We just upgraded to Mu 2.7.1 from <cough, cough> 1.3.3. All of a sudden spam blogs and users are being added to our site. This shouldn't even be possible, because we disabled public signup. We're using wpmu-ldap to create users.
Are there any known vulnerabilities in 2.7.1? If not, does anyone have any ideas as to how this might be happening?
I found this, but I haven't even been able to exploit this vulnerability on our site:
http://www.securiteam.com/securitynews/5QP0E0KRQM.html
We aren't using a ton of plugins, but I know that is one way WordPress can be compromised, and I'm looking into that now. We're using these plugins (in case any of these pop out to anyone with known security issues):
addthis sidebar widget
akismet
blubrry powerpress
disable core update
google analytics for wordpress
more privacy options
move comments
mycss
page links to
peters custom anti spam
sidebar login
wp super cache
wpmu-ldap
youtube
As well as a few we've written ourselves, which could very well be the culprit.
The site code itself is repository maintained and hasn't been compromised, and at least on the filesystem end everything seems to be locked down pretty well. In addition, the spam users aren't doing anything; there are no posts or anything. Simply a spam user and blog are created in the format of a random name followed by 7 numbers, with obvious spam e-mail registration addresses. For example:
paula7229546 paula7229546@nosiliconebreasts.com
dexter5255004 dexter5255004@medicalclaimsadvocate.com
The users and blogs are created at random intervals. We've had maybe 10 of them added in the last couple of days.
Any ideas? Anyone seen this before? Any ideas on what action to take next? I'm going to spend time going through our logs, so I may have some information to add later...
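For the log review mentioned above, one way to triage is to flag accounts matching the described pattern (a name plus 7 digits, reused as the e-mail local part) and list the POST requests logged within a few seconds of each account's registration time. This is an added example, not part of the original post. The timestamps, the jsmith row, the log lines and the /example-endpoint.php path are constructed, and it assumes user_registered is stored in UTC and the access log uses Apache combined format.

```python
import re
from datetime import datetime, timezone

# Pattern described in the post: a name followed by 7 digits.
SPAM_LOGIN = re.compile(r"[a-z]+[0-9]{7}")
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Logins and e-mails are from the post; timestamps and the third row are constructed.
USERS = [
    ("paula7229546", "paula7229546@nosiliconebreasts.com", "2009-06-02 14:03:11"),
    ("dexter5255004", "dexter5255004@medicalclaimsadvocate.com", "2009-06-03 02:47:40"),
    ("jsmith", "jsmith@example.edu", "2009-06-02 09:15:00"),
]
# Constructed access-log lines; IPs are documentation ranges, paths are placeholders.
LOG = [
    '203.0.113.5 - - [02/Jun/2009:05:15:00 -0400] "POST /wp-login.php HTTP/1.1" 302 -',
    '203.0.113.5 - - [02/Jun/2009:10:03:09 -0400] "GET / HTTP/1.1" 200 5120',
    '192.0.2.10 - - [02/Jun/2009:10:03:10 -0400] "POST /example-endpoint.php HTTP/1.0" 302 -',
    '198.51.100.7 - - [02/Jun/2009:22:47:39 -0400] "POST /example-endpoint.php HTTP/1.0" 302 -',
]

def suspicious_users(users):
    """Return (login, registered_utc) for rows matching the spam pattern."""
    flagged = []
    for login, email, registered in users:
        local_part = email.split("@", 1)[0]
        if SPAM_LOGIN.fullmatch(login) and local_part == login:
            flagged.append((login, datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")))
    return flagged

def parse_log(lines):
    """Yield (utc_time, ip, method, path) per parseable line; skip the rest."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            ip, ts, method, path, _status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield when.astimezone(timezone.utc).replace(tzinfo=None), ip, method, path

def requests_near(users, log_lines, window_s=5):
    """Map each flagged login to the POSTs logged within window_s of its registration."""
    entries = list(parse_log(log_lines))
    return {
        login: [(ip, path) for when, ip, method, path in entries
                if method == "POST" and abs((when - reg).total_seconds()) <= window_s]
        for login, reg in suspicious_users(users)
    }

if __name__ == "__main__":
    for login, hits in requests_near(USERS, LOG).items():
        print(login, hits)
```

If the same path shows up next to every flagged account, that endpoint is the first place to review for a missing registration check.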