
Exchange Server was hacked - Hafnium



Our Exchange server was hacked. I installed Malwarebytes for Teams on all servers and checked them, and malware was found and removed. But there is still activity on the servers. It seems that there is still some malware running and not removed. The MSX services are stopped and not running. A scan with the Malwarebytes software does not detect any problems, but the software seems to block some outgoing activities.

 

What can be done to make all the machines clean and to be sure that all malware is removed?

Attached you can find the support logs and some screenshots of the blocks from Malwarebytes.

 

EXCH.zip, DC02.zip, DC01.zip

Thanks

 


Additional information:

3 servers show this outgoing activity, which is blocked by MWB.

DC02 shows the most activity, and the DNS is also changed automatically to 8.8.8.8 and 9.9.9.9. If I correct these settings, after a time the malware changes them back.

DC02 is a Windows server which is the domain controller; MSX is installed on another server (see logs from EXCH).

 


  • 2 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 
