Bug #18889
Closed
url spamming (injection vulnerability?)
Description
Some time ago we had a strange attack on our TYPO3 web pages - in
some pages the links to subpages were modified. The address of some
unknown (spammer) web page was appended to the URLs. E.g.
http://www.interlogic.se/index.php?id=3
became
We decided to upgrade TYPO3 to 4.1.6 and that cured the problem for some
time. Now it seems these attacks are back. For instance, check the URL
above. Any idea what causes this? We can provide logs if necessary.
The following extensions are installed (loaded and running) on the site:
Versioning Management version 1.1.0
htmlArea RTE rtehtmlarea 1.5.5
xp-blue skin for htmlArea RTE sr_rtehtmlarea_xpblue 0.1.6
Frontend change password fechangepassword 1.0.2
New front end login box newloginbox 2.2.9
TYPO3 skin t3skin 0.1.0
We're using PHP 4.4.4
(issue imported from #M8579)