
SANS ISC: infocon.txt issue SANS ISC InfoSec Forums

infocon.txt issue
Hi,

Is anyone using infocon.txt?
I notice this is gzip encoded, no gain just more data traffic.

-rw-r--r-- 1 root root 25 May 4 13:33 green.gzip
-rw-r--r-- 1 root root 6 May 4 13:34 green.txt

And it is harder to use outside a browser, because you need to include gunzip code in the application.
Nelson

2 Posts
Nelson, how exactly are you coming up with the files? isc.sans.edu/… should only return text. I checked it using curl and wget.
Brad

361 Posts
ISC Handler
Hi, thanks for your interest in this problem:

Using curl (direct to Internet, no proxy):
$ curl https://isc.sans.edu/infocon.txt
K/JM�!��

When I check headers I see:

HTTP/1.1 200 OK
< Date: Thu, 05 May 2016 11:25:19 GMT
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 25
< Connection: keep-alive
* Server nc -6 -l 80 is not blacklisted
< Server: nc -6 -l 80
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-HeyJason: DEV522 rocks

[...]
< Vary: Accept-Encoding
< Content-Encoding: gzip <<<<<<<<<<<


Using curl pipe gunzip I finally get the text:
curl -s https://isc.sans.edu/infocon.txt | gunzip
green

Thanks again.
Nelson

2 Posts
Hi, I logged this issue last year via email to the handlers.

The problem is intermittent... most of the time you get plain text, sometimes it's gzip'd.
I thought it was a bug in ISC code, as wget won't ask for a gzipped version in its request headers but the server responds with a compressed file anyway.

Was on an old work email address but hopefully the handlers have an archive somewhere... a search on my surname should work.
Anonymous
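
An added example, not part of the thread and not ISC's code: a client-side decoder for the intermittent behaviour described above. It inflates the body whenever it starts with the gzip magic bytes, whatever the client asked for, then validates the result. The function name, the 64-byte cap and the set of accepted levels are assumptions.

```python
import gzip
import io
import zlib

GZIP_MAGIC = b"\x1f\x8b"   # first two bytes of every gzip stream
MAX_BODY = 64              # assumed cap; the real payload is one short word
LEVELS = {"green", "yellow", "orange", "red"}  # assumed set of valid values


def decode_infocon(body: bytes) -> str:
    """Return the infocon level from a body that may or may not be gzipped.

    The magic bytes decide, not the Content-Encoding header: the thread shows
    gzip arriving unrequested, and an HTTP library may already have decoded
    the body while leaving the header in place.
    """
    if body[:2] == GZIP_MAGIC:
        try:
            # Read at most MAX_BODY + 1 bytes so an oversized stream is
            # rejected without inflating all of it.
            with gzip.GzipFile(fileobj=io.BytesIO(body)) as stream:
                body = stream.read(MAX_BODY + 1)
        except (OSError, EOFError, zlib.error) as exc:
            raise ValueError(f"corrupt gzip body: {exc}") from exc
    if len(body) > MAX_BODY:
        raise ValueError("infocon body larger than expected")
    # Non-ASCII bytes raise UnicodeDecodeError, a subclass of ValueError.
    level = body.decode("ascii").strip().lower()
    if level not in LEVELS:
        raise ValueError(f"unexpected infocon value: {level!r}")
    return level


# Constructed sample bodies standing in for the two server behaviours.
PLAIN_BODY = b"green\n"
GZIP_BODY = gzip.compress(PLAIN_BODY)

if __name__ == "__main__":
    print(decode_infocon(PLAIN_BODY))   # server sent plain text
    print(decode_infocon(GZIP_BODY))    # server sent gzip unasked
```

Rejecting anything outside the expected values keeps undecoded binary from reaching whatever consumes the level.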
