Our Windows 2000 server honeypot in the NoAH testbed was attacked on 2nd June 2008. This is the story of this attack. The rough picture is:
- The attacker connected from 80.60.158.116 to our win2k server honeypot.
- The aim was to exploit a vulnerability in the WINS service on port 42.
- The date was 2nd June 2008, 18:45 GMT +0200.
- The attack was not detected by the Snort IDS.
- Argos raised an alert of type “RET”.
- The EBP register contained the value 0x90909090, four bytes of the x86 NOP opcode (0x90), which obviously results from a stack buffer overflow. Thus, a false positive can be excluded.
