Potential WordPress 2.7 vulnerability?

It seems some people are reporting that their WordPress 2.7.x sites are being injected with some nasty java code.

Rogi has pointed out this thread on the WordPress support forums, which mentions several instances where multiple sites were hit from the same IP (according to their access logs) at exactly the same time that their header files were changed.

It might be worth blocking the offending IP range 87.118.120.x until this gets sorted out.
However, if the offender changes IP, or shares his script with the world, this will be little more than a false sense of security…

If you choose to filter the IP block, you can do so in your .htaccess file by adding the following lines to the end of the file:

# Apache 2.2 mod_authz_host: with "allow,deny" a matching Deny overrides Allow
order allow,deny
# trailing dot makes this a prefix match on the whole 87.118.120.0/24 range
deny from 87.118.120.
allow from all
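One way to run the access-log check described in that forum thread (requests from the blocked range landing around the moment the theme's header.php was modified), as an added Python example that is not part of the original post: the log lines are constructed, and EXAMPLE_MTIME is a stand-in for the file's real modification time.

```python
import re
import ipaddress
from datetime import datetime, timedelta, timezone

# Apache "combined" log format (the default CustomLog combined pattern).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# The range named in the post; ip_network keeps the prefix test exact.
SUSPECT_NET = ipaddress.ip_network("87.118.120.0/24")
# Constructed sample log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2009:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
87.118.120.42 - - [10/Jan/2009:14:05:17 +0000] "GET /wp-login.php HTTP/1.1" 200 1900 "-" "Mozilla/4.0"
87.118.120.42 - - [10/Jan/2009:14:05:19 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jan/2009:14:06:00 +0000] "GET /feed/ HTTP/1.1" 200 9000 "-" "FeedReader"
87.118.120.9 - - [11/Jan/2009:03:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.18"
"""

# Stand-in for the modification time of the theme's header.php, i.e.
# datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc) on a real site.
EXAMPLE_MTIME = datetime(2009, 1, 10, 14, 5, 20, tzinfo=timezone.utc)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:  # hostname or "-" in the client field
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "ts": ts, "req": m.group("req"), "status": int(m.group("status"))}

def suspicious_hits(log_text, file_mtime, window_seconds=300, net=SUSPECT_NET):
    """Requests from `net` that fall within +/- window_seconds of the file's mtime."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ip"] in net and abs(rec["ts"] - file_mtime) <= window:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in suspicious_hits(SAMPLE_LOG, EXAMPLE_MTIME):
        print(h["ts"].isoformat(), h["ip"], h["req"])
```

On a real server, feed it the site's access_log and the mtime of the modified header file; a hit list from one address across several sites is the pattern the forum thread describes.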

Update: This site has some good information regarding this exploit, and mentions:

… It appears that the exploit is fixed in versions of WordPress beyond 2.6.5, but that the WP Super Cache plug-in continues to allow the exploit somehow.

Also of note, photocritic.org recommends the following for hardening your WordPress installs:

If you’re affected by this, fix the issue, and then read Hardening WordPress and Did your WordPress Site get Hacked – both of which give a lot of starting points for research into how you can stop this happening again.

Going to take a look at this myself…

Category(s): life

One Response to Potential WordPress 2.7 vulnerability?

  1. Take it from the horse’s mouth. Photocritic got it wrong. The bug in WordPress that WP Super Cache exposed was fixed in 2.6.5. Supercache doesn’t allow the exploit to continue because it’s fixed.
    If there is a bug and it’s not just blogs that were exploited before they upgraded, it’s not that rss feed bug.
