• Resolved micasuh

    (@micasuh)


    This is so strange. I have a custom RSS feed that I’m using for feedburner. When I do a Feed Validator check, I’m coming up with a ton of spam at the end of the feed after the closing rss tag. All of this spam is coming from stopdesign.com, however, the author has already removed all of this spam from his site.

    Take a look at the validated feed link. Sometimes, you won’t see the spam at the end. At other times, you will.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter micasuh

    (@micasuh)

    BTW, I have no reason to believe the site has been hacked. There are no spam comments on the site, I’ve locked down all the directories with the correct CHMOD permissions, and I don’t know how these links are only occurring in the RSS feed and not the website.

    Could this be a SQL Injection attack? If so, why just the RSS feed? When someone subscribes to the feed using an application like Google Reader, they do not see any spam.

    Thread Starter micasuh

    (@micasuh)

    Oh wow, this is more than just RSS feed spam. However, it wasn’t visible to me until I viewed the site logged out.

    This also seems to be happening specifically to cached pages using WP Super Cache plugin. All recent pages that are cached are appending a series of links for drugs coming from an old stopdesign.com attack.

    They only appear on the HTML versions of these pages, which are the cached pages. Nothing seems to be affected on the dynamic pages.

    Thread Starter micasuh

    (@micasuh)

    Here’s a possible explanation of what’s going on.
    https://linux.byexamples.com/archives/397/wordpress-exploit-we-been-hit-by-hidden-spam-link-injection/

    Even after flushing the cache, every time a new cached page is created, the same links are injected and appended to the cached page. I have checked all my theme files and do not see any screwy code in there.

    Thread Starter micasuh

    (@micasuh)

    It looks like there’s some code that was injected into the wp-blog-header.php file. It’s in Base64 and is a VERY long code injection. How did this happen?!
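
Added example, not part of the original thread: a small Python check for the two symptoms described above, a very long Base64 blob inside a PHP file and extra content after the closing tag of a feed or cached page. It generalizes from wp-blog-header.php to any PHP file under a directory; the 200-character threshold, the list of decoder function names, and the sample strings are assumptions constructed for illustration.

```python
import base64
import re
from pathlib import Path

# Unbroken Base64 run; the 200-character floor is an assumed threshold to tune.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# PHP calls that commonly unpack such a blob before executing it (assumed list).
DECODER = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
CLOSERS = ("</rss>", "</feed>", "</html>")

def scan_php(source):
    """Return (line_no, blob_length, decoders_nearby) for each long Base64 run."""
    hits = []
    for m in B64_RUN.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        before = source[max(0, m.start() - 80):m.start()]
        names = sorted({d.lower() for d in DECODER.findall(before)})
        hits.append((line_no, len(m.group()), names))
    return hits

def trailing_content(page):
    """Return text after the last closing tag, ignoring HTML comments
    (caching plugins often append a comment footer there)."""
    lower = page.lower()
    ends = [lower.rfind(c) + len(c) for c in CLOSERS if c in lower]
    if not ends:
        return ""
    tail = re.sub(r"<!--.*?-->", "", page[max(ends):], flags=re.S)
    return tail.strip()

def scan_tree(root):
    """Walk a site directory and yield (path, finding) for suspicious files."""
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        if path.suffix == ".php":
            for hit in scan_php(text):
                yield path, hit
        elif path.suffix in (".html", ".xml") and trailing_content(text):
            yield path, trailing_content(text)[:80]

# Constructed samples: a harmless placeholder blob and a made-up link.
BLOB = base64.b64encode(b"constructed placeholder " * 20).decode()
SAMPLE_PHP = '<?php\neval(base64_decode("' + BLOB + '"));\nrequire "wp-load.php";\n'
SAMPLE_FEED = ("<rss><channel></channel></rss>\n"
               "<!-- cached page footer -->\n<a href='http://spam.example/'>x</a>")

if __name__ == "__main__":
    print(scan_php(SAMPLE_PHP))
    print(trailing_content(SAMPLE_FEED))
```

A hit from `scan_php` is a prompt to compare the file against a clean copy of the same WordPress release, since some legitimate code also calls `base64_decode`.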

  • The topic ‘RSS feed spam’ is closed to new replies.