One of my readers alerted me that my latest blog post appears in
googlereader as spam, but when you click to go to my website, the post
is just fine on the website.
Here is what the text appears as in googlereader:
Buying Synthroid Proventil Price Natural Motilium Starlix Pill Order
Myambutol Purchase Rituxan Accutane Pill Natural Indocin Zyprexa Pill
Buy Zyrtec Online Order Noroxin Purchase Ventolin Pamelor For Sale
Natural Cytoxan Mentax For Sale Natural Emsam Requip Without
Prescription Generic Paxil Buy Vytorin Online Purchase Penisole
Purchase Ophthacare Natural Wellbutrin Sr Fludarabine Without
Prescription Azulfidine Without Prescription Protonix Pill Purchase
Gyne-lotrimin Topamax Without Prescription Purchase Motilium Evecare
For Sale Buy Yerba Diet Online Viramune Price Order Azulfidine Generic
Vermox Zerit Without Prescription Generic Flonase Natural Epivir-hbv
Diet Maxx Price Purchase Mevacor Buying Cialis Soft Generic [...]
Also, in the last ten or so posts, the body text has dissapeared, and
just the title appears, but when you click to go to my website,
everything is fine.
I faced the same problem today. I see that this problem only appears
for old users. If you subscribe to this feed today, the new feed will
appear fine.
I don't know how to fix the problem, one work around would be for old
users to unsubcribe and then subscribe to the feed again.
> One of my readers alerted me that my latest blog post appears in
> googlereader as spam, but when you click to go to my website, the post
> is just fine on the website.
> Here is what the text appears as in googlereader:
> Buying Synthroid Proventil Price Natural Motilium Starlix Pill Order
> Myambutol Purchase Rituxan Accutane Pill Natural Indocin Zyprexa Pill
> Buy Zyrtec Online Order Noroxin Purchase Ventolin Pamelor For Sale
> Natural Cytoxan Mentax For Sale Natural Emsam Requip Without
> Prescription Generic Paxil Buy Vytorin Online Purchase Penisole
> Purchase Ophthacare Natural Wellbutrin Sr Fludarabine Without
> Prescription Azulfidine Without Prescription Protonix Pill Purchase
> Gyne-lotrimin Topamax Without Prescription Purchase Motilium Evecare
> For Sale Buy Yerba Diet Online Viramune Price Order Azulfidine Generic
> Vermox Zerit Without Prescription Generic Flonase Natural Epivir-hbv
> Diet Maxx Price Purchase Mevacor Buying Cialis Soft Generic [...]
> Also, in the last ten or so posts, the body text has dissapeared, and
> just the title appears, but when you click to go to my website,
> everything is fine.
> I faced the same problem today. I see that this problem only appears
> for old users. If you subscribe to this feed today, the new feed will
> appear fine.
> I don't know how to fix the problem, one work around would be for old
> users to unsubcribe and then subscribe to the feed again.
> On Jun 17, 11:08 pm, "[email address]" wrote:
> > One of my readers alerted me that my latest blog post appears in
> > googlereader as spam, but when you click to go to my website, the post
> > is just fine on the website.
> > Here is what the text appears as in googlereader:
> > Buying Synthroid Proventil Price Natural Motilium Starlix Pill Order
> > Myambutol Purchase Rituxan Accutane Pill Natural Indocin Zyprexa Pill
> > Buy Zyrtec Online Order Noroxin Purchase Ventolin Pamelor For Sale
> > Natural Cytoxan Mentax For Sale Natural Emsam Requip Without
> > Prescription Generic Paxil Buy Vytorin Online Purchase Penisole
> > Purchase Ophthacare Natural Wellbutrin Sr Fludarabine Without
> > Prescription Azulfidine Without Prescription Protonix Pill Purchase
> > Gyne-lotrimin Topamax Without Prescription Purchase Motilium Evecare
> > For Sale Buy Yerba Diet Online Viramune Price Order Azulfidine Generic
> > Vermox Zerit Without Prescription Generic Flonase Natural Epivir-hbv
> > Diet Maxx Price Purchase Mevacor Buying Cialis Soft Generic [...]
> > Also, in the last ten or so posts, the body text has dissapeared, and
> > just the title appears, but when you click to go to my website,
> > everything is fine.
