WordPress.org

Ready to get started?Download WordPress

Forums

Invalid RSS (40 posts)

  1. afcreatives
    Member
    Posted 3 years ago #

    Hi,

    My first post here. My RSS feed is not being validated by FeedBurner. Apparently there's an invalid line at the end :

    This feed does not validate.

    line 92, column 0: XML parsing error: <unknown>:92:0: junk after document element [help]

    <img heigth="1" width="1" border="0" src="http://imgddd.net/t.php?id=15896232">

    Don't know where it's coming from.. Site is at blog.afcreatives.com

  2. costicanu
    Member
    Posted 3 years ago #

    Do you have installed the wordpress autoresponder plugin?

  3. afcreatives
    Member
    Posted 3 years ago #

    No. I only have a few plugins running :
    Contact Form 7
    DiggDigg
    Google Analytics
    Google XML
    NextGEN
    Widget Logic

  4. costicanu
    Member
    Posted 3 years ago #

    Your site is hacked. Now I have a client that has the same problem.
    If you look at the source code of your site you can see that image insertion after the end of html tag. I though it was from that autoresponder plugin because it has some encrypted php code in it.

    As I see, client uses:
    Contact Form 7
    Google Analytics
    Google XML
    and
    NextGEN

    If you want to remove that image you can find it in index.php file.
    I will have a closer look to see If I can find the source of the hack.

    If you put others websites on that server, all of them will be attacked, only your current wordpress site will work. That tells me that can be a problem with a wordpress plugin. We will see, maybe someone discover the solution faster than us!

  5. afcreatives
    Member
    Posted 3 years ago #

    Oh.. I hope someone finds out the source of the hack..

    I will try and fix the issue as you told.. Thanks a lot.

  6. afcreatives
    Member
    Posted 3 years ago #

    I removed the link from the index.php page and it works now. Thanks.

  7. costicanu
    Member
    Posted 3 years ago #

    Yes, but unfortunately the hack is still there. Update WordPress and update all your plugins.

  8. rbbonfim
    Member
    Posted 3 years ago #

    Hi!

    I'm from Brazil and I also had the same problem (code "img" inserted after tag "<\html>"). But it did not happen only with my wordpress blog, but also with other sites that I have.

    :/

    I don't know yet the cause of this problem :(

  9. costicanu
    Member
    Posted 3 years ago #

    Maybe if you have more details. Give us a list of your plugins

  10. afcreatives
    Member
    Posted 3 years ago #

    Everything shows as updated, so it is not letting me update. There's an option to reinstall WordPress. Should I do that? Will my data be saved?

  11. batat
    Member
    Posted 3 years ago #

    Hi,

    I've notice the same hack problem on my ftp. Something added that <img /> tag in most of index.php files on the server, created .log/ directories and put few .php and .htaccess files like "girl.php" "southpark.php" etc with some mod_rewite rules in .htaccess. I don't have the exact source code, because I've deleted it as soon as I spotted it.

    I had an older version of WP installed in subfolder of my server, but I've never published it. Whole attack took place on the 21st of April.

    Hope you get some more info on that crap and help to identify the source.

    Best regards
    Batat

  12. esmi
    Forum Moderator
    Posted 3 years ago #

  13. afcreatives
    Member
    Posted 3 years ago #

    I don't have much experience with PHP. My site is new, so I think it might be better for me to just delete everything and start over. Remove the WordPress installation, delete the folders, delete the database and just reinstall everything.. But what if it is a plugin which is causing all this.. Then it'll just happen all over again =(

  14. afcreatives
    Member
    Posted 3 years ago #

    Checking Google Analytics, I can see that all the visits were from my city (most probably all by me), so I'm wondering if the culprit is a plugin, or something on my computer...

  15. costicanu
    Member
    Posted 3 years ago #

    Very easy to figure out if is from your computer. You're a designer, but maybe you have Dreamweaver or other editor. Open the editor, create a new html page, write something in the body of that html file and save it. If you have Dreamweaver write something in design mode. Save it, close,open it again and you will see if the malicious code is there. If is there don't forget announce here!

  16. afcreatives
    Member
    Posted 3 years ago #

    Hmm I'll try that right now..

