The blogs are most likely attacked by some kind of automated tool since the amounts of spam are too big to work manually on all those spam pages creation. It seems there are also spam comments in posts as well. Spam comments are pointing to internal infected blog pages in folder “1″ to get them spidered and to get people to visit them.
This issue was reported to WordPress.org, and there is an unofficial fix for this issue. The fix is based around renaming the cookies used by WordPress by default. If the exploit is hacking the cookies by mass scanning blogs, and it looks for a specific cookie name, that would stop what is out there now but it would not fix the issue.
Recommendations: Upgrade to 2.3.3 along with immediately changing any administrator passwords. Currently older WordPress versions, especially Wordress 2.1.3, attacked using “admin-ajax.php” sql injection exploit to retrieve the administrator account’s password.
Change default cookie names in your blog.
If you know more details or any other solutions, please contact us and share.
More on CyberInsecure: