I am running several wordpress blogs, all running 3.0.1
They are all getting hacked, the exploit is inserting a <scrip src="... pointing to a malware host at the bottom of all the posts in each blog.
So it looks like an sql injection hack (it would be impossible just by using a hacked wp-admin account, some of these blogs have 10,000+ posts and the hack shows up all at once on all of them.
The entire wp-admin is secured (not accessible from the outside), so the hack is not going through there, and it is also not coming through ftp. None of the core wordpress files look compromised (no base64 code anywhere), and the hack still happened after replacing all the wordpress core files with a freshly re-downloaded 3.0.1 version (and checking that no additional files where left over.)
There is only one blog that is not being hacked, and that one does not allow comments. All the others do.
So I am wondering if there is a zero-day exploit out there on the comments system in wordpress 3.0.1
It could also be due to a plugin, we're looking into that, but we've ruled out most of the plugins since there are only a couple of them that are common to all the hacked installations.
Anyone else seeing something like this?