Intrusion I haven’t seen covered yet

Several WP installations on my server got exploited lately. Though I don’t know how they got in, I can tell you what they seemed to do.

My site is https://www.daveexmachina.com. In the directory where my index.php resides, they created a directory called “zachery_died” which had a file called “glossary.php” and a “files” subdirectory full of small files that looked like keyword spam. I have not noticed any tampering with the WordPress code itself.

Two other WP blogs on my site got hit the same way. The subdirectories created were named differently but followed the format of “word_word” with the same type of comments (the “glossary.php” was called different things, such as “blogs.php”). In two of the cases the WP install was at 2.8.3, but I am fairly certain that the third case was at 2.8.4.

Another user on my account with a 2.8.3 site also got similarly hacked.

Non-wordpress domains on my site did not get hacked and, curiously, two much older versions of WordPress I still had lying around didn’t get hacked either.

It appears that the main goal is not to tamper with the installation itself, but to simply set up free and distributed hosting elsewhere for keywords. I have gotten a LOT of hits from apps.facebook.com since discovering this, so I’m sure something there is tied into this.

I have updated my site, changed passwords, and removed the directories. There seems to be no long-term damage (that I’ve found, at least), but I wanted other WP blog users to be aware of this, since evidence points to WordPress being the vector, and WordPress to be aware of it since I’m fairly certain one of the affected blogs was already at 2.8.4.