WordPress RSS feed hack
It wasn’t how I’d intended to spend my afternoon, trying to fix my WordPress installation from quite an annoying hack. This is one that only appears in the Google RSS feed, which completely threw me for quite a while. It seems to rely on sticking its advertising cack into areas that only Google uses, so you have been warned!
In the past hacks have been pretty easy to spot: simply look for a new file or a recently updated file, or failing that, search for the word(s) that are appearing in your feed that you didn’t write in your blog! Unfortunately the hackers are getting sneakier by the day. I still haven’t found the files that were inserted into my installation, so I had to replace everything instead (still a little worried that there might be something I’ve missed – I guess I’ll see when this post goes up!). The text search didn’t work either; apparently they’ve started base64-encoding the names of their pharmaceuticals. You could base64-encode the name and search, but it is too easy to do something else to hide it – reverse the letters, whatever, there are a lot more places for them to hide than I’ve got time to look.
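The “look for a new or recently updated file” step can be done mechanically, and more reliably than eyeballing timestamps (which an attacker can reset): hash every file in the live install and compare it against a fresh download of the same WordPress version. The script below is an added example for this post, not the author’s own method and not part of WordPress; the directory layout, the ignore list and the tampered files in `demo()` are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Paths that legitimately differ from a pristine download and should not be
# reported. Assumption: adjust for your site; plugins and themes need their own
# clean copies to compare against.
IGNORE_PREFIXES = ("wp-content/uploads/", "wp-config.php")


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large uploads do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def _ignored(rel: str) -> bool:
    return any(rel == pre or rel.startswith(pre) for pre in IGNORE_PREFIXES)


def compare_trees(clean: Path, live: Path) -> dict:
    """Report files that are new in, changed in, or missing from the live install."""
    clean_h, live_h = tree_hashes(clean), tree_hashes(live)
    return {
        "added": sorted(r for r in live_h if r not in clean_h and not _ignored(r)),
        "modified": sorted(
            r for r in live_h
            if r in clean_h and clean_h[r] != live_h[r] and not _ignored(r)
        ),
        "missing": sorted(r for r in clean_h if r not in live_h and not _ignored(r)),
    }


def demo() -> dict:
    """Constructed scenario (not a real site): a clean copy and a live copy in
    which one core file has had code appended and one extra file dropped in."""
    core = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/feed-rss2.php": "<?php // builds the RSS 2.0 feed\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp) / "clean", Path(tmp) / "live"
        for root in (clean, live):
            for rel, body in core.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        # Simulated tampering, applied to the live tree only.
        (live / "wp-includes/feed-rss2.php").write_text(
            core["wp-includes/feed-rss2.php"] + "<?php eval(base64_decode($hidden)); ?>\n"
        )
        (live / "wp-includes/feed-extra.php").write_text("<?php // dropped-in file\n")
        # Uploads differ on every site and must not be reported.
        (live / "wp-content/uploads").mkdir(parents=True)
        (live / "wp-content/uploads/photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice you would call `compare_trees(Path("/tmp/wordpress-clean"), Path("/var/www/blog"))` from a machine you trust, with the clean tree unpacked from a freshly downloaded archive of the exact same version; anything in `added` or `modified` outside the ignore list is what to open next. Hashing is preferable to checking modification times because mtimes are trivially forged, and a compromised host’s own `find`/`ls` should not be trusted to report on itself.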
In fact it looks like this is a hack that focussed on my WordPress database. This is a nightmare, because your posts and site look clean (indeed, ARE clean), and I couldn’t even see the problem in Feedreader, just Google’s Reader!
Anyway, my sequence was:
1) to change the FTP password.
2) to replace sections of the WordPress installation in sequence (I didn’t find any bogus files doing this, so there’s likely to be a follow-up post when I get to repeat this joyous activity, sifting for the sh#t).
3) to change the database user and password (maybe should have done this as #2? – Learn from my mistakes guys!)
4) panic to the wife (Archaeogeek), who, being a l33t systems admin, checks out with the following helpful links:
wordpress-pharma-hack from Pearsonified and
8-steps-to-clean-a-hacked-wordpress-blog from Knowit
I found the first helpful in looking for duff database entries (here I struck gold at least, and the blog hasn’t crumbled since removing the entries). There are lots of possible places where sh#t can get into your database weave, though, so I guess we’re going to have to look through more tables for it next time (or even this time)…
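Rather than guessing every disguise an attacker might use for the drug names mentioned earlier (base64, reversed letters, both at once, encoded twice), it is easier to decode whatever looks encoded in each database row and search the decoded text. The scanner below is an added example, not the post’s own method and not taken from either linked guide; the keyword list, the option names and the dump lines in `SAMPLE_DUMP` are constructed for the demonstration.

```python
import base64
import codecs
import re

# Illustrative keyword list (an assumption, not from the post): words that have
# no business appearing anywhere in this blog's database.
PHARMA_WORDS = ("viagra", "cialis", "levitra")

# Runs that look like base64 or hex; short runs are skipped to cut noise.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2}){12,}")
# PHP constructs that injected code leans on to hide its payload.
PHP_OBFUSCATION = re.compile(
    r"base64_decode|eval\s*\(|gzinflate|gzuncompress|str_rot13|strrev", re.I)
MAX_DEPTH = 3


def _try_b64(run: str):
    run = run.rstrip("=")
    run += "=" * (-len(run) % 4)          # repair padding of partial/reversed runs
    try:
        return base64.b64decode(run, validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return None


def decode_layers(text: str, depth: int = 0):
    """Yield (depth, text) for the text itself and, recursively, for the decoded
    contents of every base64/hex run in it, tried in both orientations, so a
    payload that was reversed and/or encoded more than once still surfaces."""
    yield depth, text
    if depth >= MAX_DEPTH:
        return
    candidates = []
    for m in B64_RUN.finditer(text):
        for run in (m.group(0), m.group(0)[::-1]):
            raw = _try_b64(run)
            if raw is not None:
                candidates.append(raw)
    for m in HEX_RUN.finditer(text):
        candidates.append(bytes.fromhex(m.group(0)))
    for raw in candidates:
        decoded = raw.decode("utf-8", "ignore")
        if decoded.strip():
            yield from decode_layers(decoded, depth + 1)


def plaintext_hits(text: str) -> set:
    """Keywords present as-is, reversed, or rot13'd within one layer."""
    low = text.lower()
    hits = set()
    for word in PHARMA_WORDS:
        if word in low:
            hits.add(word)
        if word[::-1] in low:
            hits.add(f"{word} (reversed)")
        if codecs.encode(word, "rot13") in low:
            hits.add(f"{word} (rot13)")
    return hits


def scan_line(line: str) -> list:
    reasons = []
    if PHP_OBFUSCATION.search(line):
        reasons.append("php obfuscation marker")
    for depth, layer in decode_layers(line):
        for hit in sorted(plaintext_hits(layer)):
            reasons.append(f"{hit} at decode depth {depth}")
    return list(dict.fromkeys(reasons))    # keep order, drop duplicates


def scan_dump(dump: str) -> dict:
    """Map 1-based line numbers of a mysqldump (or any text) to their findings."""
    findings = {}
    for n, line in enumerate(dump.splitlines(), start=1):
        reasons = scan_line(line)
        if reasons:
            findings[n] = reasons
    return findings


# Constructed sample dump (not a real site's data). Rows 3 and 4 show that a
# harmless long base64 value is not flagged while an encoded keyword is.
_HARMLESS = base64.b64encode(b"nothing to see here, just a widget title").decode()
_PLAIN_B64 = base64.b64encode(b"buy viagra online").decode()   # 'YnV5IHZpYWdyYSBvbmxpbmU='
_REV_TWICE = base64.b64encode(
    base64.b64encode("buy cialis online cheap"[::-1].encode())).decode()
SAMPLE_DUMP = "\n".join([
    "INSERT INTO `wp_options` VALUES (1,'siteurl','http://example.com','yes');",
    "INSERT INTO `wp_options` VALUES (2,'blogname','Archaeology and maps','yes');",
    f"INSERT INTO `wp_options` VALUES (3,'widget_text','{_HARMLESS}','yes');",
    f"INSERT INTO `wp_options` VALUES (4,'theme_extra','{_PLAIN_B64}','yes');",
    f"INSERT INTO `wp_options` VALUES (5,'cache_blob','{_REV_TWICE}','yes');",
    "INSERT INTO `wp_options` VALUES (6,'theme_hook','<?php eval(base64_decode($p)); ?>','yes');",
])

if __name__ == "__main__":
    for n, reasons in scan_dump(SAMPLE_DUMP).items():
        print(f"line {n}: {', '.join(reasons)}")
```

To use it on a real site, dump the whole database (for example `mysqldump -u user -p dbname > dump.sql`) and feed the file to `scan_dump`; it reads every table, so rows hidden in `wp_posts`, `wp_postmeta` or a plugin’s own table get the same treatment as `wp_options`. Long base64 values are normal in a WordPress database (serialised widget settings, transients, cached feeds), which is why the scanner decodes and searches rather than flagging the encoding itself. Since the injected text only showed up for Google, a complementary check I would add is to fetch the feed twice, once with a normal client and once sending a Googlebot `User-Agent`, and diff the two responses.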
Being online is like looking after a creche, I’d rather not have to clean these nappies again, but expect it to happen…
