There is a strange redirect that occurs when one searches for something on this wordpress site that I am helping to manage: http://mandiberg.com/.
One enters in a search term, click submit and are brought to a page with the URL http://www.mandiberg.com/?s=huei&searchsubmit=Search with an input box for human verification (Please verify that you are human, what is result of: 8 + 1 = ). It does not matter what the answer is, only that you get rid of the "?" that is in the input box, the page redirects you to some site that sells viagara: http://www.usrxdiler.com/.
I am not sure how relevant this is for this process but watching the bottom left corner for what pages are being loaded I am bounced through this 220.127.116.11/ijhfhf.php?mgtdfk=4534&nvhdl=skdje&gokk=ubmit -- some german site.
The search widget was never implemented on this site, however, whenever I go to a page that does not exist (mandiberg.com/oi2), the 404 page comes up and includes a search which also bounces you to the usrxdiler site (this is how this spam was first spotted). After adding a search to the footer on the site and attempting to use it the same thing happens.
I've gone through other documentation of similar 404 errors, but these mainly are just a replacing of the 404 page, not a search being inserted in there. I searched for hidden folders and plugins that I never installed (.k/ and wpppm), but everything is in order. I've searched through the site via ssh and ftp to find any thing that looks like the URLs above, and I've tried disabling all plugins and again searching to see if there was a difference to no avail.
I've also looked in the themes (currently using wpfolio-two with some child themes) to see if there was something put into the 404 file. None of the files in there have been changed since 2007, the only recent changes have been to the twentyeleven, twentytwelve, and twentythirteen themes.
One more useful bit of information was that in early September I had changed the .htaccess file to accommodate for different permalinks using the yoast permalink generator. To my knowledge this spam redirect did not occur before this time. I only learned of it one week ago.
Any information you can provide would be helpful. Thank you.