I am facing exactly the same problem as jennifer, including the loss
of body text -- which goes back to April '09. I am getting the
following spam on my new posts:
Three Sisters Pharmacy Valium Rehab List Painkillers Benzodiazepines
Buy Viagra Alternative Phentermine Lortab Online Can I Get A Buzz From
Ultram Does The Faa Test For Xanax Order Hydrocodone Online Getting
High On Valium Search Phentermine Adipex Cheap Diflucan Buy No
Phentermine Script Purchase Soma Xanax Deaths Viagra Clones Cheap
Fastin Ultram Withdrawls Order Cheap Viagra Buy Diazepam Inexpensive
Tenuate Online Pharmacies Discount Lexapro Valium Abuse And Effects
Buy Bontril Online Pharmacy Tenuate Buy Dospan Line Tenuate Medical
Uses Of Valium Buy [...]
I was notified of the problem yesterday by a reader.
> One of my readers alerted me that my latest blog post appears in
> googlereader as spam, but when you click to go to my website, the post
> is just fine on the website.
> Here is what the text appears as in googlereader:
> Buying Synthroid Proventil Price Natural Motilium Starlix Pill Order
> Myambutol Purchase Rituxan Accutane Pill Natural Indocin Zyprexa Pill
> Buy Zyrtec Online Order Noroxin Purchase Ventolin Pamelor For Sale
> Natural Cytoxan Mentax For Sale Natural Emsam Requip Without
> Prescription Generic Paxil Buy Vytorin Online Purchase Penisole
> Purchase Ophthacare Natural Wellbutrin Sr Fludarabine Without
> Prescription Azulfidine Without Prescription Protonix Pill Purchase
> Gyne-lotrimin Topamax Without Prescription Purchase Motilium Evecare
> For Sale Buy Yerba Diet Online Viramune Price Order Azulfidine Generic
> Vermox Zerit Without Prescription Generic Flonase Natural Epivir-hbv
> Diet Maxx Price Purchase Mevacor Buying Cialis Soft Generic [...]
> Also, in the last ten or so posts, the body text has dissapeared, and
> just the title appears, but when you click to go to my website,
> everything is fine.
When looking at the Google Cache for your latest post "My Apologies
for Spam in Google Reader (Click this Title)", there is a <div
id="_wp_footer"> that contains the same spam that appears in Google
Reader. The spam isn't there when visiting your website directly.
Have you made any recent changes to your blog? If not, maybe this is a
clever PHP script injection that adds spam only to requests from
Google?
> I am facing exactly the same problem as jennifer, including the loss
> of body text -- which goes back to April '09. I am getting the
> following spam on my new posts:
> Three Sisters Pharmacy Valium Rehab List Painkillers Benzodiazepines
> Buy Viagra Alternative Phentermine Lortab Online Can I Get A Buzz From
> Ultram Does The Faa Test For Xanax Order Hydrocodone Online Getting
> High On Valium Search Phentermine Adipex Cheap Diflucan Buy No
> Phentermine Script Purchase Soma Xanax Deaths Viagra Clones Cheap
> Fastin Ultram Withdrawls Order Cheap Viagra Buy Diazepam Inexpensive
> Tenuate Online Pharmacies Discount Lexapro Valium Abuse And Effects
> Buy Bontril Online Pharmacy Tenuate Buy Dospan Line Tenuate Medical
> Uses Of Valium Buy [...]
> I was notified of the problem yesterday by a reader.
> Obviously, there's something amiss. The spam is not showing up in
> Bloglines.
> On Jun 17, 8:08 pm, "[email address]" wrote:
> > One of my readers alerted me that my latest blog post appears in
> > googlereader as spam, but when you click to go to my website, the post
> > is just fine on the website.
> > Here is what the text appears as in googlereader:
> > Buying Synthroid Proventil Price Natural Motilium Starlix Pill Order
> > Myambutol Purchase Rituxan Accutane Pill Natural Indocin Zyprexa Pill
> > Buy Zyrtec Online Order Noroxin Purchase Ventolin Pamelor For Sale
> > Natural Cytoxan Mentax For Sale Natural Emsam Requip Without
> > Prescription Generic Paxil Buy Vytorin Online Purchase Penisole
> > Purchase Ophthacare Natural Wellbutrin Sr Fludarabine Without
> > Prescription Azulfidine Without Prescription Protonix Pill Purchase
> > Gyne-lotrimin Topamax Without Prescription Purchase Motilium Evecare
> > For Sale Buy Yerba Diet Online Viramune Price Order Azulfidine Generic
> > Vermox Zerit Without Prescription Generic Flonase Natural Epivir-hbv
> > Diet Maxx Price Purchase Mevacor Buying Cialis Soft Generic [...]
