Question

Does WebRoot detect the recent Exchange Server web shell backdoor/malware

  • 19 March 2021
  • 1 reply
  • 119 views

Microsoft has added detection in WINDOWS DEFENDER for the “infection” by the Exchanger Server ZERO DAY OWA attack that was active between February 26 and March 3. 

Does WebRoot detect the presence of these web shell back doors on Exchange Servers.

Security Outfits have been running a worldwide inventory of the IP addresses with OWA exposed and sending the owners warnings and recommendations.

I checked our server for several indications a week ago, but just receive another warning that we are probably infected, with WINDOWS DEFENDER as the recommended detection agent.

Please review the information below and check for indications of a web shell which could be identified as “Chopper” or “ASP/Chopper” or similar by Windows Defender.  Please be aware that this form of compromise may enable second stage or derivative compromise activity and a full incident response activity is recommended.  Please see the below links for more details.”

We have WebRoot on our Exchange Server which means that Windows Defender is disabled (actually not installed)

     


1 reply

Userlevel 7
Badge +17

Hey there @swbca ,

I just spoke with the threat team about this and they said the following:

Make sure you have Evasion Shield set up and configured correctly. Contact our business support team if you need assistance.

If you are compromised and have the ASPX files in the directory C:\\inetpub\wwwroot\aspnet_client\system_web\ then patching will not remove the compromise

Attached are a couple docs that go into more detail.

 

Reply