How Do I Secure WordPress Blogs Against Elemento_pcx Exploit?
Posted by Volomike on Server Fault
Published on 2010-05-04T18:04:21Z
I have a client who has several WordPress 2.9.2 blogs that he hosts. They are getting a deface kind of hack with the Elemento_pcx exploit somehow. It drops these files in the root folder of the blog:
-rw-r--r-- 1 userx userx 1459 Apr 16 04:25 default.htm
-rw-r--r-- 1 userx userx 1459 Apr 16 04:25 default.php
-rw-r--r-- 1 userx userx 1459 Apr 16 04:25 index.asp
-rw-r--r-- 1 userx userx 1459 Apr 16 04:25 index.aspx
-rw-r--r-- 1 userx userx 1459 Apr 16 04:25 index.htm
-rw-r--r-- 1 userx userx 1459 Apr 16 04:25 index.html
-rwxr-xr-x 1 userx userx 1459 Apr 16 04:25 index.php*
It overwrites index.php. A keyword inside each file is "Elemento_pcx". It shows a white fist with a black background and the phrase "HACKED" in bold letters above it.
We cannot determine how it gets in to do what it does. The wp-admin password isn't hard, but it's also not very easy either. I'll change it up a little to show you what the password sort of looks like: wviking10. Do you think it's using an engine to crack the password? If so, how come our server logs aren't flooded with wp-admin requests as it runs down a random password list?
The wp-content folder has no changes inside it, but is run as chmod 777 because wp-cache required it. Also, the wp-content/cache folder is run as chmod 777 too.
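The triage a responder would run on a host like this, as an added example and not code from the original Server Fault post or from WordPress: it looks for the dropped files by the "Elemento_pcx" marker the post mentions, lists world-writable directories such as the chmod 777 wp-content and wp-content/cache, and counts POSTs to wp-login.php per source IP in the access log to answer the "is it a password-guessing engine?" question. It assumes a combined-format Apache/nginx access log and that logins go through /wp-login.php; the log lines and the throwaway web root are constructed here for the demo, and the threshold of ten login POSTs is a starting guess to tune.

```python
#!/usr/bin/env python3
"""Triage checks for the Elemento_pcx-style defacement described in the post.

Added example, not code from the original post. Assumptions not stated there:
combined-format access logs, logins via /wp-login.php, and the dropped files
being recognisable by the "Elemento_pcx" string the post says they contain.
"""
import os
import re
import stat
import tempfile
from collections import Counter

# File names the post says were dropped in the blog root.
DROPPED_NAMES = ("default.htm", "default.php", "index.asp", "index.aspx",
                 "index.htm", "index.html", "index.php")
MARKER = b"Elemento_pcx"

# Apache/nginx "combined" log format (assumed).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def find_defacement_files(webroot):
    """Return the dropped file names present in webroot that contain MARKER.
    A legitimate index.php has no marker, so it is not reported."""
    found = []
    for name in DROPPED_NAMES:
        path = os.path.join(webroot, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                if MARKER in fh.read():
                    found.append(name)
    return found


def world_writable_dirs(root):
    """Directories under root with the other-write bit set (chmod 777 and the
    like). Any local user or any code running as the web server can drop
    files there; paths are returned relative to root, sorted."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if os.lstat(full).st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def login_posts_by_ip(log_lines, login_path="/wp-login.php"):
    """Count POST requests to the login endpoint per source IP. A guessing
    engine shows up as one IP with many POSTs in a short span; if this stays
    near zero across the logs, password guessing is unlikely to be the entry."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST" and \
                m.group("path").split("?", 1)[0] == login_path:
            counts[m.group("ip")] += 1
    return counts


def suspected_guessing(log_lines, threshold=10):
    """IPs with at least `threshold` login POSTs (threshold is an assumption)."""
    return {ip: n for ip, n in login_posts_by_ip(log_lines).items()
            if n >= threshold}


# Constructed sample log: normal browsing and one real login from one address,
# plus a burst of login POSTs from another, as a guessing engine would produce.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Apr/2010:04:10:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Apr/2010:04:10:09 +0000] "GET /wp-login.php HTTP/1.1" 200 1900 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Apr/2010:04:10:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    ('198.51.100.9 - - [16/Apr/2010:04:2%d:%02d +0000] '
     '"POST /wp-login.php HTTP/1.1" 200 3100 "-" "-"') % (i // 10, (i % 10) * 5)
    for i in range(15)
]


def demo():
    """Build a throwaway web root shaped like the post (defaced index.php,
    chmod 777 wp-content and wp-content/cache) and run all three checks."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<html><body><b>HACKED</b> by Elemento_pcx</body></html>")
    with open(os.path.join(root, "wp-config.php"), "wb") as fh:
        fh.write(b"<?php /* untouched */ ?>")
    for sub in ("wp-content", os.path.join("wp-content", "cache")):
        os.makedirs(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), 0o777)   # what wp-cache demanded
    os.makedirs(os.path.join(root, "wp-admin"))
    os.chmod(os.path.join(root, "wp-admin"), 0o755)  # sane default for contrast
    return {
        "defaced": find_defacement_files(root),
        "world_writable": world_writable_dirs(root),
        "guessing": suspected_guessing(SAMPLE_LOG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real host, point `find_defacement_files` and `world_writable_dirs` at the blog's document root and feed `suspected_guessing` the lines of the access log; a defacement with no login bursts in the log points away from password guessing and toward a writable directory or a vulnerable plugin as the path in.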
© Server Fault or respective owner