Analyzing a Suspected Hacked Exchange Server

Suspect Exchange Server appears to be hacked. How to determine if it was a false positive?

Our security vendor detected that our client’s CAS server was doing a Nessus scan in the internal network.

It’s not uncommon for this vendor to issue a false positive, but I’m looking for general guidance on how I should analyze this Windows-based server if a hack was indeed attempted.

  • What files might be left over?

  • What might be modified?

  • How do I safely gather enough information to know if it should be nuked from orbit?

Answer

Could the vulnerability scan just be a routine scan, all white hat, done by the sec team? If this is the case you can verify it through the firewall logs (depending on whether the traffic passes through the firewall). You can use a tool called Volatility to analyze any changes in RAM or the file system. It gives you a snapshot analysis of the current state of the computer's security.
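One way to act on the firewall-log suggestion in the answer: the added example below (not code from the original post) parses constructed firewall log lines and flags any source that touches many distinct host/port pairs within a short window, which is the footprint a Nessus-style scan leaves. The log format, the 10.0.1.20 address standing in for the CAS server, and the window and threshold values are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simple syslog-like format; the CAS server
# address 10.0.1.20 and the field layout are assumptions, not from the post.
SAMPLE_LOG = """\
2024-03-01T10:00:01 ALLOW src=10.0.1.20 dst=10.0.2.5 dport=22 proto=tcp
2024-03-01T10:00:01 ALLOW src=10.0.1.20 dst=10.0.2.5 dport=80 proto=tcp
2024-03-01T10:00:02 DENY src=10.0.1.20 dst=10.0.2.5 dport=443 proto=tcp
2024-03-01T10:00:02 DENY src=10.0.1.20 dst=10.0.2.6 dport=445 proto=tcp
2024-03-01T10:00:03 DENY src=10.0.1.20 dst=10.0.2.7 dport=3389 proto=tcp
2024-03-01T10:00:03 DENY src=10.0.1.20 dst=10.0.2.8 dport=1433 proto=tcp
2024-03-01T10:00:04 ALLOW src=10.0.1.50 dst=10.0.2.5 dport=443 proto=tcp
2024-03-01T10:00:05 ALLOW src=10.0.1.50 dst=10.0.2.5 dport=443 proto=tcp
"""

def parse_line(line):
    """Return (timestamp, src, dst, dport) or None if the line does not fit."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        return ts, fields["src"], fields["dst"], int(fields["dport"])
    except (ValueError, KeyError):
        return None

def find_scanners(log_text, window=timedelta(seconds=60), min_targets=5):
    """Count, per source IP, the distinct (dst, dport) pairs it touched inside
    any `window`-long span; return the sources reaching `min_targets`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, src, dst, dport = rec
            events[src].append((ts, (dst, dport)))
    flagged = {}
    for src, recs in events.items():
        recs.sort()
        best = 0
        for i, (start, _) in enumerate(recs):
            targets = {t for ts, t in recs[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            flagged[src] = best
    return flagged
```

Calling `find_scanners(SAMPLE_LOG)` on the constructed lines returns `{'10.0.1.20': 6}`, while the ordinary client at 10.0.1.50 is not flagged; a flagged CAS server that the security team cannot match to a scheduled scan is the signal to move on to memory and disk analysis.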
