Has Feedcat.net been sold to hackers?
FeedCat.net is what is referred to as a “feed booster” – their services let you ‘boost’ your RSS feed to obtain more subscribers, more traffic, and more exposure. I use this service on one of my pet project web sites to help give the RSS feed some exposure, while giving my site visitors another way of catching up on new posts on the site. Win/win!
However, things have changed as of late, and a little digging helps explain why things have changed – for the worse!
It started in the wee hours last night, at about 1am local time – I noticed that my Google Adsense earnings were notably down, despite the same amount of traffic hitting the site. Big red flag. Opening the website in question in my web browser (Firefox 4) got me redirected almost instantly to some other, suspicious-looking web page hosted on a site using the Amazon AWS cloud service (see snapshot below). The domain/sub-domain is continue_.s3.amazonaws.com.
Huh??Dammit!! This is bad! Anyone visiting the website was being redirected to another suspicious web site, without having to click – it was completely automatic and (semi) transparent to the site visitor.
The first step in a case like this is to find the code causing the redirection: I couldn’t do it. I looked EVERYWHERE. No combination of grep, find, locate, datestamp checking, nothing was working to find the offending file(s). The second step was the database, a common attack vector. It too, was clean. Panic sets in: this site represents a significant source of revenue for me, yet today my earnings were 0.54 cents!
Now, the head scratching commences. No one has tampered with my files, no one has tampered with my database, WHAT IS CAUSING THE REDIRECTS? Since I have already determined that everything is OK under my “roof”, time to start looking elsewhere: on my site, where am I using external files from OTHER sites? File includes, java script, whatever – time to check those.
If I “comment out” (ignore) these external files, one by one, I should be able to determine the offender, right? Right. OK, let’s start with FeedCat, the aforementioned feed-boosting service: there is one bit of java script code from FeedCat that is used to display a button on my site. OK commented that out, uploaded to web server, reload page in browser – fixed?
FIXED. No redirects anymore. Problem solved. Are you kidding me? Wait wait wait, it must be a fluke. Uncommented code, saved back to server, reload page and yes, the redirect occurs. Comment out again, reload page, redirect gone. No fluke.
Here’s the seemingly harmless code that was removed:
Take a look at the code yourself.
FeedCat, a seemingly on-the-level service that over 300,000 webmasters use, was suddenly causing sites to redirect to “sketchy” websites. Simply removing their code from your webpage(s) fixes the problem.
The strange thing is, I noticed on Flippa (an auction site where entire websites are bought and sold) that FeedCat.net was SOLD only 20 short days ago. Long enough for the new owners to inject their suspect code? That is my guess
From what I can see, FeedCat.net was sold to hackers or people with questionable motives, and are now using the large FeedCat customer base to distribute the hacked ‘redirect’ code via java script. Oddly, I can’t find a single other person/webmaster having this issue: a Google search turned up pretty much nothing – which led me to this blog post, which hopefuly will help other people when and if it happens to them.
Am I the first, or am I totally off base? Anyone else out there having this issue? Is my blame mis-directed at FeedCat? Let’s help each other out below in the comments.