> > Also, in the last ten or so posts, the body text has dissapeared, and
> > just the title appears, but when you click to go to my website,
> > everything is fine.
> When looking at the Google Cache for your latest post "My Apologies
> for Spam in Google Reader (Click this Title)", there is a <div
> id="_wp_footer"> that contains the same spam that appears in Google
> Reader. The spam isn't there when visiting your website directly.
> Have you made any recent changes to your blog? If not, maybe this is a
> clever PHP script injection that adds spam only to requests from
> Google?
> - Nick
> On Jun 19, 10:05 pm, DanOestreich wrote:
> > I am facing exactly the same problem as jennifer, including the loss
> > of body text -- which goes back to April '09. I am getting the
> > following spam on my new posts:
> > Three Sisters Pharmacy Valium Rehab List Painkillers Benzodiazepines
> > Buy Viagra Alternative Phentermine Lortab Online Can I Get A Buzz From
> > Ultram Does The Faa Test For Xanax Order Hydrocodone Online Getting
> > High On Valium Search Phentermine Adipex Cheap Diflucan Buy No
> > Phentermine Script Purchase Soma Xanax Deaths Viagra Clones Cheap
> > Fastin Ultram Withdrawls Order Cheap Viagra Buy Diazepam Inexpensive
> > Tenuate Online Pharmacies Discount Lexapro Valium Abuse And Effects
> > Buy Bontril Online Pharmacy Tenuate Buy Dospan Line Tenuate Medical
> > Uses Of Valium Buy [...]
> > I was notified of the problem yesterday by a reader.
> > Obviously, there's something amiss. The spam is not showing up in
> > Bloglines.
> > On Jun 17, 8:08 pm, "[email address]" wrote:
> > > One of my readers alerted me that my latest blog post appears in
> > > googlereader as spam, but when you click to go to my website, the post
> > > is just fine on the website.
> > > Here is what the text appears as in googlereader:
> > > Buying Synthroid Proventil Price Natural Motilium Starlix Pill Order
> > > Myambutol Purchase Rituxan Accutane Pill Natural Indocin Zyprexa Pill
> > > Buy Zyrtec Online Order Noroxin Purchase Ventolin Pamelor For Sale
> > > Natural Cytoxan Mentax For Sale Natural Emsam Requip Without
> > > Prescription Generic Paxil Buy Vytorin Online Purchase Penisole
> > > Purchase Ophthacare Natural Wellbutrin Sr Fludarabine Without
> > > Prescription Azulfidine Without Prescription Protonix Pill Purchase
> > > Gyne-lotrimin Topamax Without Prescription Purchase Motilium Evecare
> > > For Sale Buy Yerba Diet Online Viramune Price Order Azulfidine Generic
> > > Vermox Zerit Without Prescription Generic Flonase Natural Epivir-hbv
> > > Diet Maxx Price Purchase Mevacor Buying Cialis Soft Generic [...]
> > > Also, in the last ten or so posts, the body text has dissapeared, and
> > > just the title appears, but when you click to go to my website,
> > > everything is fine.
I had a similar problem and traced it to a hacked database entry
called "active_plugins" in the "wp_options" table. Look for any
additional "plugins" aside from the ones that you have enabled in your
general Wordpress admin area. I found a reference to an additional
file in an images subdirectory. It contained PHP code was getting
called and injecting a whole bunch of links into anything read by
Google.
> The only change I've made to my blog is upgrading from Wordpress 2.7.1
> to 2.8. Do you think that could be involved? Otherwise, no changes.
> On Jun 19, 8:30 am, Nick120 wrote:
> > When looking at the Google Cache for your latest post "My Apologies
> > for Spam in Google Reader (Click this Title)", there is a <div
> > id="_wp_footer"> that contains the same spam that appears in Google
> > Reader. The spam isn't there when visiting your website directly.
> > Have you made any recent changes to your blog? If not, maybe this is a
> > clever PHP script injection that adds spam only to requests from
> > Google?
