WordPress 2.1.1 modified from original
Someone somehow modified some downloads of WordPress 2.1.1, so Matt announced that they’re calling the entire version dangerous. I used to wonder why the 2.0 branch is still maintained at all, considering that 2.1 is out. Perhaps this is part of the reason. The story behind this exploit is rather interesting.
This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.
It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.
This is the kind of thing you pray never happens, but it did and now we’re dealing with it as best we can. … not all downloads of 2.1.1 were affected …
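Since the announcement says only some copies of the 2.1.1 download were tampered with, the practical question for a site owner is how to tell whether the copy they extracted matches the original. The script below is an added example, not code from this post or from wordpress.org: it assumes you have a manifest of SHA-256 hashes taken from a known-good copy of the release (a hypothetical artifact; nothing here is a real WordPress file) and reports files that were modified, added, or removed relative to it. The file names and contents are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large archives do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare an extracted tree against a known-good manifest.

    Returns sorted lists of paths that differ in content ("modified"),
    are present in the manifest but absent on disk ("missing"), and are
    on disk but unknown to the manifest ("added"). An attacker who
    inserts a remote-execution stub into a core file shows up under
    "modified"; a dropped-in extra file shows up under "added".
    """
    actual = build_manifest(root)
    modified = sorted(k for k in manifest if k in actual and actual[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in actual)
    added = sorted(k for k in actual if k not in manifest)
    return {"modified": modified, "missing": missing, "added": added}


def write_tree(root: Path, files: dict) -> None:
    """Helper that materialises a dict of relative path -> text on disk."""
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


# Constructed sample tree: placeholders standing in for release files,
# not the contents of any real WordPress file.
GOOD_FILES = {
    "wp-includes/feed.php": "<?php\n// constructed placeholder for a core file\n",
    "wp-includes/theme.php": "<?php\n// another constructed placeholder\n",
    "wp-config-sample.php": "<?php\n// constructed sample config\n",
}


def demo() -> dict:
    """Build a known-good tree, a tampered copy, and report the differences."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "good"
        suspect = Path(d) / "suspect"
        write_tree(good, GOOD_FILES)
        manifest = build_manifest(good)  # the "published" known-good hashes (assumed)

        # Constructed tampered copy: one core file gains an extra line and
        # one file the manifest has never heard of appears.
        tampered = dict(GOOD_FILES)
        tampered["wp-includes/feed.php"] += "// constructed extra line, not in the original\n"
        tampered["wp-includes/extra.php"] = "<?php\n// constructed unexpected file\n"
        write_tree(suspect, tampered)

        return verify_tree(suspect, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as where it came from: it has to be produced from a copy obtained over a channel the attacker did not control, or compared against hashes published separately from the download itself. Otherwise a compromised server can serve a matching manifest alongside the modified archive.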
I wonder who did it, and how. Security is something I always worry about on my own websites. I wish I knew more security experts, but I don’t. I try to learn it myself, but it’s rather overwhelming to do in addition to other things: it’s easily a full-time job on its own :)
One has to wonder how the hacker got into wordpress.org’s resources in the first place. Not good. Not good at all.