WordPress MU

Eeek, am having a bit of trouble with spam email being sent through wp-comments-post.php on WPMU 1.0 - see below for description from my hosts:

---------------------------------------------

YESTERDAY: "================================================
server: server.edublogs.org
domain: edublogs.org
script: /home/edublogs/public_html/wp-comments-post.php

action: script disabled, mail queue cleaned
reason: gay porno spam

additional info: ~12.000 emails were injected into the mail queue, spam examples with full headers are located under /root/spam/1/ folder.
================================================"

TODAY: "It looks like spam is being sent out of your server using the following script: /home/edublogs/public_html/wp-comments-post.php script

There are ~20.000 emails about casino/poker which caused server load to go up to 50. The reason we suspect it's spam is because of the email addresses that the message is being sent to are Some_Garbage_Symbols@domain.com (like mru6v3r82@sixthcoyb.com for example)."

---------------------------------------------

Now... I have *no* idea how this could be being caused apart from a sneaking suspicion that subscribe to comments 2.0 (in mu-plugins) coudl have a role to play... as that (I think) invokes email 'stuff' - to use the technical term ;) - in the comments area.

Has anyone else experienced this, does anyone have any advice?

Cheers, James

How old is your version? That might be an issue?

Although I'm not sure how someone could inject THAT much to it.

It would have to be a bot, going directly to the source. Which shouldn't allowed?

The quickest thing would be to add some sort of captcha, which definitely prevents auto-posting directly to that file.

There can be several other possibilities through session vars as well. Setting one in the comments file (or adding it in through a hook), and the modifying wp-comments-post.php to verify the session var. There isn't anything passed that can be read in the source, and it's tied to the users session, so it would probably work. No session var generated from the comment page loading, no posting of anything.

If it's a bot going directly to that file, then there wouldn't be a session var set.

WPMU 1.0 plus patches.

What should my permissions be on public_html again (dozy question I know but just want to double check)?

755

If it's being exploited, dig in the logs and see what you can find. Also, might wanna bring it to Donncha's attention, and Matt as well. They have a special security related submission thing for things like that. Even without specific initial details, as soon of a heads up as possible would be better I'd think.

Then again, it may have been something that was fixed between October and January as well.

I'd at least make a backup copy of that file locally, then update that file with the most current one from trac. If you already have it, then code up that session variable thing as a quick and temporary fix.

If you need some help with it, drop me an email.

Thanx - I'll carry on looking at this and see what I can work out.

James

Okie dokie.

Have you updated Subscribe to Comments? What happened to you is rather serious! Looks like that plugin is up to 2.1 now - http://txfx.net/code/wordpress/subscribe-to-comments/

Yeh - I think it was the new version... I've just wiped it to be safe.... we shall see!