> > - Nick
> > On Jun 19, 10:05 pm, DanOestreich wrote:
> > > I am facing exactly the same problem as jennifer, including the loss
> > > of body text -- which goes back to April '09. I am getting the
> > > following spam on my new posts:
> > > Three Sisters Pharmacy Valium Rehab List Painkillers Benzodiazepines
> > > Buy Viagra Alternative Phentermine Lortab Online Can I Get A Buzz From
> > > Ultram Does The Faa Test For Xanax Order Hydrocodone Online Getting
> > > High On Valium Search Phentermine Adipex Cheap Diflucan Buy No
> > > Phentermine Script Purchase Soma Xanax Deaths Viagra Clones Cheap
> > > Fastin Ultram Withdrawls Order Cheap Viagra Buy Diazepam Inexpensive
> > > Tenuate Online Pharmacies Discount Lexapro Valium Abuse And Effects
> > > Buy Bontril Online Pharmacy Tenuate Buy Dospan Line Tenuate Medical
> > > Uses Of Valium Buy [...]
> > > I was notified of the problem yesterday by a reader.
> > > Obviously, there's something amiss. The spam is not showing up in
> > > Bloglines.
> > > On Jun 17, 8:08 pm, "[email address]" wrote:
> > > > One of my readers alerted me that my latest blog post appears in
> > > > googlereader as spam, but when you click to go to my website, the post
> > > > is just fine on the website.
> > > > Here is what the text appears as in googlereader:
> > > > Buying Synthroid Proventil Price Natural Motilium Starlix Pill Order
> > > > Myambutol Purchase Rituxan Accutane Pill Natural Indocin Zyprexa Pill
> > > > Buy Zyrtec Online Order Noroxin Purchase Ventolin Pamelor For Sale
> > > > Natural Cytoxan Mentax For Sale Natural Emsam Requip Without
> > > > Prescription Generic Paxil Buy Vytorin Online Purchase Penisole
> > > > Purchase Ophthacare Natural Wellbutrin Sr Fludarabine Without
> > > > Prescription Azulfidine Without Prescription Protonix Pill Purchase
> > > > Gyne-lotrimin Topamax Without Prescription Purchase Motilium Evecare
> > > > For Sale Buy Yerba Diet Online Viramune Price Order Azulfidine Generic
> > > > Vermox Zerit Without Prescription Generic Flonase Natural Epivir-hbv
> > > > Diet Maxx Price Purchase Mevacor Buying Cialis Soft Generic [...]
> > > > Also, in the last ten or so posts, the body text has dissapeared, and
> > > > just the title appears, but when you click to go to my website,
> > > > everything is fine.
> I had a similar problem and traced it to a hacked database entry
> called "active_plugins" in the "wp_options" table. Look for any
> additional "plugins" aside from the ones that you have enabled in your
> general Wordpress admin area. I found a reference to an additional
> file in an images subdirectory. It contained PHP code was getting
> called and injecting a whole bunch of links into anything read by
> Google.
> Hope this helps; Good Luck!
> - Nick
> On Jun 19, 11:42 pm, DanOestreich wrote:
> > Hmm. Thanks, Nick.
> > The only change I've made to my blog is upgrading from Wordpress 2.7.1
> > to 2.8. Do you think that could be involved? Otherwise, no changes.
> > On Jun 19, 8:30 am, Nick120 wrote:
> > > When looking at the Google Cache for your latest post "My Apologies
> > > for Spam in Google Reader (Click this Title)", there is a <div
> > > id="_wp_footer"> that contains the same spam that appears in Google
> > > Reader. The spam isn't there when visiting your website directly.
> > > Have you made any recent changes to your blog? If not, maybe this is a
> > > clever PHP script injection that adds spam only to requests from
> > > Google?
> > > - Nick
> > > On Jun 19, 10:05 pm, DanOestreich wrote:
> > > > I am facing exactly the same problem as jennifer, including the loss
> > > > of body text -- which goes back to April '09. I am getting the
> > > > following spam on my new posts:
> > > > Three Sisters Pharmacy Valium Rehab List Painkillers Benzodiazepines
> > > > Buy Viagra Alternative Phentermine Lortab Online Can I Get A Buzz From
> > > > Ultram Does The Faa Test For Xanax Order Hydrocodone Online Getting
> > > > High On Valium Search Phentermine Adipex Cheap Diflucan Buy No
> > > > Phentermine Script Purchase Soma Xanax Deaths Viagra Clones Cheap
> > > > Fastin Ultram Withdrawls Order Cheap Viagra Buy Diazepam Inexpensive
> > > > Tenuate Online Pharmacies Discount Lexapro Valium Abuse And Effects
> > > > Buy Bontril Online Pharmacy Tenuate Buy Dospan Line Tenuate Medical
> > > > Uses Of Valium Buy [...]
> > > > I was notified of the problem yesterday by a reader.
> > > > Obviously, there's something amiss. The spam is not showing up in
> > > > Bloglines.
