Someone brute-forced their way into the server last week, my fault for not disabling all logins to the server.
Normally, this isn’t a problem, as the default firewall setup I always use prevents any remote logins except from known-good hosts. However, this server was accidentally provided with partially missing firewall code by the hosting company, and so I couldn’t run my firewall without first upgrading the kernel. And I’d been “too busy to get around to” doing that…
Oh well. Fortunately, I had a very recent backup of the blog, and I’ve now discovered a couple of major flaws in WordPress’s backup system (note: it doesn’t bother even trying to backup your uploads, embedded images, etc) that I can now change my backup procedure to accomodate.
Apologies to anyone trying to follow the links in the last 6 hours. You were probably locked-out – I firewalled off the whole machine for a few hours to investigate how they got in and what they did once they were in. You still have to wipe all harddisks and re-install, of course, but you need first to find out how they did it, or you have no way of making sure they don’t get in again.
Oh, and I kept enough incriminating evidence to give to the police / FBI if the hosting providers manage to track down the perpetrators. One of them left his IP address in, but I’m pretty sure that was just another compromised host (have informed the large, famous, north-american telco it came from. Probably one of their naive users with a compromised windows 2k/xp box).