Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

Thread Info
  • State Suggested Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 16 replies
  • Answers 1 answer
  • Subscribers 18 subscribers
  • Views 9667 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

CXmal/WebAgnt-A continuously intercepted by Sophos on Exchange Server - Have I been hacked?

Matteo Vinti

Hi,

I have an Exchange server 2019 wich have not been correctly patched since one month ago; it had Sophos Advanced Endopoint installed allready + Sophos Firewall Intercept X in front (protected by WAF - no DNAT)

I started questioning my self as soon as I noticed some notifications about Sophos deliting some "CXmal/WebAgnt-A" in www/inetpub folders

Searching around I saw that these might be related to ProxyShell vulnerabilities, this server wasn't correctly patch with last cumulative updates so I did everything it needed...

Then I made a quite deep search with Micrisoft Scripts (TestProxylogon + others found here https://github.com/microsoft/CSS-Exchange/tree/main/Security ) and nothing came out so I thought I should be relaxed that this server has not been compromised...

...but then Sophos keeps intercepting this "CXmal/WebAgnt-A" so, my question is: is it normal that I see these notifications? in other words Sophos is doing it's job so there is nothing to worry about?

or may I have to watch something else in this EX server that I didn't realize with those scripts?

Thanks in advance.



This thread was automatically locked due to age.
Parents
  • 0

    What does a sample path or two look like to a detected item?

  • 0 in reply to Sophos User930

    It looks like this 'C:\inetpub\wwwroot\aspnet_client\aaoeu.aspx' (name of aspx is different every time. Up to now it happened reandomly and not under a "time schema" so it doesn't make me think about some bad service or exe in the exchange itself still runinng...

    To give other people more infors, Yesterday I dedicated lot of time to every single row of advice, I don0t have XDR service but I ran trhough all those queries and have found (and deleted) these:

    <virtualDirectory path="/auth/部/hKMhI" physicalPath="C:\ProgramData\COM1\hKMhI" />
    <virtualDirectory path="/auth/笔/dorkU" physicalPath="C:\ProgramData\WHO\dorkU" />

    They seemed soem sort of "not genuine" configurations (they were in C:\Windows\System32\inetsrv\Config\applicationHost.config)

    Since I have deleted them, no more interceptions by Sophos, but maybe it's just a coincidence.

    If anybodyelse got other informations would be really appreciated

    Regards

  • 0 in reply to Matteo Vinti

    I am getting these detections for CXmal/WebAgnt-A occasionally as well and I also had  these strange  settings in the applicationhost.config file.    The directories do not exist so I can only think it never made it past the config stage.   I deleted them and will see if the detection happens again..

    virtualDirectory path="/auth/部/hKMhI" physicalPath="C:\ProgramData\COM1\hKMhI" />
    <virtualDirectory path="/auth/笔/dorkU" physicalPath="C:\ProgramData\WHO\dorkU" />

  • 0 in reply to Robert Coats

    Hi Robert, since I have deleted those, no more notifications so far; I would be interested in knowing if it will be for You also... thanks

  • 0 in reply to Matteo Vinti

    Now  I  get the CXmal/Webagnt-A    from a process on exchange c:\program files\microsoft\exchange server\v15\bin\msexchangemailboxreplication.exe   which is reading from a PST file someone created and writing a file to \\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\llplckqxnci.aspx  which is immediately detected as a Virus and deleted.   Looking at how this is happening now... I have used all the systools to verify files and check schedualed jobs ..   Could it be the user computer running some schedualed mailbox replication job that is creating this?    

  • 0 in reply to Robert Coats

    Hey, do you have any update on your findings? I'm running into the same issues. Thanks.

  • 0 in reply to Christoph Knaak

    I narrowed this down to Shadow copy process that our backup solution VEEAM uses to back this up... When I cleaned all the servers hosting VEEAM and the administrators PC ... This problem has gone away for now.

  • 0 in reply to Robert Coats

    Interesting, the Exchange I'm looking at is also being backed up by VEEAM. Do you have any further details on what you did exactly regarding the Shadow copy processes? What exactly do you mean by "cleaned" all the servers hosting VEEAM? Like, run a scan on the server that is running the Veeam Backupserver? Thanks in advance.

Reply
  • 0 in reply to Robert Coats

    Interesting, the Exchange I'm looking at is also being backed up by VEEAM. Do you have any further details on what you did exactly regarding the Shadow copy processes? What exactly do you mean by "cleaned" all the servers hosting VEEAM? Like, run a scan on the server that is running the Veeam Backupserver? Thanks in advance.

Children
Unfiltered HTML