Can you tell me more about this second backdoor you mention? Just to be on the safe side, I want to double-double-check that he didn’t leave anything that I did not discover (even though I’m pretty sure I’m covered – his /tmp backdoor did indeed fail to upload anything).

Very similar. The admin-ajax.php vulnerability was used, the backdoor was placed in /tmp, and then it was loaded as a plugin. The script looks identical too.

However, where your attacker gave up, our one was more successful. He went on to upload a second backdoor, hidden amongst some other uploads, and then attempted to edit some of the Wordpress PHP files (but was prevented).

After I removed the backdoors and changed the passwords, he still came back and tried to add links to some other compromised blogs which were hosting adverts for various pharmaceuticals. After a few days of unsuccessful attempts, he gave up.

I’ll give it a try you knever know they might listen…

I’m trying, as much as possible, to track the mainline Wordpress distribution. Otherwise each time I upgrade to fix the frequent security problems, my patches break. There is, however, a facility to browse authors posts, for example my posts are at: http://www.lightbluetouchpaper.org/author/sjmurdoch/

You could also try submitting a feature request at Wordpress. Hopefully you’ll have more luck that me with my 2 year old security vulnerability

One sugestion for a possible “enhancement”.

Currently it would appear that your search function does not include the posters name. Often this is handy when trying to find related information.

RGR