> > > > On Jun 17, 8:08 pm, "[email address]" wrote:
> > > > > One of my readers alerted me that my latest blog post appears in
> > > > > googlereader as spam, but when you click to go to my website, the post
> > > > > is just fine on the website.
> > > > > Here is what the text appears as in googlereader:
> > > > > Buying Synthroid Proventil Price Natural Motilium Starlix Pill Order
> > > > > Myambutol Purchase Rituxan Accutane Pill Natural Indocin Zyprexa Pill
> > > > > Buy Zyrtec Online Order Noroxin Purchase Ventolin Pamelor For Sale
> > > > > Natural Cytoxan Mentax For Sale Natural Emsam Requip Without
> > > > > Prescription Generic Paxil Buy Vytorin Online Purchase Penisole
> > > > > Purchase Ophthacare Natural Wellbutrin Sr Fludarabine Without
> > > > > Prescription Azulfidine Without Prescription Protonix Pill Purchase
> > > > > Gyne-lotrimin Topamax Without Prescription Purchase Motilium Evecare
> > > > > For Sale Buy Yerba Diet Online Viramune Price Order Azulfidine Generic
> > > > > Vermox Zerit Without Prescription Generic Flonase Natural Epivir-hbv
> > > > > Diet Maxx Price Purchase Mevacor Buying Cialis Soft Generic [...]
> > > > > Also, in the last ten or so posts, the body text has dissapeared, and
> > > > > just the title appears, but when you click to go to my website,
> > > > > everything is fine.
> > I had a similar problem and traced it to a hacked database entry
> > called "active_plugins" in the "wp_options" table. Look for any
> > additional "plugins" aside from the ones that you have enabled in your
> > general Wordpress admin area. I found a reference to an additional
> > file in an images subdirectory. It contained PHP code was getting
> > called and injecting a whole bunch of links into anything read by
> > Google.
> > Hope this helps; Good Luck!
> > - Nick
> > On Jun 19, 11:42 pm, DanOestreich wrote:
> > > Hmm. Thanks, Nick.
> > > The only change I've made to my blog is upgrading from Wordpress 2.7.1
> > > to 2.8. Do you think that could be involved? Otherwise, no changes.
> > > On Jun 19, 8:30 am, Nick120 wrote:
> > > > When looking at the Google Cache for your latest post "My Apologies
> > > > for Spam in Google Reader (Click this Title)", there is a <div
> > > > id="_wp_footer"> that contains the same spam that appears in Google
> > > > Reader. The spam isn't there when visiting your website directly.
> > > > Have you made any recent changes to your blog? If not, maybe this is a
> > > > clever PHP script injection that adds spam only to requests from
> > > > Google?
> > > > - Nick
> > > > On Jun 19, 10:05 pm, DanOestreich wrote:
> > > > > I am facing exactly the same problem as jennifer, including the loss
> > > > > of body text -- which goes back to April '09. I am getting the
> > > > > following spam on my new posts:
> > > > > Three Sisters Pharmacy Valium Rehab List Painkillers Benzodiazepines
> > > > > Buy Viagra Alternative Phentermine Lortab Online Can I Get A Buzz From
> > > > > Ultram Does The Faa Test For Xanax Order Hydrocodone Online Getting
> > > > > High On Valium Search Phentermine Adipex Cheap Diflucan Buy No
> > > > > Phentermine Script Purchase Soma Xanax Deaths Viagra Clones Cheap
> > > > > Fastin Ultram Withdrawls Order Cheap Viagra Buy Diazepam Inexpensive
> > > > > Tenuate Online Pharmacies Discount Lexapro Valium Abuse And Effects
> > > > > Buy Bontril Online Pharmacy Tenuate Buy Dospan Line Tenuate Medical
> > > > > Uses Of Valium Buy [...]
> > > > > I was notified of the problem yesterday by a reader.
> > > > > Obviously, there's something amiss. The spam is not showing up in
> > > > > Bloglines.
> > > > > On Jun 17, 8:08 pm, "[email address]" wrote:
> > > > > > One of my readers alerted me that my latest blog post appears in
> > > > > > googlereader as spam, but when you click to go to my website, the post
> > > > > > is just fine on the website.
