I’m running 4 WordPress blogs, for me and my friends. All of them are updated to the latest version of WordPress as soon as a new one is available.
One of them, Maomium, was hacked last night. Someone created a user account on it, then stole my admin identity to post content. As soon as I discovered the hack, I took the blog down and changed all the passwords that may have been exposed to the hacker (database, etc.).
Before the hack happened, my Apache log showed me that a person was looking for blogs powered by WordPress 2.2 and open to registration:
123.76-136-217.adsl-dyn.isp.belgacom.be www.maomium.com - [07/Jun/2007:00:51:55 +0200] "GET /category/wordpress/ HTTP/1.1" 200 2960 "http://www.google.be/search?hl=fr&q=%22powered+by+wordpress+2.2%22+Register&btnG=Rechercher&meta=" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:220.127.116.11) Gecko/20070515 Firefox/18.104.22.168"
This person was my hacker. As you can see, he’s a Belgian guy and his broadband provider is Belgacom, to which I sent an abuse request. He registered himself as Waryas with his
email@example.com email. I know that thanks to the email WordPress sends me each time someone registers. Then Google told me that this hack was not his first.
If you want to dissect his behaviour, you can download my Apache log.
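As an added example (my own code, not part of the original post or of WordPress), here is a small Python script that does the kind of dissection described above: it walks Apache combined-format lines in chronological order, flags any client whose referer is a search-engine query combining a “powered by wordpress” footer string with a registration term, and then records that client’s later requests to the registration and login pages. The log-line layout is taken from the line quoted above (client host, virtual host, then the usual combined fields); the list of search-engine hosts, the dork terms and the three extra sample lines are assumptions constructed for the demonstration, the first sample line being the one from the post.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache "combined" format preceded by the client host and the virtual host,
# matching the layout of the line quoted in the post:
# client vhost ident [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<vhost>\S+) (?P<ident>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumption: referers from these hosts carry the search terms in a "q=" parameter.
SEARCH_HOSTS = ("google.", "search.yahoo.", "search.live.")
QUERY_PARAM = "q"

# A dork here is a platform/version footer string combined with a term that
# hints at self-registration. Extend the tuples to cover other fingerprints.
PLATFORM_TERMS = ("powered by wordpress",)
REGISTRATION_TERMS = ("register", "wp-register", "wp-login")

# Paths an attacker would hit next if registration is open (assumed WP 2.x layout).
FOLLOW_UP_PATHS = ("/wp-register.php", "/wp-login.php")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def search_terms(referer):
    """Return the lower-cased query carried by a search-engine referer, or None."""
    if not referer or referer == "-":
        return None
    url = urlparse(referer)
    if not any(tag in url.netloc.lower() for tag in SEARCH_HOSTS):
        return None
    values = parse_qs(url.query).get(QUERY_PARAM)  # parse_qs already percent-decodes
    return values[0].lower() if values else None


def is_dork(terms):
    """True when the search terms look like a hunt for registrable WordPress blogs."""
    return (terms is not None
            and any(p in terms for p in PLATFORM_TERMS)
            and any(r in terms for r in REGISTRATION_TERMS))


def correlate(lines):
    """Single pass over a chronologically ordered log: flag clients whose referer is
    a dork search, then record their later wp-register/wp-login requests."""
    flagged = {}      # client -> search terms that flagged it
    follow_ups = {}   # client -> list of later registration/login requests
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client = rec["client"]
        terms = search_terms(rec["referer"])
        if is_dork(terms):
            flagged.setdefault(client, terms)
            follow_ups.setdefault(client, [])
            continue
        if client in flagged:
            parts = rec["request"].split()
            path = parts[1] if len(parts) > 1 else ""
            if any(path.startswith(p) for p in FOLLOW_UP_PATHS):
                follow_ups[client].append(rec["request"])
    return flagged, follow_ups


# Sample log: the first line is the one quoted in the post; the other three are
# constructed here to exercise the follow-up and benign cases.
SAMPLE_LOG = [
    '123.76-136-217.adsl-dyn.isp.belgacom.be www.maomium.com - [07/Jun/2007:00:51:55 +0200] '
    '"GET /category/wordpress/ HTTP/1.1" 200 2960 '
    '"http://www.google.be/search?hl=fr&q=%22powered+by+wordpress+2.2%22+Register&btnG=Rechercher&meta=" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:220.127.116.11) Gecko/20070515 Firefox/18.104.22.168"',
    '123.76-136-217.adsl-dyn.isp.belgacom.be www.maomium.com - [07/Jun/2007:00:53:10 +0200] '
    '"GET /wp-register.php HTTP/1.1" 200 1830 "http://www.maomium.com/category/wordpress/" "Mozilla/5.0 (constructed)"',
    'reader.example.net www.maomium.com - [07/Jun/2007:01:02:41 +0200] '
    '"GET /category/wordpress/ HTTP/1.1" 200 2960 '
    '"http://www.google.be/search?hl=fr&q=maomium+wordpress" "Mozilla/5.0 (constructed)"',
    'reader.example.net www.maomium.com - [07/Jun/2007:01:03:02 +0200] '
    '"GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (constructed)"',
]

if __name__ == "__main__":
    flagged, follow_ups = correlate(SAMPLE_LOG)
    for client, terms in flagged.items():
        print(f"{client} arrived via search: {terms}")
        for req in follow_ups[client]:
            print(f"  later: {req}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file’s lines; the Belgacom host is flagged because its Google query contains both “powered by wordpress” and “register”, while the second visitor, who also came from Google and also opened wp-login.php, is not, because the search terms alone are harmless. The referer is attacker-controlled and easily omitted, so this finds only careless visitors, which is exactly why closing registration matters more than watching for them.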
This event shows us that the WordPress vulnerability regarding guest account registration is still there. So the advice given by CountZero must be applied!