This also happened to my WordPress blog. The plugins were all disabled, the pages showed up as posts, and the admin password was changed.
The attacker was also able to upload a new theme in the wp-content dir. They were also able to explore the file system using the ‘dira’ parameter.
The same ro8kfbswmag.txt was placed in /tmp/.
The initial attack showed up in the access logs:
dan.smith.name 82.103.135.182 – – [05/Nov/2007:09:33:29 -0600] “GET / HTTP/1.0” 200 38326 “-” “Opera/9.23 (Windows NT 5.1; U; ru)” 195 38635
dan.smith.name 82.103.135.182 – – [05/Nov/2007:09:35:31 -0600] “GET /?piska HTTP/1.0” 200 8423 “https://localhost/wp-toolz/?mode=shell&what=2122” “Opera/9.23 (Windows NT 5.1; U; ru)” 259 8671
dan.smith.name 82.103.135.182 – – [05/Nov/2007:09:35:50 -0600] “POST /index.php?piska&dira=./ HTTP/1.0” 200 8774 “https://dan.smith.name/?piska” “Opera/9.23 (Windows NT 5.1; U; ru)” 364 9022
Please let me know if you need any additional information, and advise.
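An added example, not part of the original comment: a small Python triage script that parses access-log lines in the format quoted above and flags the request traits visible in that excerpt. The field layout, the loopback-Referer rule and the fourth sample line are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query parameter names reported in the comment's log excerpt.
SUSPECT_PARAMS = {"piska", "dira"}
# Assumption: a loopback Referer sent by a remote client is worth flagging.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Blog software often turns ASCII quotes and hyphens into typographic ones.
TYPOGRAPHY = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2013": "-"})

# vhost ip ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def inspect(line):
    """Return a dict for a parsable line (with a 'reasons' list), else None."""
    m = LINE_RE.match(line.strip().translate(TYPOGRAPHY))
    if m is None:
        return None
    reasons = []
    query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    hits = sorted(SUSPECT_PARAMS.intersection(query))
    if hits:
        reasons.append("suspect parameter: " + ",".join(hits))
    if urlsplit(m["referer"]).hostname in LOOPBACK and m["ip"] not in LOOPBACK:
        reasons.append("loopback Referer from remote client")
    return {"ip": m["ip"], "ts": m["ts"], "target": m["target"], "reasons": reasons}

def flagged(lines):
    """Keep only the parsed entries that matched at least one rule."""
    return [r for r in map(inspect, lines) if r and r["reasons"]]

# The three lines from the comment as posted, plus one constructed benign request (last line).
SAMPLE = """\
dan.smith.name 82.103.135.182 – – [05/Nov/2007:09:33:29 -0600] “GET / HTTP/1.0” 200 38326 “-” “Opera/9.23 (Windows NT 5.1; U; ru)” 195 38635
dan.smith.name 82.103.135.182 – – [05/Nov/2007:09:35:31 -0600] “GET /?piska HTTP/1.0” 200 8423 “https://localhost/wp-toolz/?mode=shell&what=2122” “Opera/9.23 (Windows NT 5.1; U; ru)” 259 8671
dan.smith.name 82.103.135.182 – – [05/Nov/2007:09:35:50 -0600] “POST /index.php?piska&dira=./ HTTP/1.0” 200 8774 “https://dan.smith.name/?piska” “Opera/9.23 (Windows NT 5.1; U; ru)” 364 9022
dan.smith.name 192.0.2.10 - - [05/Nov/2007:09:40:02 -0600] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 210 5400
""".splitlines()

if __name__ == "__main__":
    for hit in flagged(SAMPLE):
        print(hit["ts"], hit["ip"], hit["target"], "; ".join(hit["reasons"]))
```

Run against a full access log, the same rules show which other client addresses and time windows carried these parameters, which helps bound when the compromise began.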