  17. afcreatives
    Member
    Posted 3 years ago #

    Something very interesting happened just now. When windows started AVG said this :
    c:\windows\system32\dll.dll
    Trojan horse Downloader.Delf.EZZ

    There were multiple instances of it. When I tried cleaning it it said :
    "Object does not exist or is inaccessible"

    I created and saved an HTML and PHP file, and they seem to be ok..

  18. systemfarmer
    Member
    Posted 3 years ago #

    Hi,

    Same problem with debian server. Only wordpress sites affected.
    Trying to figure out where does it came from.

    SYSTEMFARMER
    http://systemfarmer.hu

  19. afcreatives
    Member
    Posted 3 years ago #

    My Google Analytics shows two visits from Brasov, Romania. That looks suspicious. How do I find out (or block) those IPs? Will that even help?

  20. afcreatives
    Member
    Posted 3 years ago #

    And those visits were the only ones with a bounce rate of more than 0%. They just visited one page and left the site...

  21. costicanu
    Member
    Posted 3 years ago #

    I just checked your site to see what's there, you gave that link, Romania doesn't looks suspicious.

  22. afcreatives
    Member
    Posted 3 years ago #

    Hmm ok.. I was just wondering that since I haven't really marketed my site, how come someone all the way from Romania is visiting hehe.

  23. costicanu
    Member
    Posted 3 years ago #

    Hehe, I have multiple internet connections, Ploiesti, Brasov, USA.

  24. jokmontoya
    Member
    Posted 3 years ago #

    I have same infection in 3 dedicated servers, all of them infected from 17:00 hours to 21:00 hours 27/04/2011 one of them have a just installed WordPress without any plugin in it. The other two dedicated servers in different providers are infected too, one of them only have a Prestashop site installed but protected by password because we was testing it.

    I think this must be a infection on one of our team computer, the third server is fully unconnected from the other 2 and without public access and the index is infected.

  25. futureexpat
    Member
    Posted 3 years ago #

    I also am getting a similar message when I try to validate my RSS feed, but my index.php is clean.

    I have disabled all my plugins, and it didn't make a difference. I am NOT a programmer and really need help with this.

  26. vargawebdesign
    Member
    Posted 3 years ago #

    Hi all,

    It seems to be not a "wordpress-specific" worm. I'm using joomla system and yesterday was the site hacked. In the public end of the site was nobody, because only i made some changes. The site is currently under contruction and has no back link, because I only just begann to build.

    Therefore my suspicion is:

    Itt is s server-side hack and nothing to do with the site itself.

  27. afcreatives
    Member
    Posted 3 years ago #

    What error are you getting? FeedBurner told me exactly what line was the problem..

  28. meerbas
    Member
    Posted 3 years ago #

    I got exactly the same problem.
    Got the same line of code "<img heigth="1" width="1" border="0" src="http://imgddd.net/t.php?id=15896232">" at the end of my website.

    I asked the company where my website is hosted about it, and the answer was: Your computer is propably infected.
    So I run a virus-scan , and got the same Trojan as 'afcreatives' got.
    What a coincedence!

    I guess this trojan is probobly a keylogger, which logged my username & pass from my computer..but i don't know how exactly.

  29. jokmontoya
    Member
    Posted 3 years ago #

    The files are modified over ftp. I checked it on our servers ftp log. All of them, only index files, were accessed by the same IP located in the Republic of Moldova. That IP could be the from the attacker or a zombie infected PC controlled from another country.

    The moment one of those index files is visited they upload a randomly named php (bush.php,thai.php,nba.php) file with the viral charge to the same location.

    Our theory is that we have a local windows trojan that is catching our ftp passwords. Some of the PCs have been formatted today by paranoid teammates. We have to check 3 more Windows PCs that are away from the office, they are offline until we can have them on Tuesday. We haven't found the trojan but may have been in one of the formatted PCs or in the other 3 that we have to check.

    I advise you to stop serving the webs until they are cleaned, changing all of your ftp passwords at least, check your DB passwords too if you have any local Mysql client. Our software with ftp access was Total Commander, Filezilla and PSPad, for mysql it was HeidiSql.

    If you have ssh access I can provide you with some commands to do a fast search and cleaning index files and to delete uploaded php files.

  30. arikrak
    Member
    Posted 3 years ago #

    The same thing happened to me on a non-wordpress site. I'm running a virus scan now to see if it finds anything. I don't think I accessed the site recently over FTP though, so I wonder if it could have hacked into the stored passwords in Filezilla?

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags