CXmal/WebAgnt-A continuously intercepted by Sophos on Exchange Server - Have I been hacked?

Hi,

I have an Exchange Server 2019 which has not been correctly patched for the last month; it already had Sophos Advanced Endpoint installed + Sophos Firewall Intercept X in front (protected by WAF - no DNAT).

I started questioning myself as soon as I noticed some notifications about Sophos deleting some "CXmal/WebAgnt-A" in www/inetpub folders.

Searching around I saw that these might be related to the ProxyShell vulnerabilities; this server wasn't correctly patched with the latest cumulative updates, so I did everything it needed...

Then I made a quite deep search with Microsoft scripts (TestProxylogon + others found here https://github.com/microsoft/CSS-Exchange/tree/main/Security ) and nothing came out, so I thought I could relax, as this server has not been compromised...

...but then Sophos keeps intercepting this "CXmal/WebAgnt-A", so my question is: is it normal that I see these notifications? In other words, Sophos is doing its job, so there is nothing to worry about?

Or do I have to watch for something else in this EX server that I didn't catch with those scripts?

Thanks in advance.



[edited by: GlennSen at 3:35 AM (GMT -7) on 4 Apr 2022]
  • What does a sample path or two look like to a detected item?

  • It looks like this: 'C:\inetpub\wwwroot\aspnet_client\aaoeu.aspx' (the name of the aspx is different every time). Up to now it happened randomly and not on a "time schema", so it doesn't make me think about some bad service or exe in the Exchange itself still running...

    To give other people more info: yesterday I dedicated a lot of time to every single row of advice. I don't have the XDR service, but I ran through all those queries and have found (and deleted) these:

    <virtualDirectory path="/auth/部/hKMhI" physicalPath="C:\ProgramData\COM1\hKMhI" />
    <virtualDirectory path="/auth/笔/dorkU" physicalPath="C:\ProgramData\WHO\dorkU" />

    They seemed some sort of "not genuine" configurations (they were in C:\Windows\System32\inetsrv\Config\applicationHost.config).

    Since I have deleted them, no more interceptions by Sophos, but maybe it's just a coincidence.

    If anybody else has other information, it would be really appreciated.

    Regards

  • I am getting these detections for CXmal/WebAgnt-A occasionally as well, and I also had these strange settings in the applicationHost.config file. The directories do not exist, so I can only think it never made it past the config stage. I deleted them and will see if the detection happens again..

    <virtualDirectory path="/auth/部/hKMhI" physicalPath="C:\ProgramData\COM1\hKMhI" />
    <virtualDirectory path="/auth/笔/dorkU" physicalPath="C:\ProgramData\WHO\dorkU" />
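The two posts above found the rogue entries by reading applicationHost.config by hand. The following added example (not from either poster, nor Sophos or Microsoft tooling) parses such a config and flags virtualDirectory entries whose URL path contains non-ASCII characters, whose physicalPath points outside the assumed Exchange/inetpub install roots, or whose physicalPath uses a reserved DOS device name like COM1; the allowed roots and the sample config fragment are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Roots a legitimate Exchange/IIS virtual directory is expected to point into
# (assumed defaults; adjust to the server's real install locations).
ALLOWED_ROOTS = (r"C:\Program Files\Microsoft\Exchange Server", r"C:\inetpub")
# Reserved DOS device names; a directory literally named COM1 (as in the
# thread) is awkward to open or delete with normal tooling.
RESERVED_NAMES = {"CON", "PRN", "AUX", "NUL"} | {f"COM{i}" for i in range(1, 10)} \
    | {f"LPT{i}" for i in range(1, 10)}

# Constructed applicationHost.config fragment: one normal-looking Exchange
# entry plus the two entries reported in the thread.
SAMPLE_CONFIG = r"""<configuration>
  <system.applicationHost><sites>
    <site name="Default Web Site" id="1">
      <application path="/owa" applicationPool="MSExchangeOWAAppPool">
        <virtualDirectory path="/" physicalPath="C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa" />
        <virtualDirectory path="/auth/部/hKMhI" physicalPath="C:\ProgramData\COM1\hKMhI" />
        <virtualDirectory path="/auth/笔/dorkU" physicalPath="C:\ProgramData\WHO\dorkU" />
      </application>
    </site>
  </sites></system.applicationHost>
</configuration>"""

def _under_allowed_root(physical_path):
    p = PureWindowsPath(physical_path)
    # PureWindowsPath comparisons are case-insensitive, matching NTFS.
    return any(p == PureWindowsPath(r) or PureWindowsPath(r) in p.parents for r in ALLOWED_ROOTS)

def find_suspicious_vdirs(config_xml):
    """Return every <virtualDirectory> whose URL path or physicalPath looks abnormal."""
    findings = []
    for vdir in ET.fromstring(config_xml).iter("virtualDirectory"):
        vpath, phys = vdir.get("path", ""), vdir.get("physicalPath", "")
        reasons = []
        if not vpath.isascii():
            reasons.append("non-ASCII characters in URL path")
        if not _under_allowed_root(phys):
            reasons.append("physicalPath outside allowed roots")
        # parts[0] is the drive ("C:\"); compare the rest against reserved names.
        if {part.upper() for part in PureWindowsPath(phys).parts[1:]} & RESERVED_NAMES:
            reasons.append("reserved device name in physicalPath")
        if reasons:
            findings.append({"path": vpath, "physicalPath": phys, "reasons": reasons})
    return findings

if __name__ == "__main__":
    # On a real server, pass the contents of C:\Windows\System32\inetsrv\Config\applicationHost.config instead.
    for f in find_suspicious_vdirs(SAMPLE_CONFIG):
        print(f["path"], "->", f["physicalPath"], "|", "; ".join(f["reasons"]))
```

Run it against a copy of the live file after applying the cumulative update, and treat any hit as something to review alongside the Sophos detections rather than as proof of compromise on its own.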

  • Hi Robert, since I have deleted those, no more notifications so far; I would be interested in knowing if it will be the same for you also... thanks
