RSS Feed Broken- Found Fault but need help

That isn’t in any core WordPress files, so it’s probably being inserted by either a plugin or your theme. Since you’ve already tried deactivating all of your plugins, try switching to the Default theme (WordPress 2.9) or the Twenty Ten theme (WordPress 3.0) to rule-out a theme-specific issue.

this is a malicous script that seems to affect IE and make firefox not work properly.

Somebody inserted this into one of my sites over the weekend as well – the only way I could get rid of it was to replace every PHP file on the site with backup versions. It took a while but as far as I can tell (be warned no expert) it did nothing to my database.

Hugh

Hugh and James,

Thanks very much for your responses, I have tried your suggestions – (thanks so much) unfortunately – no dice.

I have tried deactivating then deleting all the plugins – no joy

I have deactivated and and then deleted all the theme other than 2010 – again no joy.

I have replaced every file in the wordpress folder (other than wp-content) with a fresh and shiny new copy from the wordpress servers…and I’m still stuck.

So I guess this points to something in the WP-CONTENT folder, I’ve picked my way through all the php files in WP-CONTENT looking for something that looks like :

<script src=”https://onlineisdudescars.com/co.php”></script&gt;

But can’t find anything – is there anywhere else I can look ?
Is my database all up the spout perhaps?
Forgive my simple brains – i really need a helping hand here

right hang on. I’ve managed to clean out everything that looked nast and malicious and the RSS Validator is still giving me nasty looks.

However, the issue with site redirection to

“https://onlineisdudescars.com/co.php&#8221;

is fixed and I seem to be feeding RSS out as I’m getting feeds from my website on google reader. Hmmm….

Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

I had a look at you site a moment ago, and it looks as though the site redirection is still there.

I had to reinstall every PHP file on my site, wordpress and themes and it took me a while after I’d done that to work out that I needed to update wp-config.

The actual script redirect isn’t in plain code, but at the top of every PHP script I’d had a base64= (a numeric string) – sorry I didn’t keep to show you though. let me know if you need any help – be warned I’m no expert though, just going of my stumbling exzperience

Hugh

https://www.rvoodoo.com/2010/02/the-dreaded-base64-wordpress-hack-and-other-hacks-too

is my experience stumbling through similar problems. You can’t just remove the base64 stuff. That will get rid of the problem temporarily, but all that stuff got there somehow. You have a backdoor somewhere you need to find

one think that did strike me as odd was just before the attack someone searhed on yandex for “ракета кндр” which translates as DPRK Missile. No idea why I’d ever figure in that search. May be a coincedence or may mot

Hugh !

Thanks so much for your help – it seems to have fixed the problem! I replaced all the PHP files APART from the config.php so as to preserve the DB credentials etc.

The only one I didn’t check was where the problem was. Doh. Thanks so much, i was very close to flattening the site and starting again. RSS feeds are fine, no more redirections and I have since updated to the latest wordpress so hopefully this will close the backdoor issue.

Thanks to Hugh,James, Rev Voodoo for your help….!!!
Really appreciate your help.
Thankyou again
JACK

nice job,

but………..from evrything I’ve read its likely the hackers will of left a back door to do ti again. I’m going to go over by blog in an effort to find with a fine tooth comb tonight. It’d be a good effort on your part to do so to

https://ottopress.com/2009/hacked-wordpress-backdoors/

This script fixes this:

https://blog.sucuri.net/2010/05/simple-cleanup-solution-for-the-latest-wordpress-hack.html