[TYPO3] weird url injection

Henning Pingel henningT3 at henningpingel.de
Thu Apr 5 22:03:12 CEST 2007


Hi Debora,

I don't understand your problem completely but I don't think anything is
in danger.

What happens if you call your normal url and add

	?ref=friendly_test

to the end of it (or in case there are already params add

	&ref=friendly_test

). Then hit enter. Does it stay there in the address bar? If yes, check
relative links to other pages of your website in your website menu. Is
the string ?ref=friendly_test appended to the links?

Check Google for links to your website



Debora wrote:
> Hi all,
> 
> To my horror I noticed that someone has been trying to hack my website (TYPO3 4.0.5, PHP 5.1.6 -> both being upgraded today). My site is multilingual and I always upgrade extensions by default. I also clear all cache at the start of each day manually...
> 
> What's the problem:
> - The urls (both internal and external and inside google!) have this added to it: 
>       ...      "?ref=Fuckonly.com" ...
> - It does not 'do' anything (thank the gods), the pages are being displayed normally but with that annoying reference, but I DO NOT want to be affiliated with a p*rn site whatsoever!!!
> 
> The temporary "solution" ??
> - I have no idea ... but I have cleared all cache and temp directories and it 'seems' to be gone for now. Luckily the only DB tables 'affected' are the statistics modules, which have logged everything of course... 
> 
> I have looked into the statistics and it seems to have happened for the first time around 16/17 March 2007. Always from different IP addresses. But what strikes me, is that the most affected language is Chinese (Simpl.) and just one or two URLs in Spanish/English... It seems to be a PHP problem, but I really don't know IF it's TYPO3 or PHP or both...
> 
> So what I would like to know, has this been a hack attempt ? Or a script kiddie? Or a spambot of some sort ?? Cause I have no idea...
> 
> Does anyone know how to prevent this from happening again ? 
> 
> Thanks!
> 
> Best regards,
> 
> Debbie
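
The check Henning describes (request a page with `ref=friendly_test` and see whether the site's own links pick the parameter up) can be scripted. The following is an added example, not part of the original thread: the host `www.example.org`, the sample HTML and the function name `links_carrying_param` are constructed for illustration, and in a real run the HTML would be the response fetched for the marked URL.

```python
# Added example: report which of a page's own links echo a marker query parameter.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qs


class LinkCollector(HTMLParser):
    """Collect the href value of every <a> tag."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def links_carrying_param(html, page_url, param="ref", marker="friendly_test"):
    """Return absolute same-host links whose query string contains param=marker."""
    collector = LinkCollector()
    collector.feed(html)
    host = urlsplit(page_url).netloc
    hits = []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)  # resolve relative menu links
        parts = urlsplit(absolute)
        if parts.netloc != host:
            continue  # only the site's own links matter for this check
        if marker in parse_qs(parts.query).get(param, []):
            hits.append(absolute)
    return hits


# Constructed sample: the menu of a page requested with the marker appended.
PAGE_URL = "http://www.example.org/index.php?id=1&ref=friendly_test"
SAMPLE_HTML = """
<ul>
  <li><a href="index.php?id=2&amp;ref=friendly_test">Products</a></li>
  <li><a href="index.php?id=3">Contact</a></li>
  <li><a href="?ref=friendly_test">Home</a></li>
  <li><a href="http://other.example.net/?ref=friendly_test">Partner</a></li>
</ul>
"""

if __name__ == "__main__":
    for link in links_carrying_param(SAMPLE_HTML, PAGE_URL):
        print("parameter echoed into link:", link)
```

An empty result means the site does not copy the parameter into its links; any hit means a crawler that follows those links will keep finding URLs that carry it.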

