SitePoint Sponsor

User Tag List

Results 1 to 4 of 4
  1. #1
    SitePoint Evangelist jonbey's Avatar
    Join Date
    May 2007
    Posts
    507
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)

    WP Firewall - Offending Parameter: metdatacookie - what is it?

    In the last 24 hours my Wordpress Firewall has picked up hundreds of alerts that start like this:

    Offending Parameter: metdatacookie = 1920!927

    The number is often different, but in that format. What follows in a long string of characters etc. Sometimes there is a Google search in it, immediately after my URL, e.g.

    Offending IP: 24.255.169.197 [ Get IP location ] Offending Parameter: metdatacookie = 1440!698!http://www.mydomain.com/jack-lee-wor.../search?q=jack lee workout&sourceid=ie7&rls=com.microsoft:en-us:IE-SearchBox&ie=&oe=&rlz=1I7ADFA_en!3:0t172W01D1LD3S91300yDD3e91010xCD3e91000xMD3e3J03901UKH4G313F14MP4I111L1AuP4J230Q1D13P4M71101DiP4M91101CGP4M71001CSP4M71400CDP4M151105HCD3S370g05x1hD3S150105yDD3S170g06Z2eD3S270L06u1xD3S250L07BXD3S270L07W2TD3S250L07rND3S270L0872bD3S67000872sD3S358P115gP4l315512BH4n3156C3DA4q3162C1BA4s3123E1BA4u9110F0PA4u9113F1BA4s9301331kL4pc100F0oA4s0100F0DA4s-A4s,B1P:1C,BER:3a,cBH_

    I am a little concerned.....

    I installed a new WP theme the other day. Could there be a connection? I have run WP Security scan and it all looked OK, some alerts in the theme but I think only because of includes etc.

    I would like to whitelist this if I can as I am losing business if this is OK - hundreds of people each day are being sent to an error page by the Firewall.

  2. #2
    secure webapps for all Aleksejs's Avatar
    Join Date
    Apr 2008
    Location
    Riga, Latvia
    Posts
    755
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    After looking into it I found out that rlz is set by Google Chrome.
    http://en.wikipedia.org/wiki/Google_...Usage_tracking
    http://code.google.com/p/rlz/
    In your case - that is not valid rlz parameter (because it MUST be 20 characters).
    Why that happens and if you should block/whitelist these connections - frankly I don't know.
    Maybe - some privacy tool regenerates this value, so that user becomes untraceable to google... Maybe - it is some form of attack on something (say google analytics)
    Maybe - none of the above.

    Somebody who knows better should clarify this

  3. #3
    SitePoint Evangelist jonbey's Avatar
    Join Date
    May 2007
    Posts
    507
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Interesting, thanks. I am starting to think it is innocent, although still do not really understand it.

    I have searched Google for parts (parameters) and many do come up in search strings. Also saw Google toolbar mentioned, and some of the alerts mention Firefox, some IE. So maybe there is a problem at the moment with Google toolbar and the Wordpress Firewall. But I am guess.

    We need an expert.

  4. #4
    SitePoint Evangelist jonbey's Avatar
    Join Date
    May 2007
    Posts
    507
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    it may also have something to do with this:

    http://oreilly.com/pub/h/1090

    probably bots copying content.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •