Keeping Track Of Links, With Link Building Tools & Spreadsheets | Main | Daily Search Forum Recap: June 24, 2009

June 24, 2009

Hackers Seizing Control of RSS Feeds: Beware

A Google Reader Help thread reports an increase in the number of RSS feeds being hacked into and used to redirect subscribers to spammer sites.

Googler, Roger, from the Google Reader team said:

Thanks for reporting this problem. Unfortunately, we've seen similar problems with WordPress feeds being compromised in the past. We'll look into it further, but in the meantime, I encourage you all to alert WordPress to this issue via their support forums.

Roger seems to believe there is a loophole somewhere in WordPress allowing this.

Clearly, this is not only upsetting to the publishers and their subscribers, but also to search spam. Many RSS feeds are scraped and used to inject content into Google. Spammed feeds that are scraped are can be even more of an issue for search quality.

Forum discussion at Google Reader Help.



Like The Story? Vote For It On Yahoo Buzz! Or On Sphinn!

posted rustybrick in Spam at June 24, 2009 9:10 AM Comments (3)

Sphinn sphinn-favicon.pngTweet This! Twitter-16x16.pngDigg digg-favicon.jpgDelicious delicious-favicon.pngStumbleUpon delicious-favicon.pngGoogle Co-op google-favicon-16.png Cartoon Barry Says Socialize

Comments

This problem just happened to me not too long ago. It was one of my awesome readers who alerted me. However, when I checked the feed using only my browser it showed up normal, but when I checked via Google Reader only then was I able to see the hacked feed. So people should be advised that it may show up normal, but they should check it through a service to be sure.

 

Posted by Ann-Kat (Today, I Read...) at June 26, 2009 13:47

Just wanted to post a follow-up as I've officially tracked down some details about the problem (I'll also post to the Google page to let others know too).

To find out if you're affected, WP users should check their wp-content/plugins/ folders for any plugin files that begin with a period (i.e. .akismet.bak.php, etc.) and immediately delete them. It's important to check every plugin/plugin folder for these files as I found two on the same site lurking in different plugin folders.

Next, check the wp_options table for something like rss_f541b... and check for a string of code that looks like ';))"==QfK0wOpcyMyEzboNW...(edoced_46esab(lave' (the ... just signifies a bunch of additional gibberish characters) and immediately delete that chunk and update the table.

Once all this is done, it's super important to change your DB user/password along with your WP login details just to be on the safe side.

I just finished decrypting the entire file/DB code (which is just PHP code hiding in the DB) and it's nasty.

 

Posted by Ann-Kat (Today, I Read...) at June 26, 2009 16:00

The above worked great but even after I changed the db un/pw and wordpress un/pw it showed up again. I can't seem to find any odd files so the only thing I can think of is to backup my posts, delete everything, and start over.

 

Posted by keith at July 16, 2009 21:27

Post a comment (Note: Can Take 120 Seconds For Your Comment To Show Up)

Do you want us to save your personal Information?

Premium Sponsors + advertise

To subscribe to the Search Engine Roundtable, click here