..... and you cannot create one by the "dev/build" way.
Yes you most certainly can recreate admin members via dev/build if no members exist. You can even specify the username and password via dev/build?username=mynewuser&password=password.
I have no idea what else you can try apart from looking through the logs for the IP address. Seeing who is doing it / block that IP. And is it only the blog module - they haven't added any pages else where?. What happens if you disable the blog module (or comment out the code which allows users to write blogs on the front end)
Shot in the dark. But can you open up /mysite/_config.php and just make sure there isn't a line in there that looks like this:
If it's there, delete it.
It really sounds like you need to check your server logs on this though. You need to find out what URL they are using to post these comments (if at all). Check the datestamp on the post and try to match it up with a time in your log - they should match.
I tried logging in to the site using admin/password and that doesn't work. I also tried willrs suggestion to create a new user. That didn't work either. Seems like the CMS is still protected...
Aaron made a very good suggestion though. Look up the blog post timestamps and compare them with your access log. One should be able to tell what URL was used to create the blog posts.
Still: I'd change all the passwords of your website. Control Panel, FTP, Database (and others that might exist). Use distinct and secure passwords (obviously)
Guess that means the entries are coming across the URL - someone is able to execute the BlogEntryForm without permission!
Thats a security problem of the blog module or not?
What should I to to stop this?
Bad news everyone. I just installed the Blog module and it is indeed very vulnerable to these kinds of attacks. No login checks whatsoever are being done when form data is sent to the server.
Here's a post I just created: http://nestbau.info/testing-vulnerability/
I used the official module download. Will check if the vulnerability is still present in trunk and file a bug report.