newexpl.php Exploit

  • My WordPress site this morning was attempting to download the above-named file when I viewed it. It turns out somebody had placed some JavaScript on all the PHP pages that were chmod 666, and that JavaScript was attempting to load a PHP page that would install spyware.

    A couple of things to note.

    1. I’m a dumbass for leaving pages set to chmod 666. However, since WP specifically suggests that setting to edit templates with the editor, I suspect I’m not the only dumbass out there. The pages were changed yesterday.

    2. Thank you Firefox for not auto-installing the spyware 🙂

    3. Not much on Google about that page yet, and I’m not even sure if this is specific to WP or applies to any PHP page set to chmod 666. However, since a lot of lazy users like me probably have pages set at 666, it is likely to hit WP users.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Can you check your logs and find out exactly how they were edited and by whom? Are you sure they were edited using WP’s built-in editor?

    What version of WordPress are you running? 1.5.1.2 ?

    Wouldn’t this more likely come from some other user on the same server?

    Thread Starter chrisod

    (@chrisod)

    Looking at my server logs, it looks like it was somebody logged into the same server. No evidence that it happened through the WP admin interface, which is a good thing. It’s user error in this case 🙂 However, I do think that the suggestion of chmod 666 for the template editor is dangerous, although anybody who knows how to change Unix file permissions should know better than to leave web pages as 666.

    The problem is slightly more subtle.

    In order for the WordPress file editor to work, the files need to be owned (or group owned) by the user account used by the webserver. If that’s the case, it’s relatively trivial for people hosted on the same server to leverage these permissions by writing custom scripts to edit the files…

    The WordPress file editor itself shouldn’t let you load files outside of your WordPress directory, but a custom-written script could certainly do so.

    The “best” solution is to remove write permission for the files when you’re using a shared host provider. Only your user account should have write permissions. This of course means that you will be unable to use the WordPress file editor.

    Thread Starter chrisod

    (@chrisod)

    1. FireFTP – change permissions.
    2. Edit site.
    3. FireFTP – revert permissions to 755.

    That is probably still going to be less of a pain than FTPing a file, making a change, FTPing the file again, etc. etc.
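The following is an added example, not code from the thread, from WordPress or from any of the posters. It puts the two pieces of advice above into one script: the shared-host recommendation that only your own account should hold write permission on the WordPress tree, and the last post's "change permissions, edit, revert" workflow. It assumes a POSIX shell with find, grep and chmod, that the tree is owned by your own account (so chmod works), that the web server runs as a different user, and that files should end up 644 and directories 755 (the 755 the post reverts to is the directory mode; for PHP files 644 is enough). The marker string it searches for by default is the file name from this thread; the sample tree in the usage note is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from WordPress: audit and lock down
# file permissions in a WordPress tree on a shared host, and wrap a single
# edit in a controlled write window. Assumes POSIX find/grep/chmod and that
# the tree is owned by the account running this script.
set -u

# Regular files that are group- or world-writable (chmod 666 and friends).
# Any script the web server executes, including one uploaded by another
# tenant of the same server, can overwrite a file in this list.
writable_files() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) | sort
}

# Number of such files; 0 is the target state on a shared host.
count_writable() {
    writable_files "$1" | wc -l | tr -d ' '
}

# PHP files modified within the last N days (default 1). After an incident
# this is the first list to review: the thread's pages had changed the day
# before the injected script was noticed.
recently_modified() {
    find "$1" -type f -name '*.php' -mtime -"${2-1}" | sort
}

# PHP files containing a marker string (default: the file name from this
# thread). Pass any other indicator of compromise as the second argument.
find_injected() {
    find "$1" -type f -name '*.php' -exec grep -l -- "${2-newexpl.php}" {} + | sort
}

# Lock down: files 644, directories 755. Only the owning account can write,
# which is the shared-host recommendation above; it also disables WP's
# built-in file editor, which needs the web server user to be able to write.
lock_down() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
}

# The edit workflow from the last post with the revert made unconditional:
# open one file for writing, run the editing command, restore 644 regardless
# of the command's exit status, then return that status.
with_write_window() {
    file=$1
    shift
    chmod 666 "$file"
    status=0
    "$@" || status=$?
    chmod 644 "$file"
    return "$status"
}

# Command-line use: sh wp-perms.sh audit|scan|lock DIR
case "${1-}" in
    audit) writable_files "$2" ;;
    scan)  find_injected "$2"; recently_modified "$2" ;;
    lock)  lock_down "$2" ;;
esac
```

Run `sh wp-perms.sh audit /path/to/wordpress` first; every path it prints is a file any other tenant can rewrite through the web server account. `scan` lists files that carry the marker or changed in the last day, `lock` applies 644/755, and an edit then looks like `with_write_window wp-content/themes/x/header.php vi wp-content/themes/x/header.php`, which reopens the file only for the duration of the edit and closes it again even if the editor exits with an error.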
