Unwelcome WP 2.5.1 search box spam hack

PS: I have for the moment blocked the hack at the URL query level with this htaccess code, but it only superficially solves the problem.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_string} onerror
RewriteRule .* - [F]
</IfModule>

PPS: I also added this line to my robots.txt file, which will stop Google from indexing the spam URLs.

Disallow: *onerror*

Have you looked in your web site directories for suspicious files and looked in your WordPress and template files (functions.php, search,php, etc.) and .htaccess for anything suspicious? You should also notify your web host that you have been hacked.

Lots of other websites have fallen prey to this search hack involving the site freeanp dot com. Do NOT visit these search results because they will attempt to install malware.

Yes, I have looked high and low for anything suspicious. So far, I’ve come up with naught. Still looking, though.

I’d like to confirm that after a thorough comparison of my directories to a previous download, and after a line-by-line inspection of core files, that this hack was done without changing a file on my drive, without inserting a new file, and without special access.

As I wrote above, I believe this is simply a failure of WP to sanitize search input and output.

Aside from the ideas I gave above, this hack can also be nullified by removing all instances of <?php echo $s; ?> from your search results page (which should be “search.php” in your “themes” folder in wp-content).

In my search.php I had the php echo of the search term in three places: in the sidebar.php file that is called for inclusion by search.php, where it would auto-fill the search field there with the search term the user had just searched for; at the top of the page (but not in between the <title> tags) as a headline for the page, and right above the search results listing.

Some of these hacks (especially the .htaccess ones) use whitespace to hide the hack, so the hacked code is pushed far off the right edge of the screen and the only indication of its presence is the horizontal scroll bar and the recent modification date of the hacked file.

Have you looked in your database for anything amiss like new users?

Your theme is at fault here. Instead of printing $s directly, your theme should sanitize it:
<?php echo wp_specialchars($s, 1); ?>
or
<?php echo attribute_escape($s); ?>

Thanks, Donncha. That’s exactly what was needed.

Iridiax, when I examined the files I used BBEdit and turned on “Show Invisibles” which displays grey symbols for spaces, tabs, and the like.