I don't wish to raise alarm unnecessarily, but I believe I've just had my WPMU 2.7 development site hacked.
Symptoms:
---------
First noticed a new registered user, giving their details as:
'laura' - bloggman@telerymd.org
registered as a 'subscriber' to my development site.
This is odd since the site is 'no-show' to search engines (i.e. harder, though not impossible, for people to find).
Then I noticed that several existing posts had had the author changed from 'admin' to 'laura' - for all revision dates.
To my knowledge, this shouldn't be possible.
possible causes:
----------------
Seems most likely to be an SQL injection attack, either via core WP functions or, more likely, one of the many plugins I have installed.
I am performing further analysis and will post any results here.
VERY interested to hear of anyone experiencing similar hacking attempts.
Details of my config are:
-------------------------
Base WP version: WPMU 2.7
Plugins installed and active (also incorporating minor WPMU compatibility mods of my own):
BDP RSS Aggregator 0.6.3 - New and Improved RSS Aggregator: collate RSS feeds and summarise to a page; updates regularly without the need for cron. By Bryan Palmer (bryan@ozpolitics.info).
BDP RSS Aggregator Widgets 0.0.1 - Generate sidebar widgets for the RSS Aggregator. By Bryan Palmer (bryan@ozpolitics.info).
Bluetrait Event Viewer 1.8.3 - BTEV monitors events that occur in your WordPress install. By Michael Dale.
Category Icons 2.0.7 - Assign icons to your categories easily. Thanks to the following contributors: Kristian Bollnow, Hugo Chen, Kalin Dimitrov, Dimox, Gianni Diurno, Samuel Kroslak, Jean-Christophe Marie, Andrew Senyshyn, Henrik Schack, Vincent Sparreboom, TechnopodMan, TenderFeel, Oliver Weichhold. By Brahim Machkouri.
CurrentlyWatching 1.0 - This plugin shows the posts currently being watched by other visitors, to help the visitor reach your inner pages in a shuffled manner. The plugin is built with ajax support to pick currently watched posts. By Sajith.
Dean's FCKEditor For WordPress 2.5.0 - Replaces the default WordPress editor with FCKeditor. By Dean Lee.
Landing sites 1.4.1 - When visitors are referred to your site from a search engine, the plugin shows them posts on your blog related to their search. By The undersigned.
Max Banner Ads 1.3.6 - Easily rotate banners and ads almost anywhere in your WordPress blog without editing the theme. By MaxBlogPress.
Multi Column Category List 1.3 - Displays a customizable list of categories in multiple columns. By Dagon Design.
OpenSearch 1.0 - Add OpenSearch discovery and querying to your WordPress site. By Jeff Waugh.
Optimal Plugin (formerly OPML Renderer) 0.4c (beta) - Renders valid OPML from any source as an expandable/collapsible list. Usage in code: OPMLRender('url','updatetime','css class','depth','flags'); Usage in pages / posts: !OPMLRender : url,updatetime,css class,depth,flags where 'updatetime' is the number of seconds to cache a file before requesting an update, 'css class' indicates the CSS class to be applied to the <div> that wraps the rendered outline, 'depth' indicates how many levels to initially expand the outline (excluding inclusions), and 'flags' is the sum of the display flags you wish to set TRUE (currently, '1' = 'Print a header with links to Expand/Collapse all nodes' and '2' = 'Print a footer with a link to the source OPML file'). By Dan MacTough.
Pageear 1.0 - Free flash pagepeel version built on pageear version 1.2a; please read the license agreement / Lizenzvereinbarung. By Christian Harz.
printme 1.0.1 - Printme is an easy to use and simple plugin. Enables showing posts in a printer-styled version. By Jorge Alves.
Role Manager 2.2.3 - Role Management for WordPress 2.0.x, up to 2.6.x. By Thomas Schneider.
Role Scoper 1.0.0-rc9.9216 - CMS-like permissions for reading and editing. Content-specific restrictions and roles supplement/override WordPress roles. User groups optional. By Kevin Behrens.
scl_rss_scroller 0.1 - (SystemCore RSS Scroller Plugin) By rcain.
Search Meter 2.5 - Keeps track of what your visitors are searching for. After you have activated this plugin, you can check the Search Meter section in the Dashboard to see what your visitors are searching for on your blog. By Bennett McElwee.
SimplePie Core 1.1.1 - Does little else but load the core SimplePie API library for any extension that wants to utilize it. Go to Options → SimplePie Core for more details. By Ryan Parman and Geoffrey Sneddon.
SimplePie Plugin for WordPress 2.2.1 - A fast and easy way to add RSS and Atom feeds to your WordPress blog. Go to Settings → SimplePie for WP to adjust default settings. By Ryan Parman.
Smart 404 0.3 - Rescue your viewers from site errors! When content cannot be found, Smart 404 will use the current URL to attempt to find matching content, and redirect to it automatically. Smart 404 also supplies template tags which provide a list of suggestions, for use on a 404.php template page if matching content can't be immediately discovered. By Michael Tyson.
User Photo 0.9.4 - Allows users to associate photos with their accounts by accessing their "Your Profile" page. Uploaded images are resized to fit the dimensions specified on the options page; a thumbnail image is also generated. New template tags introduced are: userphoto_the_author_photo, userphoto_the_author_thumbnail, userphoto_comment_author_photo, and userphoto_comment_author_thumbnail. Uploaded images may be moderated by administrators. This plugin is developed at Shepherd Interactive for the benefit of the community. By Weston Ruter.
WP-Cumulus 1.19 - Flash based Tag Cloud for WordPress. By Roy Tanck.
WP-EMail 2.40 - Allows people to recommend/send your WordPress blog's post/page to a friend. By Lester 'GaMerZ' Chan.
WP-o-Matic 1.0RC4-6 - Enables administrators to create posts automatically from RSS/Atom feeds. By Guillermo Rauch.
Yet Another Related Posts Plugin 2.1.6 - Returns a list of the related entries based on a unique algorithm using titles, post bodies, tags, and categories. Now with RSS feed support! By mitcho (Michael Yoshitaka Erlewine).
------------------
I suggest anyone using a similar config/plugins be on the lookout for similar attacks.
Please post here if you suspect or discover anything similar. I will post further details once I have completed further scans and penetration testing.
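Added triage queries for the two symptoms described above (a newly registered subscriber, and post authorship rewritten across every revision); these are not from the original post. They assume MySQL, the default `wp_` table prefix and the single-site table names, and that the legitimate admin is user ID 1; on WPMU each blog has its own prefixed tables (e.g. `wp_2_posts`), so substitute the affected blog's prefix.

```sql
-- 1. Accounts registered recently, with their role assignment.
--    (On WPMU the capabilities meta_key carries the blog prefix, e.g. wp_2_capabilities.)
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       m.meta_value AS capabilities
FROM wp_users u
LEFT JOIN wp_usermeta m
       ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
WHERE u.user_registered >= NOW() - INTERVAL 30 DAY
ORDER BY u.user_registered DESC;

-- 2. Published posts no longer attributed to the admin account (ID 1 assumed),
--    with their revision count, so bulk reattribution stands out.
SELECT p.ID, p.post_title, p.post_author, p.post_modified,
       (SELECT COUNT(*) FROM wp_posts r
         WHERE r.post_parent = p.ID AND r.post_type = 'revision') AS revisions
FROM wp_posts p
WHERE p.post_type = 'post'
  AND p.post_author <> 1
ORDER BY p.post_modified DESC;

-- 3. Content "written" before its author account existed. A revision saved
--    through the editor can never predate its author's registration, so any
--    row here points at a direct UPDATE of post_author in the database rather
--    than an editor action, which is exactly the pattern reported above.
SELECT r.ID, r.post_type, r.post_parent, r.post_date,
       u.user_login, u.user_registered
FROM wp_posts r
JOIN wp_users u ON u.ID = r.post_author
WHERE r.post_type IN ('post', 'revision')
  AND r.post_date < u.user_registered
ORDER BY r.post_date;
```

Run the queries against a copy of the database taken before any cleanup, so the timestamps remain usable as evidence.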