A number of WordPress blogs around the world have been hacked (or cracked, whichever word you prefer) and a "pharmacy" subdirectory have been injected below the WordPress root. I know of these victims at the moment:
The injected web pages are advertised by fooling Yahoo! search to make a weird GET request to a totally different web site, resulting in log lines like this:
220.127.116.11 – – [29/Aug/2008:04:03:50 +0200] "GET /\"//example.com/blog/pharmacy/spam.html\" HTTP/1.0" 404 15145 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; //help.yahoo.com/help/us/ysearch/slurp)"
I really recommend every WordPress user to add at least one extra level of protection to their wp-admin subdirectory. It’s not safe.