See if any of these ‘presents’ are on your servers…:
Chile’s Comisión para el Mercado Financiero (CMF) has disclosed that their Microsoft Exchange server was compromised through the recently disclosed ProxyLogon vulnerabilities.[…]
To aid security professionals and other Microsoft Exchange administrators, the CMF has released IOCs of web shells and a batch file found on their compromised server.
- 0b15c14d0f7c3986744e83c208429a78769587b5: error_page.aspx (China Chopper web shell)
- bcb42014b8dd9d9068f23c573887bf1d5c2fc00e: supp0rt.aspx (China Chopper web shell)
- 0aa3cda37ab80bbe30fa73a803c984b334d73894: test.bat (batch file to dump lsass.exe)
While indicators of compromise (IOC) will have different file hashes for each victim, in many attacks, the file names have been the same.
Web shells using the names ‘error_page.asp’ and ‘supp0rt.aspx’ have been used in numerous ProxyLogon attacks, and for the most are part, are identical with only a few changes specific to the victim.[…]