Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: SANS Internet Storm Center SANS ISC InfoSec Forums

infocon.txt issue

Is someone using infocon.txt?
I notice this is gzip encoded, no gain just more data traffic.

-rw-r--r-- 1 root root 25 May 4 13:33 green.gzip
-rw-r--r-- 1 root root 6 May 4 13:34 green.txt

And it is harder to use outside a browser, because you need to include gunzip code in the application.

2 Posts
Nelson, how exactly are you coming up with the files?… should only return text. I checked it using curl and wget. Brad

422 Posts
ISC Handler
Hi, thanks for your interest in this problem:

Using curl (direct to Internet, no proxy):
$ curl

When I check headers I see:

HTTP/1.1 200 OK
< Date: Thu, 05 May 2016 11:25:19 GMT
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 25
< Connection: keep-alive
* Server nc -6 -l 80 is not blocklisted
< Server: nc -6 -l 80
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-HeyJason: DEV522 rocks

< Vary: Accept-Encoding
< Content-Encoding: gzip <<<<<<<<<<<

Using curl pipe gunzip I finally get the text:
curl -s | gunzip

Thanks again.

2 Posts
Hi, I logged this issue last year via email to the handlers.

The problem is intermittent... most of the time you get plain text, sometimes it's gzip'd.
I thought it was a bug in ISC code as wget won't ask for gzipped version in request headers but server responds with compressed file anyway.

Was on an old work email address but hopefully the handlers have an archive somewhere... a search on my surname should work.
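
For a script that consumes infocon.txt, the intermittent behaviour described in this thread can be absorbed on the client side. The following is an added example, not part of any poster's message and not ISC code: it detects a gzip body by its magic bytes, decompresses it with a size bound, and accepts only a known level. The function name, the size cap and the embedded list of levels are assumptions made for the example.

```python
import zlib

GZIP_MAGIC = b"\x1f\x8b"          # first two bytes of every gzip stream
# Assumption: the four infocon levels, embedded as an allow-list.
LEVELS = {"green", "yellow", "orange", "red"}
MAX_BODY = 64                     # assumed cap; a level name is a few bytes


def parse_infocon(body: bytes) -> str:
    """Return the infocon level from a raw response body.

    The body may be plain text or gzip-compressed, whatever the client
    asked for. Anything else raises ValueError, so a caller never acts
    on an unexpected value.
    """
    if body[:2] == GZIP_MAGIC:
        # wbits=31 selects the gzip container. max_length bounds the
        # output so an oversized or hostile stream cannot exhaust memory.
        decomp = zlib.decompressobj(31)
        try:
            data = decomp.decompress(body, MAX_BODY)
        except zlib.error as exc:
            raise ValueError("corrupt gzip body") from exc
        # eof is False when the stream was truncated or hit the cap.
        if not decomp.eof:
            raise ValueError("truncated or oversized gzip body")
        body = data
    elif len(body) > MAX_BODY:
        raise ValueError("body too large for an infocon level")

    # UnicodeDecodeError is a ValueError subclass, so callers can
    # catch a single exception type.
    level = body.decode("ascii").strip().lower()
    if level not in LEVELS:
        raise ValueError("unexpected infocon value")
    return level


if __name__ == "__main__":
    import gzip
    # Constructed sample inputs: one plain, one compressed.
    print(parse_infocon(b"green\n"))
    print(parse_infocon(gzip.compress(b"green")))
```

Sniffing the magic bytes rather than trusting the `Content-Encoding` header also covers HTTP libraries that decompress transparently and hand the caller an already-decoded body.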

