Hackers Seizing Control of RSS Feeds: Beware

Jun 24, 2009 • 9:10 am | comments (3) by twitter Google+ | Filed Under Search & Web SEO Spam
 

A Google Reader Help thread reports an increase in the number of RSS feeds being hacked into and used to redirect subscribers to spammer sites.

Googler, Roger, from the Google Reader team said:

Thanks for reporting this problem. Unfortunately, we've seen similar problems with WordPress feeds being compromised in the past. We'll look into it further, but in the meantime, I encourage you all to alert WordPress to this issue via their support forums.

Roger seems to believe there is a loophole somewhere in WordPress allowing this.

Clearly, this is not only upsetting to the publishers and their subscribers, but also to search spam. Many RSS feeds are scraped and used to inject content into Google. Spammed feeds that are scraped are can be even more of an issue for search quality.

Forum discussion at Google Reader Help.

Previous story: Keeping Track Of Links, With Link Building Tools & Spreadsheets
 

Comments:

Ann-Kat (Today, I Read...)

06/26/2009 05:47 pm

This problem just happened to me not too long ago. It was one of my awesome readers who alerted me. However, when I checked the feed using only my browser it showed up normal, but when I checked via Google Reader only then was I able to see the hacked feed. So people should be advised that it may show up normal, but they should check it through a service to be sure.

Ann-Kat (Today, I Read...)

06/26/2009 08:00 pm

Just wanted to post a follow-up as I've officially tracked down some details about the problem (I'll also post to the Google page to let others know too). To find out if you're affected, WP users should check their wp-content/plugins/ folders for any plugin files that begin with a period (i.e. .akismet.bak.php, etc.) and <strong>immediately delete them</strong>. It's important to check every plugin/plugin folder for these files as I found two on the same site lurking in different plugin folders. Next, check the wp_options table for something like rss_f541b... and check for a string of code that looks like <code>';))"==QfK0wOpcyMyEzboNW...(edoced_46esab(lave'</code> (the ... just signifies a bunch of additional gibberish characters) and immediately delete that chunk and update the table. Once all this is done, it's super important to change your DB user/password along with your WP login details just to be on the safe side. I just finished decrypting the entire file/DB code (which is just PHP code hiding in the DB) and it's nasty.

keith

07/17/2009 01:27 am

The above worked great but even after I changed the db un/pw and wordpress un/pw it showed up again. I can't seem to find any odd files so the only thing I can think of is to backup my posts, delete everything, and start over.

blog comments powered by Disqus