Full Version: Mt Powered Sites Keep Getting Hacked
lalindsey
Hi, this is the third time I have experienced this and I'm looking for what could be causing it and how to stop it.

This only happens on the websites that I have hosted with MT, no others.

This morning, when I woke up two of my MT powered sites had been hacked. On the pages there had been a link added to either a crack, mp3 or some type of warez. Also, when you first go to the sites it tried to download a file called "xpl.wmf".

Every time it happens I changed my passwords to something outrageously different, but it happens again.

It is resolved by rebuilding the site. So whatever is causing it is putting the information right into the static template files like on the webserver/ftp, not in the database.

I just need it to stop happening. Has this happened to anyone else?

I have only one "evil" looking referrer in my logs, which is http://wareztotal.com.ar. I tried a whois on it but got nothing.

But hey, I also have referrals from Vogue UK..... haha yeah right.

This has apparently happened to lots of people using phpbb. I've reported it to my host, but not sure what else I can do.

Lindsey
lisa
Please see these articles from Learning Movable Type:
http://www.learningmovabletype.com/announc...822attacked.php
http://www.learningmovabletype.com/announc...to_attacked.php
howardsu1
The same thing happened to all 4 blogs running off of my MT install at 2mhost.com. Same symptoms - and a rebuild fixed the problem. I'll check out these articles mentioned.
iancull
This just happened to me too ... but only "lightly"; they overwrote one file (MT.SSI) which normally generates the right hand column of links.

I don't understand why the permissions of MT-created files are 666 (allowing anyone to overwrite them) instead of 644? Seems to me if the file was 644, it couldn't have been overwritten. What am I missing?
lisa
Not all web hosts configure things so that the web server runs as your user. When that is the case, the only way Movable Type (which runs as the web server user) can write files in your directory is for the permissions to be opened up. That said, the 3.31 mt-check.cgi will let you know if you're running under cgiwrap or suexec, which will allow you to tighten down the permissions as mentioned in the above links.
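The 666-versus-644 point discussed above can be checked directly on the published files. The script below is an added example, not part of the thread and not Movable Type's own tooling: it lists world-writable files and directories under a site root and, with `--fix`, removes group and other write access (666 becomes 644, 777 becomes 755). It assumes the host runs CGI scripts as your own user (cgiwrap or suexec, as mt-check.cgi reports); the function names and the `--fix` argument are made up for this example.

```shell
#!/bin/sh
# Added example: audit a published-site directory for files that any
# account on a shared host can overwrite, and optionally tighten them.
# Assumes CGI runs as your own user (cgiwrap/suexec); otherwise tightening
# stops Movable Type from writing its output files.

# list_world_writable DIR: print regular files and directories with the
# "other" write bit set (e.g. 666 or 777). Symlinks are skipped.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# count_world_writable DIR: number of world-writable entries under DIR.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# tighten_permissions DIR: drop group and other write access from every
# file and directory that has either bit set; owner bits are untouched.
tighten_permissions() {
    find "$1" \( -type f -o -type d \) \( -perm -0002 -o -perm -0020 \) \
        -exec chmod go-w {} +
}

# Usage: sh audit.sh SITE_ROOT [--fix]
# SITE_ROOT is the directory your blog is published into.
if [ "$#" -ge 1 ]; then
    echo "World-writable entries under $1:"
    list_world_writable "$1"
    if [ "${2:-}" = "--fix" ]; then
        tighten_permissions "$1"
        echo "World-writable entries remaining: $(count_world_writable "$1")"
    fi
fi
```

Run it without `--fix` first and rebuild the site afterwards to confirm Movable Type can still write its files; new files keep being created world-writable until the permission settings described in the linked articles are changed as well.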