WordPress 2.1.1 Compromised
WordPress, a blog-publishing system written in PHP, has had a recent release of its software compromised in a way that may allow remote code execution through a back door. While the tampering appears limited to certain copies of 2.1.1, WordPress has since released an updated and verified version 2.1.2 and is advising anyone running any flavor of 2.1.1 to upgrade as soon as possible. They have also released a statement about it.
The modified code in the compromised version is contained in the following two PHP files:
wp-includes\feed.php
wp-includes\theme.php
These files contain code that reads a parameter from the URL of a request sent to the WordPress site and passes it to either the PHP script engine or the operating system's command shell, allowing the attacker to execute remote commands on the server running the compromised copy of WordPress. This includes downloading and executing other potentially malicious files on the server.
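As an added example (not from this advisory or from WordPress), the following Python triage scanner flags the pattern described above: a request parameter flowing, on the same line, into PHP's eval or an operating-system shell function. The PHP it scans is constructed here for illustration, not the real modified code.

```python
import re
from typing import List, Tuple

# Request-controlled values and the two sink classes the advisory describes:
# the PHP interpreter itself, or the operating-system shell.
TAINT_SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
CODE_SINKS = ("eval", "assert", "create_function")
SHELL_SINKS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")
SINK_CALL = re.compile(r"\b(" + "|".join(CODE_SINKS + SHELL_SINKS) + r")\s*\(")
BACKTICKS = re.compile(r"`[^`]*`")  # PHP's backtick operator behaves like shell_exec()


def scan_php_source(source: str) -> List[Tuple[int, str, str]]:
    """Flag each line where a request parameter and a code/shell sink meet.

    Returns (line_number, sink_name, "php" | "shell"). This is a line-level
    heuristic for triage: it catches the direct pattern the advisory describes,
    not values passed through variables assigned on earlier lines.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # skip comment-only lines
        if not TAINT_SOURCE.search(line):
            continue  # no request-controlled input on this line
        for m in SINK_CALL.finditer(line):
            sink = m.group(1)
            findings.append((lineno, sink, "php" if sink in CODE_SINKS else "shell"))
        for _ in BACKTICKS.finditer(line):
            findings.append((lineno, "`...`", "shell"))
    return findings


# Constructed sample (hypothetical, not the real backdoor): a clean feed helper
# followed by two lines in the shape the advisory describes, a request
# parameter reaching eval and one reaching a shell function.
SAMPLE_PHP = """<?php
function get_feed_link($feed) {
    return trailingslashit(get_option('home')) . $feed;
}
function render_filter($filter) { eval(stripslashes($_GET['filter'])); }
// eval($_GET['commented_out']) must not be reported
$out = passthru(stripslashes($_GET['cmd']));
"""

if __name__ == "__main__":
    for lineno, sink, kind in scan_php_source(SAMPLE_PHP):
        print(f"line {lineno}: request data reaches {sink} [{kind}]")
```

Run it against the two files named above in a suspect installation; any finding is a reason to replace the file with the one from the verified 2.1.2 release.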
A visitor to a Web page on a server running the compromised version is not at risk from the back door itself; the visitor is only at risk if the server has since been compromised by other malicious content downloaded through the back door.
WordPress makes use of a digitally signed executable file to download the main installation program as a .zip file from their Web server. While the digital signature of the executable file is valid, this is one case where a valid signature is not an indication that the downloaded files can be trusted: the signature vouches for the downloader, not for the archive it fetches.
Symantec has provided detection against this threat as Hacktool.Wpixiz.