• I run a number of WordPress blogs for myself and my website clients

    Today I noticed that two of the sites are showing SPAM text instead of the post excerpt in the RSS feed in my Google Reader.

    Has anyone else had this issue? I’m just trying to figure out where to start in troubleshooting it.

Viewing 11 replies - 1 through 11 (of 11 total)
  • Check the sites. They may have been hacked.

    Thread Starter maidanet

    (@maidanet)

    Does someone know which files of the WordPress package write the RSS feeds?

    An interesting find – someone emailed my client and said that the RSS feed for a previous post showed up as SPAM for him, but that post is fine in the RSS feed for me.

    Only today’s post looks like SPAM to me.

    Something similar has happened to me. Since I upgraded to 2.8, posts for my main RSS feed have been showing up as spam in Google Reader. However, the feed works fine in Bloglines, and not everyone is seeing it as spam.

    As far as I know the site is not hacked. I am checking the files now. Can anyone help?

    Okay, I think I have this fixed. I went and grabbed this plugin:

    https://www.ads-software.com/extend/plugins/wp-security-scan/

    and ran the scan. I discovered that some of my directories, including my /js directory, were dangerously writable. I used my FTP client to change these directories to the correct file permissions.

    That seems to have fixed the error, the spam is no longer showing up.

    I am having this same issue. I upgraded to 2.8 and it’s still a problem. The feed shows up fine in Bloglines, but as “buy vioxx…” in Google Reader. I restored my database back to a few days ago, and that didn’t take care of it.

    Any ideas? I have no idea where to look. Thanks!

    Thanks, Whooami. I suspected that might be the case, but was still digging around when I posted. Your link is very helpful. Working on it now.

    I just encountered something quite similar to this. (It’s actually a little different than what’s linked above.)

    After a bit of tracking, I discovered a few hidden files (i.e. files preceded by the period like .README.back.php) in my plugins folder–Akismet, StatPress, and WP-Amazon to name just a few–and these files used varying names.

    Once I opened up the files (after downloading them and deleting them immediately from the server), I discovered that it was executable PHP code obfuscated by a ton of PHP comments. When the comments were stripped out, it revealed it was looking for something in the DB–the wp_options table to be specific.

    Tracking down the options table code (‘rss_f541b…’) showed that there was encrypted (and reversed) PHP code hiding in the middle of the plugins data. There was a preg_match which told me where to look and after decrypting the data, it’s one nasty little chunk of script.

    I saved a copy before deleting it from my DB and changing my DB info.

    So, if someone is having a similar problem, I’d recommend deleting the plugin files you come across which are hidden and you *know* are not part of the original plugin package, then deleting the code from the encrypted code from the options table–it shouldn’t be difficult to miss because it looks like a chunk of gibberish that starts with something like ‘;))”==QfK0wOpc…’ and ends with something like ‘…JXZ”(edoced_46esab(lave’.

    I found the same problem and the files was

    .random.old.php
    .rss.old.php

    I also clean the entry in the DB

    Thread Starter maidanet

    (@maidanet)

    Here is a definitive guide on the problem and how to fix it –

    https://groups.google.com/group/google-reader-troubleshoot/browse_thread/thread/39a7eef288c65dd0/3d177143fb8f5be1?lnk=gst&q=spam#3d177143fb8f5be1

    I found the offending entry in my client’s db, and am keeping my fingers crossed that the next post will have a clean RSS description.

    Now I need to check my own blog. Sigh. Why can’t hackers find something useful to do?

    Hi,

    I just had this virus on two of my WP sites too. One was 2.7, one older.

    I think of it as a stealth virus since it does not change any behavior visible from your blog’s site nor from its control panel. But it does add a login that it can later use, plus active software on the site. And it will survive standard WP upgrades and re-installs (since it lives in the db and in plugin directories).

    Conclusion: Must keep WP up to date!

    To see where the virus was added, look in the database, in the wp-options table. (May have a different prefix depending on your settings.)

    In the options table, look for the record where option_name = active_plugins. It will have the names of the files added by the virus.

    Also look in the users table and delete any suspicious users, including those named “wordpress.”

    Also look in your blog’s directories on the server for any files such as remv.php

    Remember that you also need to change:
    1) Your database password that wp uses. (And change it in wp-config.php)
    2) Your admin password
    3) Your linux login password
    4) Your “secret phrases” set in wp-config. See the site https://api.www.ads-software.com/secret-key/1.1/
    and copy the result into your wp-config.php file.

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘RSS feed shows SPAM text instead of post excerpt’ is closed to new replies.