Thursday, April 03, 2008 10:41 AM cmosby

WordPress 2.3.3 Invaded by Wily JavaScript | TrendLabs | Malware Blog - by Trend Micro


Once the vulnerability has been exploited, the script creates a folder named 1 inside the user's wp-content folder. It then populates that folder with a list of spammy Web pages whose links mostly point to adult and gambling sites. These pages were found to contain the same JS script as well.

In this blog post, the author gave an analysis of the g.js script file, which was common to all affected pages. The body of the said .JS code contained the following strings:

[Figure 1: G.JS Code]

Upon closer inspection, one can easily make out the Web site address http://www.preservesitecolorado.org. As of this writing, the site looked bare (see Figure 2), unlike the one described in the blog where the site showed a brief overview about the company/organization and contact information. PreserveSiteColorado.Org was purported to be hosted in China (1)(2)(3)(4)(5).

[Figure 2: PreserveSiteColorado.Org Web Site]

Hackers also flooded affected pages with links pointing to other infected sites in the comments section of the blog, consequently defacing the page itself. Below is a screenshot sample of the said defacement:

[Figure 3: Screenshot of defaced site due to comment spamming]

I attempted to search for affected pages myself with Google using the search string inurl:wp-content/1/ (see Figure 4). To date, there are now 21,800 pages purportedly affected by the exploit. If using the search string allinurl:wp-content/1 (see Figure 5), there are now 22,500 pages…and possibly rising. Note also that Google does not flag these pages as something that could potentially harm a system. Though that is the case, not clicking on any of them is still the wise course of action.
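A site owner who cannot rely on a search engine to surface the problem can check a WordPress install directly for the two indicators the post names: the dropped wp-content/1 directory, and pages that load g.js from preservesitecolorado.org. The following script is an added example, not code from the Trend Micro post; the WordPress tree it scans is constructed in a temporary directory for the demonstration, and the scanned file extensions and the script-tag pattern are my own assumptions.

```python
"""
Defender-side check for the indicators described in the post (added example,
not Trend Micro's code): walk a local WordPress install, flag an unexpected
wp-content/1 directory, and flag files whose <script src> or g.js body
references the host seen in the injected script.
"""
import os
import re
import tempfile

# Indicators taken from the post: the dropped directory and the g.js host.
SUSPECT_DIR = os.path.join("wp-content", "1")
SUSPECT_HOST = "preservesitecolorado.org"
# File types worth inspecting (assumption) and a loose <script src=...> matcher.
SCAN_EXTENSIONS = (".html", ".htm", ".php", ".js")
SCRIPT_TAG = re.compile(r"<script[^>]+src=[\"']?([^\"'\s>]+)", re.IGNORECASE)


def scan_wordpress(root):
    """Return findings: the suspect directory (or None) and a list of
    (relative path, script src) pairs that reference SUSPECT_HOST."""
    findings = {"suspect_dir": None, "script_refs": []}
    candidate = os.path.join(root, SUSPECT_DIR)
    if os.path.isdir(candidate):
        findings["suspect_dir"] = candidate
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    content = fh.read()
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            rel = os.path.relpath(path, root)
            for match in SCRIPT_TAG.finditer(content):
                src = match.group(1)
                if SUSPECT_HOST in src.lower():
                    findings["script_refs"].append((rel, src))
            # The post says the g.js body itself carries the site address,
            # so a locally dropped copy is flagged even without a script tag.
            if name.lower() == "g.js" and SUSPECT_HOST in content.lower():
                findings["script_refs"].append((rel, "embedded-in-g.js"))
    findings["script_refs"].sort()
    return findings


def build_demo_site(infected=True):
    """Create a constructed WordPress-like tree in a temp dir and return its
    root. With infected=True it carries both indicators; otherwise it is clean."""
    root = tempfile.mkdtemp(prefix="wpdemo-")
    os.makedirs(os.path.join(root, "wp-content", "themes"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php /* constructed clean front page */ ?>")
    with open(os.path.join(root, "wp-content", "themes", "style.css"), "w") as fh:
        fh.write("body { margin: 0; }")  # not in SCAN_EXTENSIONS, never read
    if infected:
        spam_dir = os.path.join(root, "wp-content", "1")
        os.makedirs(spam_dir)
        with open(os.path.join(spam_dir, "index.html"), "w") as fh:
            fh.write('<html><body><script src="http://www.preservesitecolorado.org/g.js">'
                     '</script></body></html>')
        with open(os.path.join(spam_dir, "g.js"), "w") as fh:
            fh.write("// constructed stand-in for the dropped script\n"
                     "var h = 'http://www.preservesitecolorado.org';\n")
    return root


if __name__ == "__main__":
    for label, tree in (("infected", build_demo_site()),
                        ("clean", build_demo_site(infected=False))):
        print(label, scan_wordpress(tree))
```

Running the block prints the findings for a constructed infected tree and a constructed clean one; on a real install, point scan_wordpress at the document root and treat any non-empty result as a reason to inspect the site and review its registration and plug-in settings.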

[Figure 4: Google index results for inurl:wp-content/1/]

[Figure 5: Google index results for allinurl:wp-content/1]

As of this writing, a fix for this vulnerability has yet to be issued by WordPress. (You may, however, find this and this useful.) As a workaround, users may want to close their registration feature. Also, be wary of third-party plug-ins you install in your blog sites.

Source: WordPress 2.3.3 Invaded by Wily JavaScript | TrendLabs | Malware Blog - by Trend Micro
