Since we in the TYPO3 security team have lately been contacted quite often by people asking for help because their website was hacked, I wrote an article explaining the mandatory steps you need to take after something like this has happened. But here I want to cover something that has been annoying me for quite some time.
What annoys me is how some free-riders report on such incidents just to get some clicks for their „sensational“ fairy tales. There are also blog posts written with good intentions which nevertheless seem to lead to the wrong conclusions. What stays in people’s minds are the headlines, catchy cant like „Google Conditional Hack“.
What’s wrong with this? It is easy to assume that all hacked websites redirecting to viagra-selling sites were compromised by exploiting one and the same vulnerability. „Google Conditional Hack“ does sound like ILOVEYOU. But while the famous Windows worm exploited exactly one vulnerability in the operating system, „Google Conditional Hack“ is just a rough description of unintended website behaviour and says absolutely nothing about which vulnerability was exploited on the respective website.
While there were some XSS vulnerabilities on well-known platforms like Twitter which were exploited to spread autonomously like a worm, „normal“ websites are different, because they differ enormously from one another. Even TYPO3 sites. There are websites still running unpatched versions of TYPO3 3.6, but also (hopefully) many running the latest version. And there are over 5000 extensions in TER, and a lot more developed specifically for a certain purpose. No TYPO3 website is like another, and the hosting environments differ as well.
So people whose goal is to search-engine-optimize their cialis shop by placing links on „external“ websites look for different problems on different websites. If they find something, they put their links there and move on to look for another vulnerable site. Accordingly, every entry door (we know about) into a TYPO3 website affected by the „Google Conditional Hack“ was different.
When it comes to websites (or TYPO3) it makes sense to give names to specific vulnerabilities (e.g. the jumpurl issue). It also makes sense to report vulnerabilities you find to the security team. But it makes no sense to report viagra links (or base64-encoded PHP code that creates such links) to us.
We get such links regularly directly from the vendors ;)
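The base64-encoded PHP mentioned above is a symptom, not the entry door, but locating it is still the first step a site owner has to take before the actual vulnerability can be found. The following triage scanner is an added example written for this post; it is not code from the TYPO3 project or from the security team. It walks a document root for .php files, flags the usual obfuscation calls (eval, gzinflate, str_rot13 and friends), decodes any long base64 string literal it finds, and reports URLs and user-agent or referrer checks hidden inside the decoded payload, i.e. exactly the „conditional“ behaviour the headlines are about. The mini site it scans is constructed in a temporary directory, the file names and the hidden payload are hypothetical, and `spam.example` is a placeholder domain.

```python
"""Triage scanner for obfuscated PHP payloads that plant conditional spam
links. Added example, not part of TYPO3 or the security team's tooling."""
import base64
import re
import tempfile
from pathlib import Path

# Functions that legitimate TYPO3 code rarely applies to a string literal,
# but that injected droppers use to hide what they actually do.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|gzinflate|gzuncompress|str_rot13|create_function)\s*\(",
    re.I)
# A quoted run of 40+ base64 characters is a strong hint of an embedded payload.
BASE64_BLOB = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
URL = re.compile(r"https?://[^\s'\"<>]+")


def decode_blob(blob: str) -> str:
    """Decode a base64 literal to text; return '' if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def scan_source(text: str) -> dict:
    """Return the indicators found in one PHP source: suspicious calls,
    decoded base64 payloads, URLs inside them, and whether the payload
    branches on the visitor's user agent or referrer (cloaking)."""
    calls = sorted({m.group(1).lower() for m in SUSPICIOUS_CALLS.finditer(text)})
    decoded = [d for d in (decode_blob(b) for b in BASE64_BLOB.findall(text)) if d]
    links = [u for d in decoded for u in URL.findall(d)]
    conditional = any("HTTP_USER_AGENT" in d or "HTTP_REFERER" in d for d in decoded)
    return {"calls": calls, "decoded": decoded, "links": links,
            "conditional": conditional}


def scan_tree(root: Path) -> dict:
    """Scan every .php file below root; return {relative path: findings}
    for files that show at least one indicator."""
    report = {}
    for path in sorted(root.rglob("*.php")):
        result = scan_source(path.read_text(errors="replace"))
        if result["calls"] or result["decoded"]:
            report[str(path.relative_to(root))] = result
    return report


def build_sample_site() -> Path:
    """Write a constructed mini site to a temp dir: one clean config file
    and one file carrying a hypothetical eval(base64_decode()) dropper."""
    root = Path(tempfile.mkdtemp())
    (root / "typo3conf").mkdir()
    (root / "typo3conf" / "localconf.php").write_text(
        "<?php\n$TYPO3_CONF_VARS['SYS']['sitename'] = 'demo';\n")
    # Constructed payload: shows spam links only to a search engine crawler.
    hidden = ("<?php if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) "
              "{ echo '<a href=\"http://spam.example/pills\">cheap pills</a>'; }")
    blob = base64.b64encode(hidden.encode()).decode()
    (root / "fileadmin").mkdir()
    (root / "fileadmin" / "cache.php").write_text(
        f"<?php eval(base64_decode('{blob}'));\n")
    return root


if __name__ == "__main__":
    for name, finding in scan_tree(build_sample_site()).items():
        print(name, finding["calls"], finding["links"],
              "cloaks on user agent/referrer" if finding["conditional"] else "")
```

Point `scan_tree` at a real document root instead of `build_sample_site()` to use it on an actual installation. A hit tells you which file to look at and which timestamps and access-log entries to correlate; it still says nothing about the vulnerability that let the file in, which is the point of the post.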