I woke up to this email from a self-proclaimed Anonymous Security Specialist.
From: Anonymous Security Specialist Friday – April 4, 2008 10:36 PM
To: Blogger admin
Subject: Your blog’s version is old and has been hacked. Update ASAP!
Attachments: Mime.822 (4265 bytes)
This email is not an April’s fools email and it has been sent to notify you that your blog’s version is old and needs to be updated ASAP as it was hacked.
While tracking some Viagra spammers I have come accross [sic] several links coming from your blog and, after testing it, it appears your blog is 2.1.* generation hence vulnerable to SQL injection blind-fishing attacks. Search Google to learn more. In a few words: spammers can take full control of your blog in a matter of minutes and deface it at will.
These attacks are as serious as they can get as the spammers have full access to your blog and add hidden HTML elements to mask their links.
You MUST update your blog to the latest official WordPress version and manually clean your last 5-10 posts of the parasite links which you will only see in HTML view.
Not doing so may attract severe search engine penalties as you are currently linking to sites with VERY bad reputation.
Hoping you will take required action,
A.S.S. (Anonymous Security Specialist)
PS: I got your email address from your Dashboard / Users Management Section. I have warned many during the past months regarding the vulnerable blogs, being a blogger myself, but it seems I haven’t warned everyone. Lateste [sic] WordPress is secure.
PPS: Your login name is admin and password hash is **************************.
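The email's advice to look for "hidden HTML elements" in HTML view can be automated. The Python scan below is an added illustration, not part of the post or of the email, and not WordPress code: it parses a post's HTML with the standard library and reports every link whose own style, or the style of an enclosing element, would hide it from a reader (display:none, visibility:hidden, zero font size, off-screen positioning, or a bare hidden attribute). The sample post and the spam hostnames in it are constructed for the example.

```python
"""Find links in post HTML that are hidden from readers but still crawlable.

Added example (not from the original post). Uses only the standard library so it
can be run offline against exported post content.
"""
import re
from html.parser import HTMLParser

# (label, regex) pairs for inline styles commonly used to hide spam links.
HIDING_STYLES = [
    ("display:none", re.compile(r"display\s*:\s*none", re.I)),
    ("visibility:hidden", re.compile(r"visibility\s*:\s*hidden", re.I)),
    ("font-size:0", re.compile(r"font-size\s*:\s*0+(?:\.0+)?(?:px|pt|em)?\s*(?:;|$)", re.I)),
    ("off-screen position", re.compile(r"(?:left|top)\s*:\s*-\d{3,}px", re.I)),
]

# Elements that never have a closing tag; they must not stay on the open-element stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "wbr"}


def hiding_reason(attrs):
    """Return a label if these attributes hide the element, otherwise None."""
    a = dict(attrs)
    style = a.get("style") or ""
    for label, pattern in HIDING_STYLES:
        if pattern.search(style):
            return label
    if "hidden" in a:
        return "hidden attribute"
    return None


class HiddenLinkFinder(HTMLParser):
    """Tracks open elements so a link inherits 'hidden' from any ancestor."""

    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, reason-or-None) for each open element
        self.findings = []   # dicts: href, reason, line

    def handle_starttag(self, tag, attrs):
        reason = hiding_reason(attrs)
        if tag == "a":
            href = dict(attrs).get("href") or ""
            # nearest hidden ancestor, if any
            inherited = next((r for _, r in reversed(self.stack) if r), None)
            why = reason or inherited
            if why:
                self.findings.append({"href": href, "reason": why, "line": self.getpos()[0]})
        if tag not in VOID_TAGS:
            self.stack.append((tag, reason))

    def handle_startendtag(self, tag, attrs):
        # <tag ... /> opens and closes at once
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.stack.pop()

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(post_html):
    """Return a list of hidden-link findings for one post's HTML."""
    finder = HiddenLinkFinder()
    finder.feed(post_html)
    finder.close()
    return finder.findings


# Constructed sample post: three hidden spam links and one legitimate link.
SAMPLE_POST = """<p>Today I upgraded the blog and fixed a couple of plugins.</p>
<div style="display:none"><a href="http://pills.example/buy">cheap pills</a></div>
<p>More notes on the <a href="https://wordpress.org/">WordPress</a> upgrade.</p>
<span style="position:absolute; left:-9999px"><a href="http://casino.example/">casino</a></span>
<p><a href="http://spam.example/" style="font-size:0">x</a> See you tomorrow.</p>
"""

if __name__ == "__main__":
    for f in find_hidden_links(SAMPLE_POST):
        print(f"line {f['line']}: {f['href']} ({f['reason']})")
```

Run it over each exported post body (for example the post_content column of a database dump); anything it reports is worth checking in the editor's HTML view. It deliberately flags by visibility rather than by hostname, so it catches links regardless of what the spammer is advertising, and legitimate hidden markup (a collapsed widget, say) will show up too and should be reviewed rather than blindly removed.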
The last fact really got my attention 🙂 The reality is that he or she was right: there are a few sites that are sadly behind in terms of versions. Now, I know this person has hacked one of my sites on Bluehost to actually get my information to contact me, and I kind of like the Robin Hoodesque nature of this whole thing, plus it is a much needed reminder of how vulnerable out-of-date open source applications can be. So take the Anonymous Security Specialist’s advice and update all your long overdue upgrades.
But I have a question: did I fall for a bigger trap by going to the sites and updating as well as searching out the spam links (which were right where they said they would be!)? Is this the purest act of altruism, or a larger game? And these last questions may reveal how ignorant I am when it comes to these things, which I freely acknowledge.
Update: As Bill says in the comments, and D’Arcy said as well, this was an act of altruism on the part of my unnamed security adviser, which makes me love the tubes that much more. We love you Anonymous Security Specialist! Thanks for being an internet superhero 🙂