Support for SermonSpeaker 3.x is canceled, as it is for Joomla 1.5. I will gladly assist you with minor issues, but I will not fix any bugs anymore in these releases.
The fix is to upgrade to SermonSpeaker 4.x, which is better anyway.

sermon feed got hacked

10 Nov 2011 23:06 #1172 by David Perry
Just noticed that our sermon feed got hacked about a week ago. It stopped sending updates to iTunes, so I checked the feed in a validator and saw a bunch of spam links had been inserted towards the bottom.

I'm on Joomla 1.5, and running SermonSpeaker 3.4.3 with SermonCast 3.4.3. I can include a link to the feed validator results if that will help.

What's the correct protocol for cleaning up the feed? Looks like I'm running the most recent version for 1.5. Are these database items I need to flush (and if so where do they get injected) or is it something else?

Any help appreciated, thanks!

10 Nov 2011 23:11 #1173 by Andrei Chernyshev
Wow, they probably modified a file then. I'd scan your directories for any off the wall files and folders. When our church site got hacked about 3-4 months ago I found 2-3 back doors and about 3 phishing sites (i.e. bankofAmerica and so on).

10 Nov 2011 23:40 #1174 by David Perry
Thanks for the tip, I did just go in and look for modified files within the general time frame. I've now removed the actual spam files, but haven't found the back door yet. As in, my feed still doesn't validate because it now just has an error where it can't find the database file where the spam list used to be.

My podcast feed has the ending /rss tag, and then is followed by a couple of br tags and then the errors. I'm not sure exactly how the feed is put together so not sure where exactly it's happening. I did check the sermoncast files against a new copy and they looked fine.

10 Nov 2011 23:48 #1175 by Andrei Chernyshev
If I'm not mistaken, feed files are here: \components\com_sermonspeaker\views\feed\tmpl\
The way I found a back door is they had a file labeled something like config or configuration; when I opened that file and scanned through it there was a line that said "b@ckdoor Installed successfully". B) But this doesn't mean that they haven't learned and changed their tactics. In my line of work h@ckers and m@lware people learn quickly.

10 Nov 2011 23:49 #1176 by David Perry
Just an update, I think I got it (at least for now...). The main index.php file was compromised, even though the date on it didn't show that it had been modified. Swapped in a new index file, as well as a new .htaccess for good measure and looks like things are working again. Still need to do some testing, but at least it seems to be cooperating now.

11 Nov 2011 12:29 #1179 by Thomas Hunziker
To make sure all SermonSpeaker files are intact, you could just install SermonSpeaker over your existing installation.
It will do nothing with your database and settings, it just copies the files over again.
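
Added example (not part of the original thread, and not SermonSpeaker or Joomla code): the thread describes an index.php that was compromised without its date changing, and checking files against a new copy. The sketch below compares a live tree to a clean copy by content hash instead of by date; the function names and the sample trees built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash file contents; timestamps are ignored because they can be reset."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root):
    """Map each file's path relative to root to its content hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(clean_root, live_root):
    """Return (modified, extra, missing) relative paths, each sorted."""
    clean, live = manifest(clean_root), manifest(live_root)
    modified = sorted(f for f in clean.keys() & live.keys() if clean[f] != live[f])
    extra = sorted(live.keys() - clean.keys())
    missing = sorted(clean.keys() - live.keys())
    return modified, extra, missing

def demo():
    """Constructed sample trees: a clean copy and a tampered live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "components").mkdir(parents=True)
            (root / "index.php").write_text("<?php // stock entry point\n")
            (root / "components" / "feed.php").write_text("<?php // feed view\n")
        # Constructed tampering: altered index.php plus an unexpected file.
        (live / "index.php").write_text("<?php // stock entry point\n// injected\n")
        (live / "components" / "config.php").write_text("<?php // not in package\n")
        # Copy the clean file's timestamp so a date search would miss the change.
        st = (clean / "index.php").stat()
        os.utime(live / "index.php", (st.st_atime, st.st_mtime))
        return compare(clean, live)

if __name__ == "__main__":
    for label, files in zip(("MODIFIED", "EXTRA", "MISSING"), demo()):
        for name in files:
            print(label, name)
```

On a real site the extra list will also contain legitimate files such as the site's own configuration and uploaded media, so it is a list to review by hand rather than a list to delete.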
