WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] RSS feed spam (5 posts)

  1. micasuh
    Member
    Posted 4 years ago #

    This is so strange. I have a custom RSS feed that I'm using for feedburner. When I do a Feed Validator check, I'm coming up with a ton of spam at the end of the feed after the closing rss tag. All of this spam is coming from stopdesign.com, however, the author has already removed all of this spam from his site.

    Take a look at the validated feed link. Sometimes, you won't see the spam at the end. At other times, you will.

  2. micasuh
    Member
    Posted 4 years ago #

    BTW, I have no reason to believe the site has been hacked. There's no spam comments on the site, I've locked down all the directories with the correct CHMOD permissions, and I don't know how these links are only occurring in the RSS feed and not the website.

    Could this be a SQL Injection attack? If so, why just the RSS feed? When someone subscribes to the feed using an application like Google Reader, they do not see any spam.

  3. micasuh
    Member
    Posted 4 years ago #

    Oh wow, this is more than just RSS feed spam. However, it wasn't visible to me until I viewed the site logged out.

    This also seems to be happening specifically to cached pages using WP Super Cache plugin. All recent pages that are cached are appending a series of links for drugs coming from an old stopdesign.com attack.

    They only appear on the HTML versions of these pages, which are the cached pages. Nothing seems to be affected on the dynamic pages.

  4. micasuh
    Member
    Posted 4 years ago #

    Here's a possible explanation of what's going on.
    http://linux.byexamples.com/archives/397/wordpress-exploit-we-been-hit-by-hidden-spam-link-injection/

    Even after flushing the cache, every time a new cached page is created, the same links are injected and appended to the cached page. I have checked all my theme files and do not see any screwy code in there.

  5. micasuh
    Member
    Posted 4 years ago #

    It looks like there's some code that was injected into wp-blog-header.php file. It's in base 64 and is a VERY long code injection. How did this happen?!

Topic Closed

This topic has been closed to new replies.

About this Topic