Intruder adds back door to WordPress blog software

ZDNet Blog:
An unknown intruder has compromised a WordPress server and added a remote control tool to downloadable versions of the widely used blogging software.

The breach happened last week and was discovered on Friday, WordPress creator Matt Mullenweg wrote on the WordPress Web site.

“Long story short: If you downloaded WordPress 2.1.1 within the past three to four days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately,” Mullenweg wrote. He did not say how the attacker breached the WordPress system.

The WordPress team learned of the compromise through an e-mail to its security e-mail address about unusual and highly exploitable code in WordPress. After an investigation, the team concluded that somebody had modified two files in the 2.1.1 release that would allow for remote execution of PHP code, Mullenweg wrote.

The vulnerability could allow an attacker access to the server running the blogging software.

The Web server hosting the infected WordPress software was taken down and will be forensically examined, Mullenweg wrote. “This is the kind of thing you pray never happens, but it did and now we’re dealing with it as best we can,” he wrote.

Not all downloads of 2.1.1 were rigged, but WordPress has released version 2.1.2 that includes minor updates and entirely verified files. The team is also taking measures to prevent a similar breach in the future, Mullenweg wrote.

Any WordPress users running version 2.1.1 should upgrade immediately to overwrite all old files. WordPress has additional tips for Web hosters and network administrators.