
Simon Willison’s Weblog

Unsettling. It sounds like there might be a massive scripted hack going on against out-of-date WordPress installs on Dreamhost. Check your site. See also the discussion in the comments attached to this post.
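The check the post asks for, as an added example that is not code from this post, from WordPress or from Dreamhost: a POSIX shell script that walks a hosting account, finds every WordPress install by its wp-includes/version.php, compares the recorded version with a reference version you pass in, and lists files modified recently anywhere in the account (the comment thread reports that one vulnerable install let every site on the same account be modified, including sites not running WordPress). The fixture it builds is constructed sample data, and the reference version 2.2 used in the demo is an assumed placeholder, not a version named on this page.

```shell
#!/bin/sh
# Added example (not from the original post, WordPress or Dreamhost): audit a
# shared hosting account for outdated WordPress installs and recently changed
# files. Pure POSIX sh so it runs on a bare shared-hosting shell.

# version_lt A B: succeed if dotted version A is numerically older than B.
# "2.0.10" is newer than "2.0.9"; a missing component counts as 0; anything
# unparseable (e.g. "unknown") counts as 0 and therefore as old.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=$(printf '%s' "${a%%.*}" | sed 's/[^0-9].*//')
        bi=$(printf '%s' "${b%%.*}" | sed 's/[^0-9].*//')
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# find_wp_installs ROOT: print the root directory of every WordPress install
# under ROOT (identified by its wp-includes/version.php).
find_wp_installs() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null |
        sed 's|/wp-includes/version\.php$||'
}

# wp_version DIR: print the version recorded in DIR/wp-includes/version.php,
# which contains a line of the form:  $wp_version = '2.2';
wp_version() {
    grep "^[$]wp_version" "$1/wp-includes/version.php" 2>/dev/null |
        head -n 1 | cut -d\' -f2
}

# audit_report ROOT CURRENT: one line per install, prefixed OUTDATED or ok.
audit_report() {
    find_wp_installs "$1" | while IFS= read -r d; do
        v=$(wp_version "$d")
        [ -n "$v" ] || v="unknown"
        if version_lt "$v" "$2"; then
            printf 'OUTDATED %s (running %s, reference %s)\n' "$d" "$v" "$2"
        else
            printf 'ok       %s (running %s)\n' "$d" "$v"
        fi
    done
}

# count_outdated ROOT CURRENT: number of installs older than CURRENT.
count_outdated() {
    audit_report "$1" "$2" | grep -c '^OUTDATED' || true
}

# recently_modified ROOT DAYS: every file under ROOT changed within DAYS days.
# Scans the whole account, not only the WordPress directories, because a
# compromise through one install can touch every other site on the account.
recently_modified() {
    find "$1" -type f -mtime "-$2" 2>/dev/null
}

# make_fixture DIR: constructed sample account for the demo (not real data):
# an old install, a current install, and a non-WordPress site whose index.php
# was just written. Everything else is backdated so only that file is "recent".
make_fixture() {
    mkdir -p "$1/site-a/wp-includes" "$1/site-b/blog/wp-includes" "$1/site-c"
    printf '<?php\n$wp_version = %s;\n' "'2.1'" > "$1/site-a/wp-includes/version.php"
    printf '<?php\n$wp_version = %s;\n' "'2.2'" > "$1/site-b/blog/wp-includes/version.php"
    printf '<?php\n' > "$1/site-c/index.php"
    touch -t 200701010000 "$1/site-a/wp-includes/version.php" \
                          "$1/site-b/blog/wp-includes/version.php"
}

# Demo on the constructed fixture. On a real account run, for example:
#   audit_report "$HOME" 2.2 ; recently_modified "$HOME" 7
# (2.2 is an assumed reference version; substitute the current release.)
demo=$(mktemp -d)
make_fixture "$demo"
audit_report "$demo" 2.2
recently_modified "$demo" 7
rm -rf "$demo"
```

Two caveats for real use: an attacker who can write files can also reset their timestamps, so the mtime scan is only a first-pass indicator and a proper check compares each install against a pristine copy of the same release; and an install reported as "unknown" (no readable version.php) should be treated as suspect rather than ignored.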


9 comments

  1. Simon-- given that Dave runs Movable Type on Mezzoblue, your claim that this is an attack against "out of date WordPress installs" makes no sense at all.

    Eric Meyer - 5th June 2007 22:07 - #

  2. It's obvious from the comments there that no one has much idea what the real cause is, so to ascribe it not only specifically to WordPress but also to "a massive scripted hack" is, I think, a bit irresponsible.

    Scott Reynen - 5th June 2007 22:41 - #

  3. Whilst Dave is running MT, a good 9/10 of the people commenting are reporting that they had the same thing happening with a wordpress/dreamhost combination.

    So - I think it's a fair and responsible comment.

    Simon G. - 5th June 2007 23:47 - #

  4. I was careful to say "sounds like there might be" precisely because it's not certain that this is a WordPress issue - but evidence I've seen in Dave's comments, elsewhere on the Web and on mailing lists suggests that this is a likely option. Dave may not be running WordPress on mezzoblue but he does use it for other sites on the same hosting account, and a vulnerability there could let an attacker modify files on his other sites.

    At any rate, checking you're running an up-to-date version of WordPress (and indeed any other software on your server) is never bad advice.

    Simon Willison - 5th June 2007 23:53 - #

  5. So the people who experienced the same problem even though they don't use WordPress or host with Dreamhost are, what, just unfortunate victims of splash damage? (See http://mezzoblue.com/archives/2007/06/05/unsettling/#c036732 and http://mezzoblue.com/archives/2007/06/05/unsettling/#c036760 and http://mezzoblue.com/archives/2007/06/05/unsettling/#c036763 as examples of what I'm talking about-- and you should be.)

    Eric Meyer - 6th June 2007 01:03 - #

  6. Note that I later posted in the comments of the article linked that I do indeed have Wordpress running on other sites within my hosting account, and ALL sites were compromised, so there's every chance that Wordpress is the common link.

    That said, I have heard from some people on Dreamhost who don't run Wordpress that this has affected them. I have also heard from people on other hosts running Wordpress who have been equally affected.

    It's possible there are multiple attack vectors. Dreamhost and Wordpress are the two most common threads, in any case.

    Dave S. - 6th June 2007 02:16 - #

  7. Any chance of my followup comment being allowed to display here? Sorry it got posted twice, but it appeared to fail the first time.

    Eric Meyer - 6th June 2007 03:49 - #

  8. Sorry Eric, your comment triggered my "too many links" spam filter and ended up in the moderation queue. I'll add your OpenID to my whitelist.

    I'm desperately interested in hearing what's really behind all of this now, and I'll post an update as soon as someone figures it out. It still seems to me that the most likely cause is people running an old (insecure) version of WordPress installed via Dreamhost's one-click install panel.

    I certainly didn't mean this post to be critical of WordPress. Security vulnerabilities happen in every project, and the mark of quality is how well they deal with them. In this case the updated version was released quickly and announced in the right places. The WordPress team can't and shouldn't be held responsible for people running unpatched versions of their software.

    In fact I think I'll post a proper blog entry about this now.

    Simon Willison - 6th June 2007 09:23 - #

  9. Got the e-mail earlier today myself. It doesn't seem like anything has happened to my account, though. I don't think this exploiter is able to automatically resolve to my Django's base.html. :-)

    Passwords have been changed anyways.

    Henrik Lied - 6th June 2007 10:23 - #
