Craig describes how, when he logged in to his WordPress admin account, he received a “High Risk Vulnerability Warning” from a spoofed WordPress domain. (The last ‘s’ in WordPress.org has been replaced by a ‘z’.) The warning urges an upgrade to a ‘new’ version 2.6.4 of WordPress.
I downloaded this ‘new’ version and compared it file by file with the official 2.6.3 release: of the 638 files in the fake 2.6.4, 637 were identical to their counterparts in 2.6.3. The only file that differed was pluggable.php.
The hacked version of pluggable.php appears to steal the contents of cookies on larger WordPress installations. Sophos are now detecting this file as Troj/WPHack-A.
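The file-by-file comparison above is exactly the check worth running on any unexpected "upgrade" before it goes anywhere near a server: extract the suspect archive beside the official release and report which files differ, which are missing, and which are extra. Here is an added example that does this by hashing every file in two directory trees; it is not code from the original post or from WordPress, and the two miniature trees it builds (an "official" tree and a "suspect" tree whose wp-includes/pluggable.php has had placeholder bytes appended) are constructed here purely for illustration.

```python
"""Compare a suspect software release against the official one, file by file.

Added example (not part of the original post). It reproduces the check
described above -- find which files in a downloaded archive differ from the
official release -- using a SHA-256 digest per file. The directory names,
file contents and sample trees below are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _tree_hashes(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): _sha256(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_trees(official: Path, suspect: Path) -> dict:
    """Return sorted lists: identical, modified, only_in_suspect, only_in_official."""
    a, b = _tree_hashes(Path(official)), _tree_hashes(Path(suspect))
    common = a.keys() & b.keys()
    return {
        "identical": sorted(p for p in common if a[p] == b[p]),
        "modified": sorted(p for p in common if a[p] != b[p]),
        "only_in_suspect": sorted(b.keys() - a.keys()),
        "only_in_official": sorted(a.keys() - b.keys()),
    }


def demo() -> dict:
    """Build two constructed mini-trees and compare them.

    The 'official' tree is the reference. The 'suspect' tree is identical
    except that wp-includes/pluggable.php has extra bytes appended, mirroring
    the single-file difference reported above. All contents are placeholders.
    """
    with tempfile.TemporaryDirectory() as tmp:
        official = Path(tmp) / "wordpress-official"
        suspect = Path(tmp) / "wordpress-suspect"
        files = {
            "index.php": b"<?php require 'wp-blog-header.php';\n",
            "wp-includes/pluggable.php": b"<?php // pluggable functions\n",
            "wp-includes/version.php": b"<?php $wp_version = '2.6.3';\n",
        }
        for root in (official, suspect):
            for rel, data in files.items():
                dest = root / rel
                dest.parent.mkdir(parents=True, exist_ok=True)
                dest.write_bytes(data)
        # Constructed tampering marker; this is NOT the real trojan's code.
        with (suspect / "wp-includes/pluggable.php").open("ab") as f:
            f.write(b"// appended by attacker (constructed placeholder)\n")
        return compare_trees(official, suspect)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice you would point compare_trees at the extracted official tarball and the extracted suspect one; anything in "modified" or "only_in_suspect" is what to open in an editor next. Note that this tells you which files changed, not whether the change is malicious, and it is only as trustworthy as the copy you call "official", so fetch that from the real project site over HTTPS rather than from any link the warning itself offers.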
Delving a little deeper, the rogue WordPress site’s WHOIS records show:
Created On:31-Oct-2008 01:59:20 UTC
Last Updated On:31-Oct-2008 19:27:37 UTC
Expiration Date:31-Oct-2009 01:59:20 UTC
Sponsoring Registrar:EstDomains, Inc. (R1345-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant Name:Don T. Smith
Registrant Street1:DDDD XXXXXXXX Drive
Registrant City:Fort Myers
Registrant Postal Code:DDDDD
Registrant Phone Ext.:
Registrant FAX Ext.:
Note that this domain’s registration date is three days after this letter!
Update: The Register have now also posted on this issue.