Jump to content

Hafnium related? False positive?


Recommended Posts

Getting alerts today on some of these (Exchange server):

 

Object URI: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/Temporary ASP.NET Files/owa/8e05b027/e164d61b/App_Web_oierlfno.dll
Severity: Warning
Detection Type: Trojan
Detection Name: MSIL/Webshell.BY
Object Type: File
Action Performed: Cleaned by deleting

 

Anyone know if this could be legit or false positive? Thanks

Link to comment
Share on other sites

I'm also just now seeing this on the same APP_Web_%random%.dll files on multiple Exchange 2016 servers that have no open HTTPS to the internet and the file date from months and months ago... Also briefly checked the strings of the file and I don't see anything obvious or any other drops in the same folder as would be expected.

I've reported the file to samples@eset.com as a possible False Positive but it would be great to have someone from Support confirm this issue.

Thanks

Link to comment
Share on other sites

9 hours ago, rgoldman said:

Getting alerts today on some of these (Exchange server):

 

Object URI: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/Temporary ASP.NET Files/owa/8e05b027/e164d61b/App_Web_oierlfno.dll
Severity: Warning
Detection Type: Trojan
Detection Name: MSIL/Webshell.BY
Object Type: File
Action Performed: Cleaned by deleting

 

Anyone know if this could be legit or false positive? Thanks

Same question:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa\8e05b027\e164d61b\App_Web_n01xcmt3.dll - eine Variante von MSIL/Webshell.BY Trojaner - durch Löschen gesäubert

Link to comment
Share on other sites

I got this last night and I guess it is related:

18/01/2022 00:33:25;

Real-time file system protection

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa\8e05b027\e164d61b\App_Web_juze3jwd.dll;a variant of MSIL/Webshell.BY trojan;cleaned by deleting;NT AUTHORITY\SYSTEM;Event occurred during an attempt to access the file by the application: C:\Windows\System32\inetsrv\w3wp.exe (54443C275EDDD9BBE75C6D47CF9C24076B5D785C).;5971F579EDDD90CA4A80DC99DFD29B329D7B9360;12/01/2022 21:49:10

Link to comment
Share on other sites

I'm also getting this on some EX2013/CU23 and EX2019/CU11, all patched with SU 01/2022 (and Mail Security 8.0).
In addition, two servers have the same detection in c:\windows\temp (?!!), all within the last 18 hours.
Getting a bit nervous...

If anyone got news, I'mlooking forward to hear about this...

Thanks!

Edited by VoNovo
Link to comment
Share on other sites

I also received this response from samples@eset.sk:

 

Thank you for your submission.

It was a false positive of our scanner and this issue is fixed in current version of detection engine.

 

Regards,

 

ESET Malware Response Team

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...