Unwelcome WP 2.5.1 search box spam hack (9 posts)

  1. GrantBarrett
    Posted 8 years ago #

    I am running WordPress 2.5.1 and have had the following take place over the last 24 hours: people are able to search for certain strings containing code in the form of entities and "img+onerror" and are able to redirect the WP search results to outside sites.

    This is a web server log that includes the relevant lines of activity:


    You can see a sample of such redirects, now indexed by Google, here:


    This is an example of the rendered search page that is returned:


    I have done my best to lock down the blog but this is beyond my ken. I am currently looking for a way to disable searching for encoded entities in the search field, since it looks as though the search results page is interpreting them, which allows the hack to work. Also, it would be best if the "img+onerror" could not be passed this way.

  2. GrantBarrett
    Posted 8 years ago #

    PS: I have for the moment blocked the hack at the URL query level with this htaccess code, but it only superficially solves the problem.

    # Return 403 Forbidden for any request whose raw query string
    # contains "onerror" (case-sensitive; add [NC] to ignore case).
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} onerror
    RewriteRule .* - [F]
    </IfModule>
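
A model of why that rewrite rule is only a stop-gap, added here as an example (not code from the thread). It assumes, as Apache documents, that `RewriteCond %{QUERY_STRING} onerror` is a case-sensitive regular-expression match against the raw, still-percent-encoded query string, while WordPress sees the decoded value; the request strings are constructed, not taken from the poster's logs:

```python
"""Model of the .htaccess stop-gap (RewriteCond %{QUERY_STRING} onerror)
and of the query strings that slip past it.

Assumption: mod_rewrite applies the pattern as a case-sensitive regex to the
raw query string, before any percent-decoding.  WordPress, on the other hand,
works with the decoded value of the 's' parameter."""
import re
from urllib.parse import parse_qs

RULE = re.compile(r"onerror")             # RewriteCond %{QUERY_STRING} onerror
RULE_NC = re.compile(r"onerror", re.I)    # the same condition with the [NC] flag


def blocked(raw_query, rule=RULE):
    """True when the rewrite rule would answer 403 for this query string."""
    return rule.search(raw_query) is not None


def search_term(raw_query):
    """The value WordPress actually puts into $s after decoding the request."""
    return parse_qs(raw_query).get("s", [""])[0]


# Constructed requests, modelled on the "img onerror" attack the thread describes.
REQUESTS = {
    # exactly what the rule was written for
    "plain":   "s=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E",
    # mixed case: HTML attribute names are case-insensitive, the regex is not
    "case":    "s=%22%3E%3Cimg+src%3Dx+onError%3Dalert%281%29%3E",
    # percent-encoded 'o' (%6F): the rule never sees the decoded word
    "encoded": "s=%22%3E%3Cimg+src%3Dx+%6Fnerror%3Dalert%281%29%3E",
}


def triage(requests=REQUESTS):
    """For each request: (is it blocked, does the decoded term still carry
    an onerror handler?).  A (False, True) pair is a bypass."""
    return {
        name: (blocked(q), "onerror" in search_term(q).lower())
        for name, q in requests.items()
    }


if __name__ == "__main__":
    for name, (stopped, dangerous) in triage().items():
        print(f"{name:8s} blocked={stopped!s:5s} decoded term dangerous={dangerous}")
```

Adding `[NC]` closes the mixed-case variant but not the percent-encoded one, and neither variant covers other handlers (`onload`, `onmouseover`, ...), which is why the output escaping discussed later in the thread is the real fix.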
  3. GrantBarrett
    Posted 8 years ago #

    PPS: I also added this line to my robots.txt file, which will stop Google from indexing the spam URLs.

    Disallow: *onerror*

  4. iridiax
    Posted 8 years ago #

    Have you looked in your web site directories for suspicious files and looked in your WordPress and template files (functions.php, search.php, etc.) and .htaccess for anything suspicious? You should also notify your web host that you have been hacked.

    Lots of other websites have fallen prey to this search hack involving the site freeanp dot com. Do NOT visit these search results because they will attempt to install malware.

  5. GrantBarrett
    Posted 8 years ago #

    Yes, I have looked high and low for anything suspicious. So far, I've come up with naught. Still looking, though.

  6. GrantBarrett
    Posted 8 years ago #

    I'd like to confirm, after a thorough comparison of my directories to a previous download and a line-by-line inspection of core files, that this hack was done without changing a file on my drive, without inserting a new file, and without special access.

    As I wrote above, I believe this is simply a failure of WP to sanitize search input and output.

    Aside from the ideas I gave above, this hack can also be nullified by removing all instances of <?php echo $s; ?> from your search results page (which should be "search.php" in your "themes" folder in wp-content).

    In my search.php I had the PHP echo of the search term in three places: in the sidebar.php file that is called for inclusion by search.php, where it would auto-fill the search field there with the search term the user had just searched for; at the top of the page (but not in between the <title> tags) as a headline for the page; and right above the search results listing.

  7. iridiax
    Posted 8 years ago #

    Some of these hacks (especially the .htaccess ones) use whitespace to hide the hack, so the hacked code is pushed far off the right edge of the screen and the only indication of its presence is the horizontal scroll bar and the recent modification date of the hacked file.

    Have you looked in your database for anything amiss like new users?

  8. Donncha O Caoimh
    Posted 8 years ago #

    Your theme is at fault here. Instead of printing $s directly, your theme should sanitize it:
    <?php echo wp_specialchars($s, 1); ?>
    <?php echo attribute_escape($s); ?>

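A model of the three echo sites named in post 6 and of the escaping fix in post 8, added here as an example (it is not code from the thread or from WordPress). Python's `html.escape(..., quote=True)` stands in for `wp_specialchars($s, 1)` / `attribute_escape($s)`, on the assumption that both escape `<`, `>`, `&`, `"` and `'` the same way; the payload is constructed, modelled on the "img onerror" strings the thread describes:

```python
"""Why `<?php echo $s; ?>` in a theme's search.php is exploitable, and what
escaping the value changes.

Assumption: html.escape(s, quote=True) behaves like WordPress 2.5's
wp_specialchars($s, 1) / attribute_escape($s) for the characters that matter
here (<, >, &, double and single quotes)."""
import html
from html.parser import HTMLParser

# Constructed sample search term: closes the value="..." attribute of the
# search box, then injects an image whose error handler runs script.
PAYLOAD = '"><img src=x onerror=alert(document.cookie)>'


def raw(s):
    """What `<?php echo $s; ?>` emits."""
    return s


def escaped(s):
    """What wp_specialchars($s, 1) / attribute_escape($s) emit (modelled)."""
    return html.escape(s, quote=True)


def render_search_page(s, out=raw):
    """The three places post 6 lists: the sidebar search box (attribute
    context), the page headline, and the line above the results."""
    return (
        '<form action="/" method="get">'
        f'<input type="text" name="s" value="{out(s)}" /></form>\n'
        f'<h2>Search results for: {out(s)}</h2>\n'
        f'<p>You searched for {out(s)}</p>\n'
    )


class TagCollector(HTMLParser):
    """Record every start tag the browser would create, plus the value the
    search box ends up holding."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.search_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.search_value = dict(attrs).get("value")


def analyse(page):
    parser = TagCollector()
    parser.feed(page)
    return parser


def injected_tags(page):
    """Tags present in the parsed page that the theme itself never wrote."""
    expected = {"form", "input", "h2", "p"}
    return [t for t in analyse(page).tags if t not in expected]


if __name__ == "__main__":
    print("raw     :", injected_tags(render_search_page(PAYLOAD)))
    print("escaped :", injected_tags(render_search_page(PAYLOAD, escaped)))
    print("box holds:", analyse(render_search_page(PAYLOAD, escaped)).search_value)
```

With the raw echo every one of the three sites yields an `img` element with a live `onerror` handler; with the escaped echo no new element appears, yet the search box still displays exactly what the visitor typed, because the browser decodes the entities when it reads the attribute. Escaping the output is therefore lossless for legitimate searches, which is why it is the right fix rather than filtering input.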
  9. GrantBarrett
    Posted 8 years ago #

    Thanks, Donncha. That's exactly what was needed.

    Iridiax, when I examined the files I used BBEdit and turned on "Show Invisibles" which displays grey symbols for spaces, tabs, and the like.

Topic Closed

This topic has been closed to new replies.
