Rule: -- Sid: 2132 -- Summary: This event is generated when an attempt is made to exploit a weakness in Synchrologic Email Accelerator running on Microsoft IIS. -- Impact: Information gathering. -- Detailed Information: This event indicates that an attempt has been made to exploit a weakness in the Synchrologic Email Accelerator application. The attacker may be trying to gain information on the list of users allowed to use the service, this may be the prelude to an attack against the host using that information. -- Affected Systems: Any host using Synchrologic Email Accelerator. -- Attack Scenarios: An attacker can retrieve a sensitive file containing information on the list of authorized users for the application. The attacker might then gain access to the application as a valid user. -- Ease of Attack: Simple. -- False Positives: None Known. -- False Negatives: None Known. -- Corrective Action: Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files. Ensure that the IIS implementation is fully patched. Ensure that the underlying operating system is fully patched. Employ strategies to harden the IIS implementation and operating system. Check the host for signs of compromise. -- Contributors: Sourcefire Research Team Brian Caswell <bmc@sourcefire.com> Nigel Houghton <nigel.houghton@sourcefire.com> -- Additional References: --
