[This was originally published on the OSVDB blog.]
This time, it happened to the OSVDB blog. Unfortunately, WordPress doesn’t have a very good track record on security. During the migration from the old OSVDB to 2.0, we noticed a problem with the blog and several ‘spam’ posts appearing. We attributed it to one of the many previous WordPress bugs. We cleaned out the tainted posts, upgraded to the latest WordPress, and went on our merry way.
Shortly after, a blog reader contacted us to point out that existing posts we made had “noscript” advertisements embedded in them. Our expansive development team (the overworked Dave) looked into it. He started looking through the files for any obvious signs of a compromise – checked the plugins, etc. All seemed normal. Next he checked the web logs and noticed Chinese addresses POSTing to xmlrpc.php at various times throughout the day, most often at night. He then enabled XML-RPC logging inside of the script, cleaned out the database again, and noticed lots of just this:
2008-01-31 04:04:00 Input:
2008-01-31 05:01:43 Input:
2008-01-31 19:29:01 Input:
Posts continued to be altered during his investigation. Suspecting user account compromise, he checked the WordPress users and noticed that a good chunk of new users had been added in recent months, nearly all of them obvious spam users. Spam users aren’t uncommon, but they are usually a small percentage. In the past few months, the vast majority of new users were spam users.
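The two checks described above (web logs for POSTs to xmlrpc.php, and the user table for a burst of content-free registrations) can be scripted. The following is an added example written for this post, not code from OSVDB or from WordPress; the log lines and user records are constructed sample data in Apache combined-log and (login, registration date, post count) form, and the "off hours" window of 22:00 to 06:00 is an assumption chosen to match the "most often at night" observation.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample web log (combined format); not real OSVDB traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Jan/2008:04:04:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.2 - - [31/Jan/2008:09:12:11 +0000] "GET /index.php HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Jan/2008:05:01:43 +0000] "POST /xmlrpc.php HTTP/1.1" 200 301 "-" "Mozilla/4.0"
198.51.100.2 - - [31/Jan/2008:13:40:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Jan/2008:19:29:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 298 "-" "Mozilla/4.0"
198.51.100.9 - - [31/Jan/2008:14:02:55 +0000] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "curl/7.18"
"""

# Constructed WordPress user list as (login, registered date, post count); not real data.
SAMPLE_USERS = [
    ("dave", "2006-03-01", 120),
    ("jericho", "2006-03-01", 85),
    ("xk3jd9s", "2007-11-14", 0),
    ("buy-meds-now", "2007-12-02", 0),
    ("qpwo2a", "2008-01-10", 0),
    ("sarah", "2007-06-20", 4),
]

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        # Drop any query string so /xmlrpc.php?foo still matches.
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def xmlrpc_posts(log_text):
    """Return parsed entries that are POST requests to xmlrpc.php."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["method"] == "POST" and entry["path"].endswith("/xmlrpc.php"):
            hits.append(entry)
    return hits


def posts_by_ip(entries):
    """Count xmlrpc.php POSTs per source address to spot a few noisy clients."""
    return Counter(e["ip"] for e in entries)


def off_hours_share(entries, start=22, end=6):
    """Fraction of entries whose hour falls in [start, 24) or [0, end) (assumed night window)."""
    if not entries:
        return 0.0
    night = sum(1 for e in entries if e["ts"].hour >= start or e["ts"].hour < end)
    return night / len(entries)


def suspicious_users(users, since="2007-10-01"):
    """Logins registered on or after `since` that have never published anything."""
    cutoff = datetime.strptime(since, "%Y-%m-%d").date()
    return [
        login
        for login, registered, post_count in users
        if datetime.strptime(registered, "%Y-%m-%d").date() >= cutoff and post_count == 0
    ]


if __name__ == "__main__":
    hits = xmlrpc_posts(SAMPLE_LOG)
    print("xmlrpc.php POSTs by IP:", dict(posts_by_ip(hits)))
    print("share of POSTs in off hours: %.2f" % off_hours_share(hits))
    print("new users with no content:", suspicious_users(SAMPLE_USERS))
```

Run against a real access log the same way (read the file, pass its text to xmlrpc_posts); a single address accounting for every xmlrpc.php POST, most of them at night, combined with a run of zero-post registrations, is the pattern the post describes and a reasonable trigger for reviewing recent post revisions.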
When OSVDB 41136 came out, it all became clear. Since fixing the vulnerability, no posts have been edited.
I know this post is late, but we wanted to clear up any confusion and set the record straight on what occurred. We can definitely say this vulnerability was discovered in the wild.