exchange_webshell_detection
Discontinued. Detect webshells dropped on Microsoft Exchange servers exploited through the "ProxyLogon" group of vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).
https://docs.microsoft.com/en-us/answers/questions/298536/fa...
https://github.com/microsoft/CSS-Exchange/tree/main/Security
Postfix.
But that's only an MTA, I hear you cry; Exchange does both MTA & MDA! Bear with me.
Postfix is software to learn from. It might be written in C but the architecture is the epitome of beautiful modular design. It’s not just the meticulous separation of concerns, the care and attention to detail, everything from string handling to memory management is pristinely handled. https://github.com/vdukhovni/postfix
Even at runtime the beauty of the architecture allows for a sysadmin to choose (via master.cf) exactly how the components should be composed to fit their needs. The defaults are crafted for minimum fuss if you just need to get it running ASAP. The software is ergonomic in addition to being artfully crafted.
So what does all this care and attention get you? Only 9 CVEs in 22 years, only 3 of which are code exec, only 2 of which are (maybe) remote code exec, only 1 of which is unauth user RCE - but very hard in practice to exploit.
Maybe it’s just not that popular? It was 1/3 of all SMTP servers on the internet according to a 2019 scan.
So it's the best MTA ever to exist, but what about MDA? Well, that was the whole point. Compose well-crafted components together to build a system. You especially don't run part of your mail server's web interface in kernel space because, well, I'm not sure why IIS/Exchange does that :-)
Unfortunately a few comments here have homed in on one contrived example of why I think this strategy is broken. To give another contrived example: I personally had a logon to this portal, but it broke last year when they integrated logons with Azure and it took me like three months to get it fixed.
The fact a critical security update can't just be downloaded is bad. I don't care if someone in sales thinks every licensed user should probably be able to get it. Here NCC produced a list of "valid" files to help people scan for not legit files. Except they don't have Exchange 2019 CU 8 because they couldn't get it:
https://github.com/nccgroup/Cyber-Defence/tree/master/Intell...
Microsoft has a hard limit (5?) on the number of individual accounts you can grant access and in a big enough org it's still plausible they'll be scattered across the world and you'll find none of them available the exact hour you need this update.
There's a PowerShell script to check your server here: https://github.com/cert-lv/exchange_webshell_detection
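The two checks the thread alludes to, a known-good file list (what NCC published) and a sweep of the Exchange front-end directories (what the cert-lv script does), combine naturally into one hash-baseline-plus-heuristics pass. The script below is an added example written for this page; it is not the cert-lv script, not NCC's list, and not anything posted in the thread. Everything it assumes is mine: the three directory paths are the usual ProxyLogon drop locations on a default install (adjust for your install path), the baseline is a path-to-SHA256 table you build on a known-clean server running the same CU, and the regexes are generic ASPX-webshell heuristics rather than any published signature. The demonstration at the end creates constructed files in a temp directory so the logic can be run without an Exchange server.

```powershell
# Added example for this page, not the cert-lv script and not NCC's file list.
# Assumptions (mine, not from the thread): the three roots below are the usual
# ProxyLogon drop directories on a default install; the baseline comes from a
# known-clean server running the SAME CU; the regexes are generic ASPX webshell
# heuristics, not any published signature.

$ExchangeRoots = @(
    "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
    'C:\inetpub\wwwroot\aspnet_client'
)

function Get-AspxBaseline {
    # Map lower-cased full path -> SHA256 for every .aspx under the roots.
    # Run this on a clean install of the same CU, then Export-Csv the result.
    param([Parameter(Mandatory)][string[]]$Root)
    $table = @{}
    foreach ($r in $Root) {
        Get-ChildItem -Path $r -Recurse -Filter *.aspx -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $table[$_.FullName.ToLowerInvariant()] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
    }
    return $table
}

function Find-SuspiciousAspx {
    # Flag any .aspx that is absent from the baseline, differs from it, or
    # contains code shapes typical of a webshell. Every hit is a lead, not proof.
    param(
        [Parameter(Mandatory)][string[]]$Root,
        [Parameter(Mandatory)][hashtable]$Baseline,
        [string[]]$Patterns = @(
            'Request\.(Item|Form|Params|QueryString)\[',    # request data reaching server code
            '\beval\s*\(',                                   # JScript eval of attacker input
            'Process\.Start|System\.Diagnostics\.Process',   # command execution
            'Assembly\.Load|ReflectionOnlyLoad'              # in-memory .NET loading
        )
    )
    $findings = @()
    foreach ($r in $Root) {
        foreach ($f in Get-ChildItem -Path $r -Recurse -Filter *.aspx -File -ErrorAction SilentlyContinue) {
            $reasons = @()
            $key  = $f.FullName.ToLowerInvariant()
            $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            if (-not $Baseline.ContainsKey($key)) { $reasons += 'not in baseline' }
            elseif ($Baseline[$key] -ne $hash)    { $reasons += 'hash differs from baseline' }
            $hits = Select-String -Path $f.FullName -Pattern $Patterns -ErrorAction SilentlyContinue
            if ($hits) {
                $which = $hits | ForEach-Object { $_.Pattern } | Sort-Object -Unique
                $reasons += 'matches: ' + ($which -join '; ')
            }
            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Path     = $f.FullName
                    Modified = $f.LastWriteTimeUtc
                    SHA256   = $hash
                    Reasons  = $reasons -join ', '
                }
            }
        }
    }
    return $findings
}

# Demonstration on constructed files so the logic can be exercised without an Exchange server.
# Real use: $baseline = Get-AspxBaseline -Root $ExchangeRoots on a clean box (same CU), export it,
# then Find-SuspiciousAspx -Root $ExchangeRoots -Baseline $baseline on the suspect server.
$demo = Join-Path ([IO.Path]::GetTempPath()) ('aspx-sweep-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path (Join-Path $demo 'auth') | Out-Null
Set-Content -Path (Join-Path $demo 'auth\logon.aspx') -Value '<%@ Page Language="C#" %><html>logon</html>'
$baseline = Get-AspxBaseline -Root $demo                       # snapshot taken before the "drop"
Set-Content -Path (Join-Path $demo 'auth\dropped.aspx') -Value '<script runat="server">Response.Write(Request.Item["p"]);</script>'
Find-SuspiciousAspx -Root $demo -Baseline $baseline | Format-Table -AutoSize
Remove-Item -Path $demo -Recurse -Force
```

In the demonstration only `dropped.aspx` is reported, with both "not in baseline" and the `Request.Item` heuristic; `logon.aspx` is silent because its hash was captured first. Two caveats follow directly from the thread: a baseline is only as good as its match to your exact CU (the complaint above about a missing Exchange 2019 CU 8 list is precisely this failure), so a hash mismatch on a server at a different CU is noise, not a finding; and a clean sweep does not prove a clean server, since a shell can be used and deleted, so treat `Modified` timestamps and the IIS logs for those directories as the next thing to pull rather than the script's empty output as the end of the investigation.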