
Help Decoding CGI Dump


rayh


This my first post so I hope I'm in the right area.

I have a personal vendetta against this one spammer. He has been spamming me for many months now at about 30 messages a day using a personal e-mail address that I believe he got from someone's contact book. He appears to have a fairly sophisticated approach. He owns many domains and is registering new ones regularly. Each e-mail fetches images from one of those domains with individually identifiable links in the e-mails (www.abcdedgf.domain.com). He also uses fake registrant info.

Months ago I turned off my preview window after I realized he was using these identifiable links to determine if I opened the e-mail. Prior to this spammer I received almost no spam at that e-mail address, so I didn't worry so much about the preview issue.

I'm trying to hit this guy from many angles. I have lodged complaints with the registrar about the fake names and the spamming, though I don't expect much. I have also complained to some of the businesses he is advertising for by using the affiliate ID. I think this might have more of an effect, since the advertiser probably doesn't want to pay out for click-throughs on poorly targeted spam. And it may have had an effect, because he has now implemented a system where I can no longer capture the affiliate ID.

Now to my point. I have found a way to get a dump from the server with a test.cgi command. I'm curious what can be learned from the dump and if there is information there that would help out my cause. The original domain resolves to 208.70.175.70, but there are references to 68.168.97.168 and 68.168.97.247, so I'm not even sure who is hosting this server.

Thanks in advance for any help.

Ray

http://www.xxxxxxxxx.datalemtiaz.com/test.cgi is the URL used and it produced the following dump:

SCRIPT_NAME = /test.cgi
SERVER_NAME = www.xxxxxxxxx.datalemtiaz.com
SERVER_ADMIN = root[at]localhost
HTTP_ACCEPT_ENCODING = gzip, deflate
HTTP_CONNECTION = Keep-Alive
REQUEST_METHOD = GET
HTTP_ACCEPT = image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
SCRIPT_URI = http://www.xxxxxxxxx.datalemtiaz.com/test.cgi
SCRIPT_FILENAME = /home/benp.offersonline.org/public_html/test.cgi
SERVER_SOFTWARE = Apache/2.2.3 (CentOS)
QUERY_STRING =
REMOTE_PORT = 3244
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E)
SERVER_PORT = 80
SERVER_SIGNATURE =
Apache/2.2.3 (CentOS) Server at www.xxxxxxxxx.datalemtiaz.com Port 80
HTTP_ACCEPT_LANGUAGE = en-us
REMOTE_ADDR = 00.00.00.00 (I zeroed out my IP)
SERVER_PROTOCOL = HTTP/1.1
PATH = /usr/local/bin:/usr/bin:/bin
REQUEST_URI = /test.cgi
GATEWAY_INTERFACE = CGI/1.1
SCRIPT_URL = /test.cgi
SERVER_ADDR = 68.168.97.168
DOCUMENT_ROOT = /home/benp.offersonline.org/public_html
HTTP_HOST = www.xxxxxxxxx.datalemtiaz.com

Working Directory is: /home/benp.offersonline.org/public_html

--------------------------------------------------------------------------------
Hostname: 68-168-97-247.phx.dedicated.codero.com
Kernel: Linux
Version: 2.6.18-164.15.1.el5PAE
Release: #1 SMP Wed Mar 17 12:14:29 EDT 2010
Hardware Type: i686
--------------------------------------------------------------------------------
Main IP interface: 68.168.98.49
Hardware ID: 00:26:18:92:C2:A5
--------------------------------------------------------------------------------
ALL PERL MODULES FOUND, Successfuly tested and works.
--------------------------------------------------------------------------------
DBI -- 1.42
GD -- 1.19
GD::Graph -- 1.44
GD::Text -- 0.86
HTML::Parser -- 3.60
HTML::Tagset -- 3.03
Image::Size -- 2.99
LWP -- 5.825
MIME::Base64 -- 2.12
Net -- ok
Perl -- 5.8.8
--------------------------------------------------------------------------------

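As an added example (not code from Ray's post or from anyone in this thread), here is a small Python parser that pulls the abuse-report-relevant facts out of the test.cgi output above: the hosting provider from the reverse-DNS hostname, every IP the box admits to, whether the address the domain resolves to is one of them, and the hosting account named in DOCUMENT_ROOT. The sample input is an abridged copy of the dump as posted, and 208.70.175.70 is the resolved IP Ray gives in his post.

```python
import re

# Abridged copy of the test.cgi output posted above (values as they appear in the post).
DUMP = """SERVER_NAME = www.xxxxxxxxx.datalemtiaz.com
SCRIPT_FILENAME = /home/benp.offersonline.org/public_html/test.cgi
SERVER_SOFTWARE = Apache/2.2.3 (CentOS)
QUERY_STRING =
SERVER_ADDR = 68.168.97.168
DOCUMENT_ROOT = /home/benp.offersonline.org/public_html
HTTP_HOST = www.xxxxxxxxx.datalemtiaz.com
Hostname: 68-168-97-247.phx.dedicated.codero.com
Kernel: Linux
Version: 2.6.18-164.15.1.el5PAE
Main IP interface: 68.168.98.49
Hardware ID: 00:26:18:92:C2:A5
"""

# Matches both "KEY = value" (CGI variables) and "Label: value" (system info) lines;
# the lazy key group stops at the first '=' or ':' so MAC addresses keep their colons.
KV_RE = re.compile(r"^\s*([A-Za-z_ ]+?)\s*[=:]\s*(.*?)\s*$")

def parse_dump(text):
    """Turn the dump into a dict; lines with an empty value are skipped."""
    fields = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m and m.group(2):
            fields[m.group(1).strip()] = m.group(2)
    return fields

def summarize(fields, dns_ip):
    """Collect the facts an abuse report needs and flag the DNS/server mismatch."""
    addrs = {fields.get(k) for k in ("SERVER_ADDR", "Main IP interface")} - {None}
    labels = fields.get("Hostname", "").split(".")
    # rDNS names of the form 68-168-97-247.phx.dedicated.codero.com: the last two
    # labels name the provider, the first encodes yet another IP on the same box.
    provider = ".".join(labels[-2:]) if len(labels) >= 2 else ""
    if re.fullmatch(r"\d+(-\d+){3}", labels[0]):
        addrs.add(labels[0].replace("-", "."))
    # /home/<account>/public_html: the account is named after another of his domains.
    acct = re.match(r"/home/([^/]+)/public_html", fields.get("DOCUMENT_ROOT", ""))
    return {
        "provider": provider,
        "server_ips": sorted(addrs),
        "dns_ip_matches_server": dns_ip in addrs,
        "hosting_account": acct.group(1) if acct else None,
        "software": fields.get("SERVER_SOFTWARE"),
    }

if __name__ == "__main__":
    print(summarize(parse_dump(DUMP), "208.70.175.70"))
```

The mismatch flag is the useful part: the domain resolving to an address the server itself never reports suggests the public IP is a front for this box, so an abuse report should name both networks.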

Don't know about interpreting the CGI dump but there are a number of resources that give you the information you are after:

http://www.robtex.com/dns/datalemtiaz.com.html#records (and other tabs - the "Shared" one indicating 51 domains hosted on 208.70.175.70 - not to say they would all be his, that would usually be unlikely)

http://centralops.net/co/DomainDossier.aspx (select domain whois record, network whois record, DNS records and service scan)

Which seem to indicate this sleazebag is off the air just now (and probably scurrying from one provider to the next as internet vigilantes keep whacking him).

http://whois.arin.net/rest/nets;q=208.70.1...;showARIN=false indicates he is currently hosted by cooplabs.net (OrgAbuseEmail: abuse[at]cooplabs.com) who could be in the process of either taking him in or throwing him out - hard (for me anyway) to tell which.


Now to my point. I have found a way to get a dump from the server with a test.cgi command. I'm curious what can be learned from the dump and if there is information there that would help out my cause. The original domain resolves to 208.70.175.70, but there are references to 68.168.97.168 and 68.168.97.247, so I'm not even sure who is hosting this server.

Thanks in advance for any help.

Ray

http://www.xxxxxxxxx.datalemtiaz.com/test.cgi is the URL used and it produced the following dump:

No disrespect Ray, but I don't see anyone trying out your script since we don't know what actions it will actually perform...

In fact I'm not clear how you got access to this cgi script on the server in question.

Andrew


Archived

This topic is now archived and is closed to further replies.