> > > > > > Here is what the text appears as in googlereader:
> > > > > > Buying Synthroid Proventil Price Natural Motilium Starlix Pill Order
> > > > > > Myambutol Purchase Rituxan Accutane Pill Natural Indocin Zyprexa Pill
> > > > > > Buy Zyrtec Online Order Noroxin Purchase Ventolin Pamelor For Sale
> > > > > > Natural Cytoxan Mentax For Sale Natural Emsam Requip Without
> > > > > > Prescription Generic Paxil Buy Vytorin Online Purchase Penisole
> > > > > > Purchase Ophthacare Natural Wellbutrin Sr Fludarabine Without
> > > > > > Prescription Azulfidine Without Prescription Protonix Pill Purchase
> > > > > > Gyne-lotrimin Topamax Without Prescription Purchase Motilium Evecare
> > > > > > For Sale Buy Yerba Diet Online Viramune Price Order Azulfidine Generic
> > > > > > Vermox Zerit Without Prescription Generic Flonase Natural Epivir-hbv
> > > > > > Diet Maxx Price Purchase Mevacor Buying Cialis Soft Generic [...]
> > > > > > Also, in the last ten or so posts, the body text has dissapeared, and
> > > > > > just the title appears, but when you click to go to my website,
> > > > > > everything is fine.
Hrm. I renamed my wp-content/plugins dir to plugins.old and once it
was recreated by refreshing the plugins admin page in the Dashboard,
the spam was no longer there after a Google Reader refresh.
Annoyingly, though, I've moved all the plugins back, one by one, and
can't get it to happen again.
> > > I had a similar problem and traced it to a hacked database entry
> > > called "active_plugins" in the "wp_options" table. Look for any
> > > additional "plugins" aside from the ones that you have enabled in your
> > > general Wordpress admin area. I found a reference to an additional
> > > file in an images subdirectory. It contained PHP code was getting
> > > called and injecting a whole bunch of links into anything read by
> > > Google.
> > > Hope this helps; Good Luck!
> > > - Nick
> > > On Jun 19, 11:42 pm, DanOestreich wrote:
> > > > Hmm. Thanks, Nick.
> > > > The only change I've made to my blog is upgrading from Wordpress 2.7.1
> > > > to 2.8. Do you think that could be involved? Otherwise, no changes.
> > > > On Jun 19, 8:30 am, Nick120 wrote:
> > > > > When looking at the Google Cache for your latest post "My Apologies
> > > > > for Spam in Google Reader (Click this Title)", there is a <div
> > > > > id="_wp_footer"> that contains the same spam that appears in Google
> > > > > Reader. The spam isn't there when visiting your website directly.
> > > > > Have you made any recent changes to your blog? If not, maybe this is a
> > > > > clever PHP script injection that adds spam only to requests from
> > > > > Google?
> > > > > - Nick
> > > > > On Jun 19, 10:05 pm, DanOestreich wrote:
> > > > > > I am facing exactly the same problem as jennifer, including the loss
> > > > > > of body text -- which goes back to April '09. I am getting the
> > > > > > following spam on my new posts:
> > > > > > Three Sisters Pharmacy Valium Rehab List Painkillers Benzodiazepines
> > > > > > Buy Viagra Alternative Phentermine Lortab Online Can I Get A Buzz From
> > > > > > Ultram Does The Faa Test For Xanax Order Hydrocodone Online Getting
> > > > > > High On Valium Search Phentermine Adipex Cheap Diflucan Buy No
> > > > > > Phentermine Script Purchase Soma Xanax Deaths Viagra Clones Cheap
> > > > > > Fastin Ultram Withdrawls Order Cheap Viagra Buy Diazepam Inexpensive
> > > > > > Tenuate Online Pharmacies Discount Lexapro Valium Abuse And Effects
> > > > > > Buy Bontril Online Pharmacy Tenuate Buy Dospan Line Tenuate Medical
> > > > > > Uses Of Valium Buy [...]
> > > > > > I was notified of the problem yesterday by a reader.
> > > > > > Obviously, there's something amiss. The spam is not showing up in
> > > > > > Bloglines.
> > > > > > On Jun 17, 8:08 pm, "[email address]" wrote:
> > > > > > > One of my readers alerted me that my latest blog post appears in
> > > > > > > googlereader as spam, but when you click to go to my website, the post
> > > > > > > is just fine on the website.
