Blank Screen of Death WordPress Nefarious Invisible Plugin

Recently, while troubleshooting an old WordPress 2.1.3 blog, I found that when trying to publish a new post, the next page would fail to load and only get to a blank screen.  Also, while looking around in the dashboard, I noticed that the default upload directory (for uploading images, etc.) was set to:

/../../../../../../../../../../../../../../tmp/ 

From CyberInsecure.com:

WordPress blogs are mass scanned and attacked, and a new directory in the wp-content folder is created in vulnerable ones. The directory is usually called /1/ and it's full of html files containing Javascript redirects in them (doorways). There was also an infected blog with phishing pages for Google logins. Google cache already shows thousands of results with such hacked WordPress blogs. They can be seen best by committing a search inurl:wp-content/1/ (do not visit those results, your PC might get infected). Google has already tagged some of these spam pages as harmful.

The blogs are most likely attacked by some kind of automated tool since the amounts of spam are too big to work manually on all those spam pages creation. It seems there are also spam comments in posts as well. Spam comments are pointing to internal infected blog pages in folder "1" to get them spidered and to get people to visit them.

This issue was reported to WordPress.org, and there is an unofficial fix for this issue. The fix is based around renaming the cookies used by WordPress by default. If the exploit is hacking the cookies by mass scanning blogs, and it looks for a specific cookie name, that would stop what is out there now but it would not fix the issue.

Recommendations: Upgrade to 2.3.3 along with immediately changing any administrator passwords. Currently, older WordPress versions, especially WordPress 2.1.3, are attacked using the "admin-ajax.php" SQL injection exploit to retrieve the administrator account's password.
Change default cookie names in your blog.
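The two indicators the post describes, an upload_path option rewritten with a long ../ chain and a wp-content/1/ directory full of redirecting doorway pages, can be checked offline on a copy of the site. The script below is an added example and is not code from the original post or from WordPress. It assumes that the upload_path option resolves relative to the site root (the default site_root of /var/www/html is a placeholder), that doorway pages are HTML/PHP files under wp-content/1/, and that the redirect regexes are a starting heuristic rather than a complete signature; the sample files it writes are constructed for the demonstration.

```python
"""Offline indicator scan for the WordPress 2.1.x compromise described above.

Added example (not code from the original post or from WordPress).  Assumes:
  * the upload_path option resolves relative to the site root, which is how
    a value like /../../../../tmp/ ends up pointing uploads at /tmp;
  * doorway pages live under wp-content/1/ as HTML/PHP files carrying a
    JavaScript or meta-refresh redirect; the regexes below are a starting
    heuristic, not an exhaustive signature.
"""
import os
import re
import tempfile

# Redirect forms commonly used by doorway pages (assumption: extend to match
# the samples you actually recover from a compromised blog).
REDIRECT_PATTERNS = [
    re.compile(r"window\.location(\.href)?\s*=", re.I),
    re.compile(r"document\.location(\.href)?\s*=", re.I),
    re.compile(r"location\.replace\s*\(", re.I),
    re.compile(r"<meta[^>]+http-equiv=[\"']?refresh", re.I),
]

def upload_path_is_suspicious(upload_path, site_root="/var/www/html"):
    """Return True when the configured upload path escapes the site root.

    The option is appended to site_root (an ABSPATH-style prefix; the default
    here is an assumed placeholder) and normalised, so '..' segments collapse
    and the post's /../../../../tmp/ value resolves to /tmp, outside the root.
    """
    root = os.path.normpath(site_root)
    resolved = os.path.normpath(root + "/" + upload_path)
    return not (resolved == root or resolved.startswith(root + os.sep))

def scan_doorway_dir(wp_content_dir, doorway_name="1"):
    """List (relative path, matched patterns) for redirecting pages under
    wp-content/<doorway_name>/.  Reads files from disk only; nothing is
    fetched, so it is safe to run against a copy of a compromised site."""
    doorway = os.path.join(wp_content_dir, doorway_name)
    hits = []
    if not os.path.isdir(doorway):
        return hits
    for root, _dirs, files in os.walk(doorway):
        for name in files:
            if not name.lower().endswith((".html", ".htm", ".php")):
                continue
            path = os.path.join(root, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                body = fh.read()
            matched = [p.pattern for p in REDIRECT_PATTERNS if p.search(body)]
            if matched:
                hits.append((os.path.relpath(path, wp_content_dir), matched))
    return hits

def build_sample_site():
    """Create a throwaway wp-content tree with constructed sample pages:
    two doorway redirects, one harmless file in /1/, one legitimate upload."""
    base = tempfile.mkdtemp(prefix="wpscan-")
    wp_content = os.path.join(base, "wp-content")
    os.makedirs(os.path.join(wp_content, "1"))
    os.makedirs(os.path.join(wp_content, "uploads"))
    samples = {
        "1/cheap-pills.html": '<html><script>window.location="http://example.invalid/a";</script></html>',
        "1/index.html": '<meta http-equiv="refresh" content="0;url=http://example.invalid/b">',
        "1/notes.html": "<html><body>no redirect here</body></html>",
        "uploads/gallery.html": "<html><body>legitimate upload</body></html>",
    }
    for rel, body in samples.items():
        with open(os.path.join(wp_content, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return wp_content

if __name__ == "__main__":
    for value in ("wp-content/uploads", "/../../../../../../../../../../../../../../tmp/"):
        print("upload_path %-50r suspicious=%s" % (value, upload_path_is_suspicious(value)))
    for rel, patterns in scan_doorway_dir(build_sample_site()):
        print("doorway page %s matched %s" % (rel, patterns))
```

On a real site, pull the upload_path value out of the wp_options table (or the Miscellaneous settings screen shown in the post) and pass it to upload_path_is_suspicious with your actual document root; point scan_doorway_dir at the site's wp-content directory rather than the constructed sample tree. A hit on either check means the administrator credentials should be treated as compromised, which is why the recommendation above pairs the upgrade with a password change.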

Things like this are a reason to keep your WordPress, and all other software up to date!

Reading:

http://wordpress.org/support/topic/154278
