Sorry the title is vague but I really don’t understand what’s going on. I’ve been getting hits on my site that look like genuine URLs but have an extra CGI parameter, unknown to my system, that when present causes a completely incorrect page to be delivered, full of references to Viagra and Cialis. The extra parameter is ignored by my code and there’s nothing on my site that can generate the extra content. I replaced all my PHP files but it makes no difference. A typical such request is
The critical extra parameter is &qw=nn where nn is some number. When I make the same request from my browser, sometimes I get a 503 error, but when I take off the extra parameter my page loads normally. This suggests some other server is actually delivering the hacked pages.
I can’t see how to diagnose this because the $_REQUEST I receive (if I get one at all) bears little resemblance to the request typed into the browser. It seems the &qw parameter is being intercepted somewhere and passed to a malware server somewhere, then a random request is made to my site and the results of the two merged before delivery. The oddest thing is the injected text is ABOUT the drugs concerned but there are no links that take the reader to a site selling the stuff.
I tried changing the qw to something else - at random - but I get normal page loads every time, which I’d expect as the parameters are ignored. So what’s so special about qw?
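A diagnostic check for the symptom described above, added here as an example and not part of the original post: it scans the site's own access log for requests carrying parameters the application does not read (such as `qw`) and compares their status and response size with the same path requested normally. The combined log format, `KNOWN_PARAMS`, the path and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Parameters the application really reads (assumed names for this example).
KNOWN_PARAMS = {"id", "page"}

# Constructed sample lines in Apache/nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /article.php?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:09 +0000] "GET /article.php?id=7&qw=31 HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:15 +0000] "GET /article.php?id=7&qw=12 HTTP/1.1" 503 310 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:01:02 +0000] "GET /article.php?id=7&zz=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

def parse(lines):
    """Yield (ip, path, param_names, status, size) for each parseable line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, status, size = m.groups()
        url = urlsplit(target)
        names = {k for k, _ in parse_qsl(url.query, keep_blank_values=True)}
        yield ip, url.path, names, int(status), 0 if size == "-" else int(size)

def unknown_param_report(lines, known=KNOWN_PARAMS):
    """Group requests by unknown parameter name and flag responses whose
    status or size differs from the same path requested with known parameters."""
    baseline = defaultdict(list)   # path -> sizes of normal 200 responses
    hits = defaultdict(list)       # (path, param) -> [(status, size)]
    for _ip, path, names, status, size in parse(lines):
        extra = names - known
        if not extra and status == 200:
            baseline[path].append(size)
        for p in extra:
            hits[(path, p)].append((status, size))
    report = {}
    for (path, p), seen in hits.items():
        base = max(baseline.get(path, [0]))
        odd = [(s, n) for s, n in seen if s != 200 or (base and n > 2 * base)]
        report[(path, p)] = {"requests": len(seen), "anomalous": odd}
    return report

if __name__ == "__main__":
    for key, info in unknown_param_report(SAMPLE_LOG.splitlines()).items():
        print(key, info)
```

Log entries for `qw` with a body much larger than the normal page point to the altered response being produced on this server; no entries at all point to the request being answered before it reached the logged web server.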