> > > > > > > Here is what the text appears as in googlereader:
> > > > > > > Buying Synthroid Proventil Price Natural Motilium Starlix Pill Order
> > > > > > > Myambutol Purchase Rituxan Accutane Pill Natural Indocin Zyprexa Pill
> > > > > > > Buy Zyrtec Online Order Noroxin Purchase Ventolin Pamelor For Sale
> > > > > > > Natural Cytoxan Mentax For Sale Natural Emsam Requip Without
> > > > > > > Prescription Generic Paxil Buy Vytorin Online Purchase Penisole
> > > > > > > Purchase Ophthacare Natural Wellbutrin Sr Fludarabine Without
> > > > > > > Prescription Azulfidine Without Prescription Protonix Pill Purchase
> > > > > > > Gyne-lotrimin Topamax Without Prescription Purchase Motilium Evecare
> > > > > > > For Sale Buy Yerba Diet Online Viramune Price Order Azulfidine Generic
> > > > > > > Vermox Zerit Without Prescription Generic Flonase Natural Epivir-hbv
> > > > > > > Diet Maxx Price Purchase Mevacor Buying Cialis Soft Generic [...]
> > > > > > > Also, in the last ten or so posts, the body text has dissapeared, and
> > > > > > > just the title appears, but when you click to go to my website,
> > > > > > > everything is fine.
Nick - I have not changed anything about my blog recently. Thanks for
the curl tip - I will check that out.
Please continue to post here, everyone, if you figure anything else
out. I am a bit relieved that it is not just me having this issue -
hopefully we can get it resloved faster that way.
Same problem here. I also recently upgraded to 2.8, using the auto-
update (which I've now read can be problematic). My feed only looks
spammy in Google Reader.
I've been looking through my directories but haven't seen anything
suspicious, and nothing new with the plugins: although I did briefly
have an error on my plugins page claiming it was missing a cache file,
that has gone away today.
> Nick - I have not changed anything about my blog recently. Thanks for
> the curl tip - I will check that out.
> Please continue to post here, everyone, if you figure anything else
> out. I am a bit relieved that it is not just me having this issue -
> hopefully we can get it resloved faster that way.
My host support team at oxxus.net reports it has found some but not
all of the hacker's code. I've asked them for more information and
will pass it along as I learn more. Thanks everybody.
> Same problem here. I also recently upgraded to 2.8, using the auto-
> update (which I've now read can be problematic). My feed only looks
> spammy in Google Reader.
> I've been looking through my directories but haven't seen anything
> suspicious, and nothing new with the plugins: although I did briefly
> have an error on my plugins page claiming it was missing a cache file,
> that has gone away today.
> On Jun 20, 9:27 am, "[email address]" wrote:
> > Thanks for the help everyone!
> > Nick - I have not changed anything about my blog recently. Thanks for
> > the curl tip - I will check that out.
> > Please continue to post here, everyone, if you figure anything else
> > out. I am a bit relieved that it is not just me having this issue -
> > hopefully we can get it resloved faster that way.
I found two files in ironically the akismet plugin directory that look
to be the cause of the problem. .akismet.cache.php
and .akismet.cache_01072008.php. Haven't been able to figure out yet
though how they got there. Unfortunately my access logs do not go back
far enough to see what might have caused the infection.
Where are those files exactly? How could I locate them or view them?
I do not see them in my askimet plugin directory.
This is interesting because just before I posted -- and learned that
Google Reader was showing spam -- I noticed that there were six large
spam comments that Askimet had caught. I deleted them all as spam. My
recollection is that they followed exactly the same format we now see
on the spam posts -- line after line after line of websites being
listed.
> I found two files in ironically the akismet plugin directory that look
> to be the cause of the problem. .akismet.cache.php
> and .akismet.cache_01072008.php. Haven't been able to figure out yet
> though how they got there. Unfortunately my access logs do not go back
> far enough to see what might have caused the infection.
> Where are those files exactly? How could I locate them or view them?
> I do not see them in my askimet plugin directory.
> This is interesting because just before I posted -- and learned that
> Google Reader was showing spam -- I noticed that there were six large
> spam comments that Askimet had caught. I deleted them all as spam. My
> recollection is that they followed exactly the same format we now see
> on the spam posts -- line after line after line of websites being
> listed.
> On Jun 22, 12:06 pm, ChrisZ wrote:
> > I found two files in ironically the akismet plugin directory that look
> > to be the cause of the problem. .akismet.cache.php
> > and .akismet.cache_01072008.php. Haven't been able to figure out yet
> > though how they got there. Unfortunately my access logs do not go back
> > far enough to see what might have caused the infection.- Hide quoted text -
I'm in the same boat. I've been seeing spam links in my RSS feed only
on Google Reader both on Mac and PC computers. Site: http://www.jmg-galleries.com/blog/
"The attacker installed r57shell.php, which is basically a rootkit for
webservers. It showed up as wp-xmlrpc.php in my uploads directory."
