WordPress: security alert

As many people, I received at the beginning of the week, a mail telling me that the password of the admin account of my blog, was reset. Big stress: connection to blog, quick check that everything is there, change the password of the admin account, change the password of my email accounts, checking files dates …
Nothing changed, but many questions remained, until the release of WordPress 2.8.4 gives us the response.

Initially, I didn’t find anything at WordPress level, so I continued my investigation at Apache level, to understand what happened. I received the message at 09:23AM, so I get the access.log file on the Web server, to find a trace of a possible access. I found this:

80.92.64.98 - - [11/Aug/2009:09:23:53 +0200] "GET /wp-login.php?action=rp&key[]= HTTP/1.1" 302 5 www.emmanuelgeorjon.com "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2" "-"
80.92.64.98 - - [11/Aug/2009:09:23:54 +0200] "GET /wp-login.php?checkemail=newpass HTTP/1.1" 200 1346 www.emmanuelgeorjon.com "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2" "-"
80.92.64.98 - - [11/Aug/2009:09:23:54 +0200] "GET /wp-admin/css/login.css?ver=20090514 HTTP/1.1" 200 2164 www.emmanuelgeorjon.com "http://www.emmanuelgeorjon.com/wp-login.php?checkemail=newpass" "Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2" "-"

So there was a real attack, that leads to a reset of the wp-admin password. Without additional information, I stopped the study at this level.

Less than a day after was published the version 2.8.4 of WordPress, and also some explanations.

No real danger in fact, but these version 2.8 is finally more vulnerable than the 2.7. We have already 2 security updates since its official release, less than two months ago.