Yes, this vulnerability in MT was already being exploited. The exploits were what led to the vulnerability being discovered.
Last Saturday, on Jay Allen's MT-Blacklist forum, a user reported that their mt-comments.cgi script was hijacked to send e-mail spam.
TextDrive shut down all mt-comments.cgi scripts on their servers due to spammers attacking this vulnerability.
I was not aware that any MT sites hosted by TCH were being exploited, but it does not surprise me that there were.
The exact nature of the vulnerability is that a malicious user can (among other things) post a comment to an MT weblog and cause comment notification e-mails to be sent to any number of recipients they choose. To exploit this hole, notifications MUST be turned on and hence the user should notice.
Let's say my install was exploited. Would there be any telltale signs in my logs? What would I be looking for?
There would be no sign at all in your logs. The sign that your MT install was being exploited would be in your comment notification e-mails. You should see extra e-mail headers (such as BCC:) and extra e-mail addresses after the commenter's "Email Address:" listed in the notification.
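
The check described in the reply above, written out as an added example (not part of the original thread and not Movable Type code): it scans a saved comment notification e-mail for extra recipient headers and for extra addresses after the "Email Address:" field. The function name, the `expected_recipients` parameter, the assumption that the field ends at the next blank line, and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses
ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HEADER_LIKE = re.compile(r"^(bcc|cc|to)\s*:", re.I | re.M)
# Assumed layout: the "Email Address:" field ends at the next blank line.
EMAIL_FIELD = re.compile(r"^Email Address:(.*?)(?:\n\s*\n|\Z)", re.S | re.M)

def check_notification(raw, expected_recipients):
    """Return a list of findings for one raw comment notification e-mail."""
    msg = message_from_string(raw)
    findings = []
    if msg.get_all("Bcc") or msg.get_all("Cc"):
        findings.append("unexpected Bcc/Cc header")
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    seen = {addr.lower() for _, addr in getaddresses(hdrs) if addr}
    extra = seen - {r.lower() for r in expected_recipients}
    if extra:
        findings.append(f"{len(extra)} unexpected recipient(s)")
    body = "" if msg.is_multipart() else msg.get_payload()
    field = EMAIL_FIELD.search(body)
    if field:
        if len(ADDR.findall(field.group(1))) > 1:
            findings.append("extra addresses after Email Address:")
        if HEADER_LIKE.search(field.group(1)):
            findings.append("header-like line after Email Address:")
    return findings

# Constructed sample notifications (not real Movable Type output).
CLEAN = """\
To: owner@example.org

Name: Alice
Email Address: alice@example.com
URL: http://example.com/

Comments: Nice post.
"""
SUSPICIOUS = """\
To: owner@example.org
Bcc: a@example.net, b@example.net

Name: Bob
Email Address: bob@example.com
Bcc: a@example.net, b@example.net

Comments: Hi.
"""
if __name__ == "__main__":
    print(check_notification(SUSPICIOUS, ["owner@example.org"]))
```

Pass the address or addresses your weblog normally notifies as `expected_recipients`; an empty result means none of the signs were found in that message.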