A friend whose blog is hosted on my server (I'm sorry, I apologize, I can't give you the URL) reported me of a problem, however, for the life of me, I can't find from where the problem may come. He, as for him, states he didn't install fishy stuff, and since I am rather uptight on server security, I'd like to believe him.
The problem is with the Wp-PageNavi.
The "next page" / "previous page" URL links do start with the blog's URL/page/page_number...
they have SUPER DUPER CRAZY ITALIAN WALL OF TEXT added after them, and for the life of me, I can't figure out where it may come from ?!?
Four log entries with that stuff (the last line has the clearer text, with stuff like %20 converted into proper space characters) : http://pastebin.com/m2A8HaxG
I decided I'd fix it in five minutes and then parade as The Big Guy, but sadly, I failed at finding where it may come from.
The database didn't contain any mention of the words present in that long string of text, even fishy stuff like \xb7 that you'd rather expect from a code line than a straight text line.
The blog's internal files, themes, core, plugins, didn't contain any mention either.
Paranoid as I am, I searched for various eval, decode, and the like, but, nothing fishy, no backdoor or anything waving a little "hi" at me.
It only shows when one is not logged as admin. Thus, I suspected Wp-SuperCache, but deactivating right after emptying the code didn't change anything.
Lots of searching later, I found that that stayed as a permanent parameter in the blog's URL (www.website_adress.com/?s=This%20is%20called%20%2Aeffetto%20serra%2A%20muahuahauhhRispondi%20%B7%... ... ...) unless I re-typed the adress cleanly without the ?s= string - and then everything worked again correctly O_o
So, there are two problems, the apparition of this italian wall of text inside a search query, and also the fact that the search query doesn't disappear from the URL when we navigate through the blog's pages.
I'm absolutely puzzled and unable to find a fix.
Searching server logs didn't return anything useful in the error_log blog's file, but I haven't searched yet the access_log. Imagine, a grep "muahuahauhhRispond" access_log_file_name_for_that_blog > output.log returned a 1.5 GB text archive. That file is being currently recompressed to bzip2 before I download it and browse it.
Please, would someone have an idea about it ?
My pride is hurt, and I see an interesting challenge !
Thank you VERY MUCH if someone can help, throw ideas, pointers, everything is welcome :)