Wednesday, October 14, 2015

Checking OWA.. Is Mine Hacked?

We've recently had a number of our staff ask about the recent OWA hack. To appease their fears, I went through and checked my OWA boxes to make sure that the OWAAuth.DLL hadn't been replaced or re-registered using a hacked version.

$servers = @("OWAServer1","OWAServer2") # get-ExchangeServer
$sbFileVersion = {
$FilePath = "C:\Program Files\Exchange\ClientAccess\Owa\auth\OWAAuth.dll"
Get-ChildItem $FilePath |  Select-Object Name,length,@{Name="Version";Expression={$_.versionInfo.FileVersion}},LastWriteTime
}
Invoke-Command -ScriptBlock $sbFileVersion -ComputerName $servers # | group fileversion
$SBRegistry = {
 #Return installed folder path for OWAAuth.DLL
 $RegKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\66A06D0DD155D354CB4C311E0ED2EE9D"
 $RegValue="AE1D439464EB1B8488741FFA028E291C"
 (Get-ItemProperty $regkey).$regvalue
}
Invoke-Command -ScriptBlock $SBRegistry -ComputerName $servers 
This does two things. First off, it checks the install path of the OWAAuth.DLL and returns the version and size of the file. I skimmed these to look for differences in the installed files.

Second step, it checks the registry on these same servers and looks to see what's registered. I visually checked to see if the path in the registry matches the install path. (Those registry values I found by searching one of my OWA box registries for the filename.)

My server running Exchange 2010 SP3 RU10 returned:

Name               : OWAAuth.dll
Length             : 104632
Version            : 14.03.0248.002
LastWriteTime      : 5/27/2015 1:47:42 PM
PSComputerName     : OWASERVER1

C:\Program Files\Exchange\ClientAccess\Owa\auth\OWAAuth.dll

No comments:

Post a Comment