Hi, On 4/5/07, Bernd Wilke <[EMAIL PROTECTED]> wrote: > > > -- > www.bernd-wilke.net > "Debora" <[EMAIL PROTECTED]> schrieb im Newsbeitrag > news:[EMAIL PROTECTED] > > Hi all, > > > > To my horror I noticed that someone has been trying to hack my website > (TYPO3 4.0.5,PHP 5.1.6 -> both being upgraded today). My site is > multilingual and I always upgrade extensions by default. I also clear all > cache at the start of each day manually... > > > > What's the problem: > > - The urls (both internal and external and inside google!) have this added > to it: > > ... "?ref=Fuckonly.com" ... > > - It does not 'do' anything (thank the gods), the pages are being > displayed normally but with that annoying reference, but I DO NOT want to be > affiliated with a p*rn site whatsoever!!! > > > > The temporary "solution" ?? > > - I have no idea ... but I have cleared all cache and temp directories and > it 'seems' to be gone for now. Luckily the only DB tables 'affected' are the > statistics modules, which have logged everything of course... > > you only can clear FE-Cache > > > I have looked into the statistics and it seems to have happened for the > first time around 16/17 march 2007. Always from different IP addresses. But > what strikes me, is that the most affected language is Chinese(Simpl.) and > just one or two URL's in Spanish/English... It seems to be a PHP problem, > but I really don't now IF it's TYPO3 or PHP or both... > > it is a cache-problem, so every page and its parameter are cached, as far as > the cache is rebuild once a day, the first call to your pages may store > these strange paramters to the links from that page. (especially if those > paramters are defined in "config.linkVars") > > > So what I would like to know, has this been a hack attempt ? Or a script > kiddie? Or a spambot of some sort ?? Cause I have no idea... > > I think it might be a try to hijack your site for Cross-site scripting or > SQL-injection (see wikipedia) > > > Does anyone know how to prevent this from happening again ? > > I like to know too
Bernd (and Debora): if it's true that this is only TYPO3 caching the first hit of the day, I would guess that this is an attempt at log-spamming [1] that has exposed a weakness in TYPO3...but that raises the question 'what can be done about it?' (aside from never, never clearing the cache...) -- Christopher Torgalson http://www.typo3apprentice.com/ [1] http://www.google.com/search?q=log+spamming _______________________________________________ TYPO3-english mailing list TYPO3-english@lists.netfielders.de http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-english