Forum Replies Created

Viewing 1 replies (of 1 total)
  • I started seeing spam being relayed through our network, and traced the requests back to exactly the same thing that iso00 has described here.

    I have confirmed the spam to have originated from blogs running WordPress 1.5, 2.1, and 2.5.1, so far. They all have the same characteristics so far. They were all POST requests to the index.php page, and they all originated from 95.168.210.229. The spam mail payload is slightly different, but it’s still for a Viagra pharmacy. The payload is as follows:

    “Hello,

    10 Days Sale Only – 10% off on everything in our store – this offer ends on Midnight January 30th.
    Do not wait – Use your coupon at check out today
    Your Discount Code: <b>weusduwiwoop</b>

    Happy New Year!
    CVS Team”

    I’ve looked at the WordPress files for several of these sites, and there really is nothing in common with them. They don’t seem to have any themes or plugins installed in common. The source code appears to be unaltered (i.e. no malicious code modifications or injections).

    It’s a bit disturbing that this appears to be some long-standing function in WordPress that will happily perform the requested remote code execution. Has anyone tried the POST code that iso00 posted on a fresh, vanilla install of WordPress to verify whether this is the case?
