Blog hacked? UPDATED

This blog appears to have been hacked somehow.

This is my old blog and apart from a test posting the other day, I hadn’t added any new posts since May 2009.

Blog posts

However, when you view this blog’s feed in Google Reader it appears to be full of spammy posts.

Spammy posts in Google Reader

The spammy posts don’t show up when viewing the blog’s feed in Firefox (or Safari) RSS readers – it seems to be confined to Google Reader somehow.

Feed seen in Firefox

I also checked the backend mysql database and the spammy posts are not there so I’m not sure where they are coming from.

I was using the FeedBurner Feedsmith plugin for handling this blog’s feeds but I deactivated that over the weekend when I first became aware of this issue. I thought perhaps the FeedBurner feed may have been hacked so that if I turned it off, any cached spam posts would be cleared out after a day or so, however it seems to not only have persisted but more posts have been added.

Anyone any idea how this is happening and what I can do to stop it?


With help from Ewan – I discovered that (after looking around at a lot of other files) the wp-config.php file had been edited. The following line had been added


To be safe, I FTP’d in to the server, deleted the wp-config.php file and uploaded a clean one.

The site is now back to working as expected, apologies to anyone who was exposed to the spammy links.

I’ll now go back over the site again with the proverbial fine-toothed comb to see if I can find any other suspicious changes that were made to it.

9 thoughts on “Blog hacked? UPDATED”

  1. It looks like you’ve properly been hacked, some kind of SQL injection possibly, or looking at some of your source code, maybe it’s the theme – there’s definitely a couple of oddities in the theme itself.

    It looks like you’re already running WP 3.0.1, so there obvious answers are (on order of likelihood):

    Someone’s got your admin password via brute-force
    Someone’s got a backdoor via a theme or plugin you’re using
    Someone’s got a 0-day exploit for wordpress

    Realistically, I think someone with technical knowledge of wordpress security is going to need to login to your server and take a look.

    1. Thanks Ewan,

      One of the reasons I’m confused though is that I don’t see the spam in the mysql db, nor are they in the posts listing in the WP backend.

      They don’t show up when the feed is viewed in most feed readers except Google Reader.

      I’ll try going to the default theme to see if that helps.

  2. Just to confirm it, I’ve looked at in Firefox with the default user-agent, then again with the user-agent set to

    FeedFetcher-Google; (+

    Which is the google reader agent. When you view it with the feedfetcher ua, then the spammy posts appear

  3. This is how it’s done, any requests using the feedfetcher UA are given a 301 redirec to which in turn redirects to a very spammy feedburner feed. Because feedburner caches your old stuff, it looks like the new things are being injected in place.

    So it’s almost certainly a theme or module hack

    wget –user-agent=”FeedFetcher-Google; (+”
    –2010-11-23 09:41:03–
    Connecting to||:80… connected.
    HTTP request sent, awaiting response… 301 Moved Permanently
    Location: [following]
    –2010-11-23 09:41:03–
    Connecting to||:80… connected.
    HTTP request sent, awaiting response… 301 Moved Permanently
    Location: [following]
    –2010-11-23 09:41:04–
    Connecting to||:80… connected.
    HTTP request sent, awaiting response… 200 OK
    Length: unspecified [text/xml]
    Saving to: `ShadowCrushNews’


  4. As well as changing the theme, I’ve now also changed the Admin password for the blog.

    Ewan – that sounds bizarre to me that just changing the user agent, changes the displayed content, no?

  5. Only working for specific user-agents is typical masking, makes it less obvious for you to spot as the site owner – if you didn’t subscribe to your own blog in google reader, would you of noticed until someone pointed it out to you?

    It’s still occuring now with the default theme, so I think it’s either a module or has been inserted into the wordpress code itself (or at the server level, which is much less likely but harder to fix)

  6. Have you disabled all the modules too?

    Poking around, it suggests that the hack might be at the apache layer, can you see when your httpd.conf was last modified?

  7. I’ve disabled all the modules now except Akismet.

    Honestly I’m not sure how to access the httpd.conf file – I did have a look at the .htaccess and I pulled a couple of lines from that though I’m not sure they were responsible.

Comments are closed.