Macrotone Blogs

Macrotone blogs upon Joomla, our products and other matters.

Web access URL’s containing ‘RK=0/RS=’ string

We have noticed over the past few months an increase in the number of web access upon various URL addresses upon our site with a string starting ‘/RK=0/RS=’, followed by strings of other characters.  To us they are obviously some attempt to get access to information but we were a little puzzled as to how they might possibly work. The URL’s they are attached to are varied but seem to be upon a lot of Blog addresses. The RS= looks like it could be a regular expression for a pattern match of sorts, since some(but not all) are sometimes followed by a caret ^ but that is speculative.

They look to be a form of  SSI injection with the header, with the attempt to try and pass tokens into the URL for some purpose..

Apparently we are not alone and there is much discussion upon the web as to exactly what it is trying to achieve and who might be behind it, but no clear answer is currently known.

One way to remove them might be a simple .htaccess rule similar to the following:

RewriteRule ^(.*)RK=0/RS= /$1 [L,NC,R=301]

An alternative would be to block the IP addresses from which they are coming, but if they are not ‘hard addresses’ in the sense that they are not reusable,  then the risk is that you may end up blocking legitimate traffic.

Recent Comments
Guest — Gadgets
I believe the culprit may be scripts, bots or people 'scraping' the search results of Yahoo, and then attempting to access the url... Read More
Tuesday, 06 May 2014 17:44
Geoffrey Chapman
You could well be correct, just not quite what they are trying to achieve/access. We currently see up to 100 attempts with these ... Read More
Wednesday, 07 May 2014 08:57
Guest — chatterb0x
The first comment is correct. bots scraping yahoo search results.
Wednesday, 31 December 2014 06:43
  2972 Hits

sh404SEF housekeeping and€“ shURLS

9539.png We turn our attention today to the question of shURLs. To quote Anythingdigital “shURLs — formerly called pageID — are tiny URLs automatically created by sh404SEF®. Their short length make them ideal for use in social networking sites or on print media such as business cards or promotional items.”

They seem to come preconfigured to be generated (at least we have no recollection of turning their generation on) by sh404SEF for certain Joomla components and we have observed the large number of ‘automatically’ created short URLS on our modest site.  We ourselves do not tend to use them, but what is interesting is the contents of these ‘short URLs’.  The vast majority were for subjects that have no relevance for our site what so ever and typically for subjects that would fall under the category of ‘SPAM’. They (most of the invalid/unrequired/unrelated ones) seem to be trying to ‘redirect’ or send email to external locations.

Continue reading
  2429 Hits

Joomla - Breadcrumb links

b2ap3 icon joomlaWe recently noticed a peculiarity on our site with some breadcrumb links containing certain entries which when clicked displayed a page in ‘Joomla Blog’ format containing articles which generally would not be seen, except under specific circumstances.  Nothing security related in our situation but potentially could be.  These pages were certainly not explicitly created on our site and were obviously generated ‘on the fly’.

Using the standard Joomla breadcrumbs generation there is nothing specific that one can configure/change to resolve this type of problem so it was down to some possibly lengthy investigation as to the cause(s).

To resolve the problem we discovered that the URL being used was from a SEF plugin/component (in our case SH404SEF) which contained several aliases and it was necessary to remove the specific URL (plus aliases).  Then once we had done this and  purged the page cache, the page and its breadcrumb links displayed as correctly as expected without the additional link that had been present before.

[Note: If there are several aliases for a speciifc SH404SEF URL then one might possibly be able to choose one of the alternative aliases which no not show the 'additional unrequired' breadcrumb link, but this is not necessarily the general situation and may involve some trial and error.]

Before reaching this point we did wonder about how the link to the page from an article had been created, having previously been selected from the article, so we changed it to be via the menu link.  This is not really required, but the observation is that a name(s) of the 'additional/unwanted' breadcrumb link(s) related to the category to which the article was attributed and it does make the site a little cleaner perhaps. 

On a large site with many pages such a situation may be difficult to discover and there may be many such situations, but we are unaware of any current method to discover these other than careful page inspection.  It was bad enough on our modest site, let alone a really large site.

  2557 Hits
Go To Top

The Macrotone Consulting Web site would like to use cookies to store information on your computer, to improve our website. Cookies used for the essential operation of the site have already been set. To find out more about the cookies we use and how to delete them, see our Privacy Policy.

I accept cookies from this site.