Dear friends,
My MT 2.661 system got hacked yesterday, when somehow, someone used list_command.php to send out thousands of spam messages through Majordomo. The following log entries from my server (domain name removed for security reasons) show how frequently this script is being posted to from many IP addresses.
124.51.183.147 - - [02/Apr/2007:18:23:24 -0500] "POST /news/list_command.php HTTP/1.1" 302 - "http://www.xyz.com/" "-"
193.95.15.13 - - [02/Apr/2007:18:30:53 -0500] "POST /news/list_command.php HTTP/1.1" 302 - "http://www. xyz.com/news/list_command.php" "-"
124.51.183.147 - - [02/Apr/2007:18:32:11 -0500] "POST /news/list_command.php HTTP/1.1" 302 - "http://www. xyz.com/" "-"
58.85.145.115 - - [02/Apr/2007:18:36:36 -0500] "POST http://www. xyz.com/news/list_command.php HTTP/1.1" 302 - "http://www. xyz.com/" "-"
The top three domains that used/hacked the list_command.php script are:
1) 125.248.158.186 (Korea)
2) 211.136.202.18 (China)
3) 200.238.102.162 (Brazil)
As this is clearly a blatant exploitation of my MT version - which I have used flawlessly for years - I'm now forced to buy a full-fledged version. My question is: does the commercial and most recent version have a change of code, so as to completely avoid the exploitation of the list_command.php script?
Any help would be greatly appreciated!
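Added example (not from the poster or from Movable Type): a small parser for Apache combined-format lines like the ones above that counts POSTs to list_command.php per client IP, normalises proxy-style absolute-URI requests to their path, and notes how many of those POSTs carried no User-Agent. The log lines and IPs are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample modelled on the post's log (documentation IPs, example.com as the site).
SAMPLE_LOG = """\
203.0.113.10 - - [02/Apr/2007:18:23:24 -0500] "POST /news/list_command.php HTTP/1.1" 302 - "http://www.example.com/" "-"
198.51.100.7 - - [02/Apr/2007:18:30:53 -0500] "POST /news/list_command.php HTTP/1.1" 302 - "http://www.example.com/news/list_command.php" "-"
203.0.113.10 - - [02/Apr/2007:18:32:11 -0500] "POST /news/list_command.php HTTP/1.1" 302 - "http://www.example.com/" "-"
192.0.2.44 - - [02/Apr/2007:18:36:36 -0500] "POST http://www.example.com/news/list_command.php HTTP/1.1" 302 - "http://www.example.com/" "-"
192.0.2.44 - - [02/Apr/2007:18:40:01 -0500] "GET /news/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Some clients send the full URL in the request line (as in the fourth log entry);
    # reduce it to the path so it is counted together with the normal form.
    if rec["path"].startswith("http://") or rec["path"].startswith("https://"):
        rec["path"] = urlsplit(rec["path"]).path or "/"
    return rec


def post_stats(log_text, script="/news/list_command.php"):
    """Per client IP: number of POSTs to `script`, and how many of them had no User-Agent."""
    stats = defaultdict(lambda: {"posts": 0, "no_ua": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != script:
            continue
        stats[rec["ip"]]["posts"] += 1
        if rec["ua"] == "-":
            stats[rec["ip"]]["no_ua"] += 1
    return dict(stats)


def top_sources(log_text, n=3, script="/news/list_command.php"):
    """The n client IPs posting to `script` most often, busiest first (ties keep log order)."""
    stats = post_stats(log_text, script)
    return sorted(stats.items(), key=lambda kv: -kv[1]["posts"])[:n]


if __name__ == "__main__":
    for ip, s in top_sources(SAMPLE_LOG):
        print(f"{ip}: {s['posts']} POSTs, {s['no_ua']} without a User-Agent")
```

Run it over the real access log instead of SAMPLE_LOG to get the per-IP list the post compiles by hand; a high POST count with no User-Agent from an address that never requests the page itself is the pattern shown in the entries above.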