Obtaining & Decoding a .cgi script from a site

(@mindsmith)
Posts: 174
Estimable Member
Topic starter
 

Hi,

I'm working on a case & the trail leads to a site where data is being posted to an email address via the use of the relatively common user_formmail.cgi script.

I need to determine the email address embedded in this specific cgi file, and to do that I need to be able to obtain a local copy of the script. Any ideas?

I have been researching the subject, and have learnt a bit but not enough to achieve the task I have been given.

Any guidance would be greatly appreciated.

Thanks & Regards,

 
Posted : 14/06/2006 3:23 pm
(@rkamens)
Posts: 36
Eminent Member
 

deleted

 
Posted : 16/06/2006 8:25 am
 koko
(@koko)
Posts: 21
Eminent Member
 

Sometimes these scripts are written so that they have to be passed the email address that they send to. So, look at the HTML page that calls the script and you will probably find the email address in a hidden form field.

 
Posted : 20/06/2006 11:22 pm
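
The check suggested in the post above, as an added example that is not part of the original thread: it parses a saved copy of the calling HTML page offline and lists email addresses found in hidden fields of any form that posts to a `.cgi` script. The sample page, its field names and the address are constructed for illustration.

```python
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class FormFieldParser(HTMLParser):
    """Collect every <form> with its action URL and hidden inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None  # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # tag and attribute names arrive lowercased
        if tag == "form":
            self._current = {"action": a.get("action") or "", "hidden": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "hidden":
                self._current["hidden"][a.get("name") or ""] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_recipients(html, script_hint=".cgi"):
    """Return (action, field name, address) for hidden fields holding an
    email address in forms whose action contains script_hint."""
    parser = FormFieldParser()
    parser.feed(html)
    hits = []
    for form in parser.forms:
        if script_hint not in form["action"].lower():
            continue
        for name, value in form["hidden"].items():
            for addr in EMAIL_RE.findall(value):
                hits.append((form["action"], name, addr))
    return hits

# Constructed sample of a saved page (not taken from the case in the thread).
SAMPLE = """
<form method="post" action="/cgi-bin/user_formmail.cgi">
<input type="hidden" name="recipient" value="collector@example.invalid">
<input type="hidden" name="subject" value="form results">
<input type="text" name="login">
</form>
<form action="/search.php"><input type="hidden" name="ref" value="a@example.invalid"></form>
"""
if __name__ == "__main__":
    for action, field, addr in find_recipients(SAMPLE):
        print(f"{action}: hidden field {field!r} -> {addr}")
```

An empty result means the address is not passed from the page, which is consistent with it being set inside the script itself.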
(@rkamens)
Posts: 36
Eminent Member
 

deleted

 
Posted : 21/06/2006 8:30 am
(@mindsmith)
Posts: 174
Estimable Member
Topic starter
 

Rkamens,

Many thanks. Unfortunately I cannot browse the folder, but have advised the ISP hosting the machine about the nature of the site (phishing related) and did a takedown on the front-end phish site. The primary site is offline, but the backend that has been emailing the captured data (to the attacker) is still up. I have reason to believe he is in the country I am currently working in & just needed the email address as confirmation. Have requested LE to assist.

Thanks & Regards,

 
Posted : 21/06/2006 12:42 pm
(@rkamens)
Posts: 36
Eminent Member
 

deleted

 
Posted : 21/06/2006 5:14 pm
 koko
(@koko)
Posts: 21
Eminent Member
 

Did you scour the HTML source of the phish site? Have you tried passing your own variables to the cgi script (mimicking the fields of the script found elsewhere on the net) to see how it behaves? Have you looked at the source code of a free version of that cgi script to see if you can hack it? You might be able to pass in some executable code. Did you get your own account on the server to see if you can glean any info that way? Like maybe there's a stats page that isn't secure.
Just some thoughts…

 
Posted : 21/06/2006 7:25 pm