Server log: what does "ho=" mean?

@Gretchen104

Posted in: #ApacheLogFiles #Hacking #Joomla #Webserver

I have got a Joomla site that got hacked and I am looking at the server logs and I see something like:


GET /bind.php
ho=mx01.1and1.es&po=25&ma=cristina%40bpmlighting.com&lo=cristina&pa=cristbpm2013&mt=johnkarpan%40yahoo.com&fn=Dr.+Sue+Metts&or=docswgacm&eh=bpmlighting.com&sd=95.141.32.169%2Fstat1&sh=&sp=&sl=&sc=&rt=5&ch=utf-8&cm=1&ht=1&at=&su=%E1%BD%92%E1%BF%97%E1%BE%8C%C4%9E%E2%84%9C%E1%BE%8C+%D0%85%E1%BE%8C%E2%86%B3%C4%98&bo=%3Ca+href%3D%22http%3A%2F%2Fpaowcx.coolebrity.com%2Fod5ba77.html%22%3E%E1%B9%BE%E1%B8%AE%E1%BE%B7%C4%9D%C9%BC%E1%BE%B7+%C5%A1%E1%BE%B7%E2%8C%8A%E1%BC%9C%3C%2Fa%3E
80 - 95.141.32.169 HTTP/1.0 - - - mywebsite.com 500 0 64 0 544 308


I guess that is a hit on bind.php - I am not sure what the "ho=" stands for. Can anyone clarify?


@Rambettina238

I'm assuming that the bind.php file is not actually a part of Joomla, but rather a malicious script that the hacker uploaded to your site. In particular, just looking at the request parameters, it appears likely that the script is being used to send e-mail spam, possibly using someone else's hijacked e-mail account.

Here's what the request parameters in your log entry look like, after percent-decoding:


ho=mx01.1and1.es, po=25

The names ho and po are probably short for "host" and "port"; mx01.1and1.es appears to be the hostname of a mail server in Germany, belonging to a Spanish ISP, and 25 is the standard port for SMTP. So the spammer is telling the script to connect to this mail server over SMTP to send the e-mail.

ma=cristina@bpmlighting.com

This is clearly an e-mail address; I'm guessing it's the address that the spam is to be sent from.

lo=cristina, pa=cristbpm2013

These look like a username ("login") and a (quite easily guessable) password. I haven't tried connecting to the mail server indicated above using this username and password, but I wouldn't be surprised if they worked. Someone should probably tell whoever owns this account that their password has been compromised and is being used by spammers.

(Update: I contacted the company's webmaster via their online contact form and reported this issue to them, before realizing that the original question was actually posted a year ago, and that the issue has presumably long since been resolved. Anyway, better to be safe than sorry, I guess...)

mt=johnkarpan@yahoo.com

I'm guessing this is the address that the spam is to be sent to; mt probably stands for "mail to".

fn=Dr.+Sue+Metts

This is likely the "full name" to be shown as the name of the sender of the message.

or=docswgacm, eh=bpmlighting.com, sd=95.141.32.169/stat1

I'm not 100% sure what these are, but I suspect they're (bogus) original information to be provided to the mail server. The parameter eh may be short for EHLO ("extended hello"), an SMTP command that takes the sender's (claimed) mail server name as a parameter. (The server will record this information in the message's headers.) The IP address in the sd parameter appears to be that of a server in Italy; I haven't tried connecting to it.

sh=, sp=, sl=, sc=

I've no idea what these parameters are, but apparently they're optional.

rt=5

This might be the number of times to retry sending the message, before giving up.

ch=utf-8

This clearly indicates the character set (UTF-8) of the message to be sent.

cm=1, ht=1, at=

Again, I have no idea what these parameters might be.

su=ὒῗᾌĞℜᾌ+Ѕᾌ↳Ę, bo=<a+href="http://paowcx.coolebrity.com/od5ba77.html">ṾḮᾷĝɼᾷ+šᾷ⌊Ἔ</a>

These are obviously the subject and body of the spam e-mail to be sent. The weird-looking Unicode text is barely recognizable as spelling out "VIAGRA SALE"; the random accents and obscure look-alike characters are meant to fool spam filters, which might otherwise trigger on words like "Viagra".


You will want to remove this script from your servers ASAP, thoroughly disinfect and reinstall your entire Joomla installation and anything else you may have running on the same server, and change all your passwords and other access credentials. If you used any of the same passwords elsewhere, make sure to change those too and assume that those other accounts have also been compromised until proven otherwise.

PS. Googling for "joomla bind.php" turned up this forum post, which seems to confirm my guesses above. This is definitely a spam relay script.

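To make the decoding walked through above repeatable, here is an added Python example (not code from the original post or from the bind.php script) that percent-decodes the query string of such a log line, labels the two-letter parameters with the meanings the answer inferred, and flags the spam-relay indicators it points at. The log line, host names, addresses and credentials in it are constructed placeholders, and the parameter meanings are the answer's guesses, not a documented format.

```python
import unicodedata
from urllib.parse import parse_qs

# Parameter meanings as inferred in the answer above; the script's real format is unknown.
FIELD_MEANING = {
    "ho": "smtp host", "po": "smtp port", "ma": "mail from", "lo": "smtp login",
    "pa": "smtp password", "mt": "mail to", "fn": "sender display name",
    "eh": "EHLO name", "rt": "retries", "ch": "charset", "su": "subject", "bo": "body",
}

# Constructed sample line, shaped like the one in the question but with placeholder values.
SAMPLE_LINE = (
    "GET /bind.php ho=mx01.mail.example&po=25&ma=alice%40example.test&lo=alice"
    "&pa=hunter2&mt=bob%40example.test&fn=Dr.+Sue&eh=example.test&rt=5&ch=utf-8"
    "&su=%E1%B9%BE%E1%B8%AE%C4%9D&bo=%3Ca+href%3D%22http%3A%2F%2Fspam.example%2F%22%3Ebuy%3C%2Fa%3E"
    " 80 - 203.0.113.5 HTTP/1.0 - - - mywebsite.com 500 0 64 0 544 308"
)

def strip_accents(text):
    """Reduce accented look-alike letters to their ASCII base letters, e.g. 'ṾḮĝ' -> 'VIg'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c) and ord(c) < 128)

def parse_request(line):
    """Return (path, {param: value}) for a log line whose query string is its own token."""
    tokens = line.split()
    path = tokens[1]
    query = next(t for t in tokens[2:] if "=" in t)
    return path, {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def describe(params):
    """Pair each parameter with the meaning guessed above ('?' when it was never explained)."""
    return [(k, FIELD_MEANING.get(k, "?"), v) for k, v in params.items()]

def spam_relay_findings(params):
    """Flag what the answer points at: SMTP target, credentials, look-alike subject, link in body."""
    findings = []
    if "ho" in params and params.get("po") == "25":
        findings.append("connects to %s on port 25 (SMTP): a request to send mail" % params["ho"])
    if "lo" in params and "pa" in params:
        findings.append("mail account credentials for '%s' travel in the query string" % params["lo"])
    subject = params.get("su", "")
    if any(ord(c) > 127 for c in subject):
        findings.append("subject uses non-ASCII look-alikes; base letters read %r" % strip_accents(subject))
    if "href=" in params.get("bo", ""):
        findings.append("body carries a hyperlink")
    return findings
```

Run parse_request on a line from your own access log and feed the result to describe and spam_relay_findings; Greek or symbol look-alikes that have no Latin base letter simply drop out of strip_accents, so the recovered word may be partial.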



@Heady270

I believe that's the Request URI, or the page that was loaded from your server. It gave a 500 error (which means nothing was executed), but it looks like an attempted hack of some kind. Give me a few minutes, and I'll URL decode the string and see what they were trying to do and tell you if you really need to worry or not.

UPDATE: I'm not entirely sure what they were trying to do, but it looks like they were looking for general vulnerabilities. I'd recommend that you:


- Immediately check that particular file for any lines like eval(base64_decode(Long string of seemingly-random text));. This is usually a PHP shell, and gives anybody full access to your server. They can be clever about hiding it, so do a search in your program for the phrase eval( and let the program find it for you.
- Make sure you have no SQL injection vulnerabilities. Make sure you've sanitized your inputs.
- Make sure that any files you load where the name is specified with a PHP GET variable will not load external files. Also make sure it doesn't accept values containing ../ or anything starting with / as a value because this will allow a malicious person to run any file on your server.


Note that even if your server is secure, people will still look for vulnerabilities. If you're confident in your server's security, don't worry about it.

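As an added example (not from the original answer), a small Python scanner for the eval(base64_decode(...)) pattern the answer tells you to search for, together with the file-name check it recommends for include paths built from a GET parameter. The PHP sample, its variable and function names, and the 40-character base64 threshold are constructed for illustration; the allow-list requirement in the check is one step stricter than the answer asks for.

```python
import re

# `eval(` in any spelling or spacing; a quoted run of 40+ base64 characters (threshold assumed).
EVAL_CALL = re.compile(r"\beval\s*\(", re.I)
BASE64_LITERAL = re.compile(r"""['"][A-Za-z0-9+/=]{40,}['"]""")

# Constructed PHP sample: an include driven by a GET parameter, an obfuscated eval,
# an ordinary function whose name merely starts with "eval", and a plain eval.
SAMPLE_PHP = (
    '<?php\n'
    '$page = $_GET["page"];\n'
    'include("pages/" . $page . ".php");\n'
    'eval(base64_decode("' + "A" * 48 + '"));  // placeholder literal, not a real payload\n'
    '$score = evaluate_score($input);\n'
    'eval($code);\n'
)

def scan_php_for_eval(source):
    """Return (line_no, severity, line) for each eval( call.

    'high' when the same line decodes base64 (the PHP-shell pattern the answer
    describes), 'review' for any other eval( so a human can inspect it.
    """
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        if not EVAL_CALL.search(line):
            continue
        obfuscated = "base64_decode" in line.lower() or BASE64_LITERAL.search(line) is not None
        hits.append((no, "high" if obfuscated else "review", line.strip()))
    return hits

def is_safe_include_name(name, allowed):
    """Accept a user-supplied page name only if it is a bare, allow-listed file name.

    Rejects names starting with '/', containing '..' or a backslash, or carrying a
    URL scheme (a remote include); membership in `allowed` is the extra step added here.
    """
    if not name or name.startswith("/") or ".." in name or "\\" in name or "://" in name:
        return False
    return name in allowed
```

Point scan_php_for_eval at each .php file under the web root and triage the 'high' hits first; the 'review' hits cover the plain eval( search the answer suggests.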

