
Webshells on Microsoft Exchange Servers

Description: This query looks for suspected webshells in the locations where they are commonly dropped, while filtering out the legitimate files that normally sit in those paths. Updated with additional file paths to include user paths and ProgramData locations.

What The Data Shows: This query is helpful for running a quick scan to find hosts potentially compromised with webshells. The Exchange paths may need adjusting if Exchange is installed somewhere other than the default location.

SQL:
    SELECT path,
           datetime(atime, 'unixepoch', 'localtime') AS "Last Accessed",
           datetime(mtime, 'unixepoch', 'localtime') AS "Last Modified",
           datetime(ctime, 'unixepoch', 'localtime') AS "Created"
    FROM file
    WHERE path LIKE 'C:\inetpub\wwwroot\aspnet_client\%.as%'
       OR path LIKE 'c:\inetpub\wwwroot\aspnet_client\system_web\%.as%'
       OR path LIKE 'C:\Users\All Users\COM\%'
       OR path LIKE 'C:\Users\All Users\COM1\%'
       OR path LIKE 'C:\Users\All Users\CON\%'
       OR path LIKE 'C:\Users\All Users\WHO\%'
       OR path LIKE 'C:\Users\All Users\XYZ\%'
       OR path LIKE 'C:\Users\All Users\ZOO\%'
       OR path LIKE 'C:\Users\All Users\ZING\%'
       OR path LIKE 'C:\programdata\COM\%'
       OR path LIKE 'C:\programdata\COM1\%'
       OR path LIKE 'C:\programdata\CON\%'
       OR path LIKE 'C:\programdata\WHO\%'
       OR path LIKE 'C:\programdata\XYZ\%'
       OR path LIKE 'C:\programdata\ZOO\%'
       OR path LIKE 'C:\programdata\ZING\%'
       OR path LIKE 'C:\program files\microsoft\exchange server%\%\FrontEnd\HttpProxy\owa\auth\Current\%.as%'
       OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\Current\%\%.as%'
       OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\%\%.as%'
       OR (path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\ecp\auth\%.as%'
           AND path NOT LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\ecp\auth\TimeoutLog%.aspx')
       OR (path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\%.as%'
           AND NOT (path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\errorFE.aspx'
                 OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\ExpiredPassword.aspx'
                 OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\frowny.aspx'
                 OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\logoff.aspx'
                 OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\logon.aspx'
                 OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\OutlookCN.aspx'
                 OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx'
                 OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\signout.aspx'
                 OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\SvmFeedback.aspx'));

> Requirement: Tests successful.

2 Comments
TAR2
New Contributor II

I meant to mention to anyone using this query, be sure your Exchange is in the typical path and not an alternate one. Adjust file paths as needed.

jnelson
Carbon Black Employee
Status changed to: Approved

@TAR2 sorry this slipped through the cracks over the holidays. Thank you for your contribution!