WordPress.org


Spam Posts in Google Reader (5 posts)

  1. DanOestreich
    Member
    Posted 4 years ago #

    I'd like to call your attention to this thread: http://groups.google.com/group/google-reader-troubleshoot/browse_thread/thread/39a7eef288c65dd0.

    The thread describes how my own and others' blogs have been successfully hacked. At least four other people in the group and I have WordPress blogs. The effect is that spam posts show up in Google Reader although they do not appear on the person's own site. In the thread, Nick 120 correctly identifies the spam as showing up in a Google cache view (Source view) of my blog.

    Seems like you'd want to know so that a security fix could be created.

    My host support people (Oxxus.net) are removing the hacker's code and have removed some but not all. It appears to them that the attack was to 2.7.1 code. I'm on 2.8 now but the spam is still showing up.

    Thanks, and if you have more information that could help us out of this jam that would be great.

  2. newwebid
    Member
    Posted 4 years ago #

    I have a similar problem and I suspect it was because of the plugin (SI Captcha) I installed. Also, I think you mis-identified the problem: the same spam appears in My Yahoo!

    My issue is this: I installed WP on my ISP, the site works fine. But once I added it as a Google Reader feed, or to My Yahoo!, if I set my RSS feed to "summary only", then the spam appears at the first entry that does not have an "excerpt" field. But the spam is just a block of text. If I set my feed type to "full text", then the spam appears at the first entry as a link.

    The spam text in my case is:
    Buy ativan Without A Prescription Buy ativan Online Buy ativan C.O.D Buy ativan ativan Without Prescription ativan Without A Prescription ativan Side Effects ativan Prescription ativan Pill ativan Overnight ativan Online (and on and on)

    The link is to "imaginaria.com.ar"

    I downloaded and tried a few desktop RSS readers, but the spam didn't show up. If I just type my site's feed URL to a browser, the result is clean too (http://www.wuyibing.com/feed)

    Here is why I suspect that it had something to do with plugin -
    After I removed the SI Captcha plugin, after 15 minutes or so, the Google reader entry was all right. Another 15 min. more, My Yahoo! was OK too.

    Then after I put it back in, again, in 15-30 min. the same spam shows up again in both Google and Yahoo.

    I read the code for the plugin but didn't find a clue. I suspect the plugin calls a server for something and that server is hacked or hijacked.

  3. newwebid
    Member
    Posted 4 years ago #

    Please disregard the above posting. After reading the newer entries in the link Dan included in his first posting, I realized that a fix is already found.

    Search for newer comments from the users "Today I read ... something" and "John Wennerberg".

    In short, here is what you need to do:
    1. Find a database client and use it to connect to your WP database directly. If you do not know how to do this, ask your ISP for help.
    2. Search in the wp_options table and delete rows whose "option_name" field looks like: rss_[a long hex number] (some with _ts suffix)
    3. Search in the wp_users table, if you find a suspicious user (e.g. url is http://www.com or email you don't recognize), delete it

    Also, I would not search or try a plugin unless I know for sure it is safe. It looks like plugin is a backdoor for unauthorized content to sneak into the system.

    I would also disallow anyone to register with the site.

    Many thanks to the contributors on the Google Group thread.
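
Added example, not part of the original thread: the database cleanup steps listed in post 3, written as MySQL statements that list the rows for review before anything is deleted. It assumes the default `wp_` table prefix; the `{16,}` length for "a long hex number" and the backup table name are assumptions.

```sql
-- Added example; assumes MySQL and the default "wp_" table prefix.
-- Take a full database backup before running any DELETE.

-- 1. List candidate rows and preview their contents before deleting.
--    The {16,} length is an assumption for "a long hex number".
SELECT option_id,
       option_name,
       LENGTH(option_value)    AS value_bytes,
       LEFT(option_value, 200) AS value_preview
FROM   wp_options
WHERE  option_name REGEXP '^rss_[0-9a-f]{16,}(_ts)?$'
ORDER  BY option_name;

-- 2. Keep a copy of the rows for later analysis, then delete them.
CREATE TABLE wp_options_rss_backup AS  -- hypothetical table name
SELECT * FROM wp_options
WHERE  option_name REGEXP '^rss_[0-9a-f]{16,}(_ts)?$';

DELETE FROM wp_options
WHERE  option_name REGEXP '^rss_[0-9a-f]{16,}(_ts)?$';

-- 3. Review every account together with its role, newest first.
SELECT u.ID, u.user_login, u.user_email, u.user_url, u.user_registered,
       m.meta_value AS capabilities
FROM   wp_users u
LEFT JOIN wp_usermeta m
       ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
ORDER  BY u.user_registered DESC;

-- 4. After confirming an account is not yours, remove it and its metadata.
--    Replace 0 with the ID found in step 3 (0 matches no user).
DELETE FROM wp_usermeta WHERE user_id = 0;
DELETE FROM wp_users    WHERE ID = 0;
```

The saved copy in `wp_options_rss_backup` preserves the injected content for later inspection; drop the table once it is no longer needed.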

  4. rakkar3
    Member
    Posted 4 years ago #

    This has happened twice to me in two weeks, using the latest version of WordPress. When is this going to be fixed?

  5. whooami
    Member
    Posted 4 years ago #

    rakkar3, what's the URL to your blog? If you're still seeing the same problem, then more than likely you didn't plug all the holes.

Topic Closed

This topic has been closed to new replies.