I'd post the entire code, but I don't want people finding it and
modifying it for future use. If someone at Google would like to see
it I can be reached through my web site.
> I'm in the same boat. I've been seeing spam links in my RSS feed only
> on Google Reader both on Mac and PC computers. Site:http://www.jmg-galleries.com/blog/
> "The attacker installed r57shell.php, which is basically a rootkit for
> webservers. It showed up as wp-xmlrpc.php in my uploads directory."
> I'd post the entire code, but I don't want people finding it and
> modifying it for future use. If someone at Google would like to see
> it I can be reached through my web site.
> > I'm in the same boat. I've been seeing spam links in my RSS feed only
> > on Google Reader both on Mac and PC computers. Site:http://www.jmg-galleries.com/blog/
Yesterday, one of my awesome readers alerted me of the problem on my
blog. My feed was showing spammy content in Google reader, but when I
viewed the feed using my browser, it showed up fine. I checked it out
in Google Reader/Google Cache and realized *something* was amiss.
After investigating, I found the culprit (for WP users) and a solution
which may get some people up and running again.
First off, as a few have already mentioned, the first place to check
is your plugin folder. On my site, the script was hiding in the wp-
amazon plugin folder and on another it was hiding in *both* the
akismet and statpress/def/ folders. The files that are the problem are
*hidden* files, meaning they are preceded with a period --
example: .akismet.bak.php or .README.bak.php, etc. (No plugins that
I've come across require hidden files, but you may want to double
check with the plugin author before following the next step.)
1. Immediately delete those hidden plugin files. Remember, check *all*
of your plugins/plugin folders for those files.
That's only the first bit.
I decided to open up one of the files and at first, I was greeted by a
whole bunch of gibberish (ultimately commented out PHP text), but
scattered in between was actual executable PHP code. That lead me to
strip out the comments and what I found was *not good* by any
definition.
It turns out that there was a chunk of PHP code hidden in one of the
WordPress options table (specifically, the option table related to
showing you random plugins in your dashboard). To someone not
specifically looking for it, it's quite easy to miss.
So, that brings me to step two...and it's important that if you're
worried about altering a DB table, that you make a back up of the
content first or ask someone you trust to help you.
2. In the wp_options table (it might be different if you're using a
different prefix than 'wp_') and search for
option_name='rss_f541b3abd05e7962fcab37737f40fad8'; *or something
similar*.
One thing I've noticed is that it will be one of the few, if not the
only, 'rss_randomstring' option that's listed as 'yes' for autoload.
Once you've located that particular option row, copy the contents and
paste it into a blank plain text document (i.e. Notepad) and save it
as a back up. Then, search for the chunk that starts with "events or a
cale";s:7:';))"==" (it will be followed by a *huge* chunk of gibberish
letters and numbers) and delete all of it through to "edoced_46esab
(lave';s:150:"There are options under the widget options to specify
the view of the calendar in the sidebar. The widget can be a list for
upcoming".
After deleting the offending code, update the row.
That should take care of the immediate problem. However, there are
still a couple things I'd recommend doing afterward...
1. Disable user registration if it's open and immediately delete any
suspicious user accounts from your blog
2. Change your WordPress username/password from the MySQL level
3. Change your database user/password combination (update your wp-
config.php file according)
4, Make sure your wp-config.php file is up to late with the latest
security stuff (especially if you've successively upgraded from a
version of WP prior to 2.6.x) and if not, make sure you've actually
*changed* the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and 'NONCE_KEY
from their default values.
Since this is a tricky one to spot as it's not visible to the naked
eye and the spammer went so far as to add your host's IP to a block
list so it won't be immediately visible (I decrypted all the files/
code involved and it is *NASTY*), I recommend going through and check
*all* of your blogs if you have more than one.
Finally, keep a vigilant eye out for any suspicious activity on your
blog.
Thank you so much for tracking down this much of the problem. I was
able to take your information and go a step further. I posted my
findings here: http://www.theyellowbox.com/?p=252 In short, all that
gibberish-looking stuff is actually backward PHP code to evaluate some
other code, which is hidden from the non-programmer by a function
called base64_decode. I hope this helps Google, or WordPress, or one
or more of you, to figure out who's behind these attacks.
What I can't figure out is how they get the backwards code turned
around and evaluated. I will be following this thread to see if
anyone figures that part out. Thanks again "Today".
-Chris
|
