tian, Posted May 16, 2022: Every time I open the Outlook client, EEA prompts JS/Exploit CVE-2021-26855. If I disconnect from the Exchange server and open the Outlook client, I won't get this message. The Exchange server was scanned completely using EFSW and no threat was found. How can I further judge the problem?
Administrators Marcos, Posted May 16, 2022: Do you have ESET Mail Security for MS Exchange installed on the mail server? What version of EMSX and MS Exchange is it? Is MS Exchange fully patched and all security updates installed?
tian (Author), Posted May 16, 2022: The customer uses Exchange 2013, installed on Windows 2012. EFSW 8.0.12011.0 is installed on Windows 2012, not EMSX. All Microsoft patches have been installed for Windows 2012.
Administrators Marcos, Posted May 16, 2022: Please check your personal message for a list of logs that we'll need from the server.
ESET Staff JamesR, Posted May 16, 2022: It's likely that the external URL for OAB has a WebShell one-liner in its URL. To check for and remediate this, please do the following.

JS/Exploit.CVE-2021-26855.Webshell.H is an IOC detection, which simply means your Exchange server was exploited in the past by this CVE. Ensure your Exchange server is fully patched, and then perform the following to remove the remnants of the attack.

Check the following on the Exchange Server:

1. Use a web browser to access: https://127.0.0.1/ecp
   a. Log in with an admin that has enough rights (might require Exchange admin)
2. Click on "Servers" on the left
3. Click on the "Virtual Directories" tab in the top middle area
4. Double-click on "OAB Default Website" (OAB = Offline Address Book)
5. Check what is in the 2 URL fields
   a. Internal URL
   b. External URL
6. Copy and paste any suspicious URL fields into Notepad (with word wrap enabled), then save a screenshot and discard the Notepad
   a. Saving the raw text will cause a detection by ESET.
7. Save your changes and then move on to either rebooting the Exchange server or restarting IIS.
   a. Without restarting IIS, the IIS server will continue to host the AutoDiscover settings which cause detections on endpoints with Outlook.

Here is what this looks like on my non-compromised test environment:

Restarting IIS (or just reboot the server):

- Open "Internet Information Services (IIS) Manager" (Windows + R > inetmgr.exe)
- Click on your server name in the list (my test environment showed: SVRSANDEXCH (DEMO\Administrator))
- On the far right under Actions, click "Restart" (or you can right-click on the server name and choose "Stop" then "Start")

This made Outlook on my test workstation go offline for about 30 seconds (likely longer in a production environment) and I no longer got any of the cached OAB URLs which caused detections.

After this, all endpoints may get one, or more, final detection as they clean up any remaining copies of AutoD/AutoDiscovery XML files, but the total count of detections of webshells per day should decrease until you no longer have any of these detections.
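The manual ECP check above can be scripted from the Exchange Management Shell so that every virtual directory on the server, not only the OAB one, is audited at once. The following is an added example written for this thread, not ESET's or JamesR's code; it assumes the standard Exchange 2013 cmdlets (Get-OabVirtualDirectory, Get-AutodiscoverVirtualDirectory, Get-WebServicesVirtualDirectory, Get-EcpVirtualDirectory, Get-OwaVirtualDirectory, Get-ActiveSyncVirtualDirectory, Set-OabVirtualDirectory), and the `$Server` value and the `$Markers` list are assumptions you should adjust. In line with step 6a it never writes the raw URL value to disk; it reports only which field is affected, its length, and a SHA-256 of the value so you can track it without triggering a detection.

```powershell
# Added example (not ESET's or the poster's code): audit Exchange virtual-directory
# URLs for injected markup/script, run from the Exchange Management Shell on the
# Exchange server. Cmdlet names are the standard Exchange ones; $Server and
# $Markers are assumptions.

$Server = $env:COMPUTERNAME   # placeholder: the Exchange server to audit

# Substrings that never belong in a legitimate Internal/External URL. A hit means
# the value is not a URL at all but injected markup or script.
$Markers = @('<', '>', 'script', 'runat', 'eval(', 'Request.', 'Response.')

function Test-SuspiciousUrl {
    param([string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return $false }   # empty field is normal
    foreach ($m in $Markers) {
        if ($Value.IndexOf($m, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    # Anything that is not a well-formed absolute http(s) URI is also flagged.
    $uri = $null
    if (-not [System.Uri]::TryCreate($Value, [System.UriKind]::Absolute, [ref]$uri)) { return $true }
    return ($uri.Scheme -ne 'http' -and $uri.Scheme -ne 'https')
}

# Every virtual-directory type that carries Internal/External URLs.
$dirs = @(
    Get-OabVirtualDirectory          -Server $Server
    Get-AutodiscoverVirtualDirectory -Server $Server
    Get-WebServicesVirtualDirectory  -Server $Server
    Get-EcpVirtualDirectory          -Server $Server
    Get-OwaVirtualDirectory          -Server $Server
    Get-ActiveSyncVirtualDirectory   -Server $Server
)

$findings = @()
foreach ($d in $dirs) {
    foreach ($field in 'InternalUrl', 'ExternalUrl') {
        $val = [string]$d.$field
        if (Test-SuspiciousUrl $val) {
            # Do not write the raw value anywhere: per the thread, the saved text
            # itself triggers an ESET detection. Keep identity, length and a hash.
            $sha  = [System.Security.Cryptography.SHA256]::Create()
            $hash = ($sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($val)) |
                     ForEach-Object { $_.ToString('x2') }) -join ''
            $findings += [pscustomobject]@{
                Directory = $d.Identity
                Field     = $field
                Length    = $val.Length
                Sha256    = $hash
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No suspicious virtual-directory URLs found on $Server."
} else {
    $findings | Format-Table -AutoSize
    # Remediation for the OAB case described in the thread: clear the External URL,
    # then restart IIS so the cached Autodiscover XML stops being served to Outlook.
    # Uncomment only after reviewing the findings above:
    # Get-OabVirtualDirectory -Server $Server | Set-OabVirtualDirectory -ExternalUrl $null
    # iisreset /noforce
}
```

The hash lets you confirm across endpoints and later scans that the same injected value is gone, and `iisreset /noforce` is the command-line equivalent of the IIS Manager "Restart" action described in the post; expect the same short Outlook outage.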
tian (Author), Posted May 17, 2022: That's very helpful. Thank you very much, @JamesR @Marcos