Title: newexpl.php Exploit
Last modified: August 18, 2016

---

# newexpl.php Exploit

 *  [chrisod](https://wordpress.org/support/users/chrisod/)
 * (@chrisod)
 * [20 years, 11 months ago](https://wordpress.org/support/topic/newexplphp-exploit/)
 * My WordPress site this morning was attempting to download the above named file
   when I viewed it. It turns out somebody had placed some javascript on all the
   php pages that were chmod 666 and that javascript was attempting to load a php
   page that would install spyware.
 * A couple of things to note.
 * 1. I’m a dumbass for leaving pages set to chmod 666. However, since WP specifically
   suggests that setting to edit templates with the editor, I suspect I’m not the
   only dumbass out there. The pages were changed yesterday.
 * 2. Thank you Firefox for not auto installing the spyware 🙂
 * 3. Not much on Google about that page yet – not even sure if this is specific
   to WP, or any php page set to chmod 666. However, since a lot of lazy users like
   me probably have pages set at 666, it is likely to hit WP users.


 *  [Firas](https://wordpress.org/support/users/firas/)
 * (@firas)
 * [20 years, 11 months ago](https://wordpress.org/support/topic/newexplphp-exploit/#post-223074)
 * Can you check your logs and find out exactly how they were edited and by whom?
   Are you sure they were editing using wp’s inbuilt editor?
 *  [phiali](https://wordpress.org/support/users/phiali/)
 * (@phiali)
 * [20 years, 11 months ago](https://wordpress.org/support/topic/newexplphp-exploit/#post-223081)
 * What version of WordPress are you running? 1.5.1.2 ?
 *  [Denis de Bernardy](https://wordpress.org/support/users/denis-de-bernardy/)
 * (@denis-de-bernardy)
 * [20 years, 11 months ago](https://wordpress.org/support/topic/newexplphp-exploit/#post-223082)
 * Wouldn’t this more likely come from some other user on the same server?
 *  Thread Starter [chrisod](https://wordpress.org/support/users/chrisod/)
 * (@chrisod)
 * [20 years, 11 months ago](https://wordpress.org/support/topic/newexplphp-exploit/#post-223106)
 * Looking at my server logs – it looks like it was somebody logged into the same
   server. No evidence that it happened thru the WP admin interface, which is a 
   good thing. It’s user error in this case 🙂 However, I do think that suggestion
   of chmod 666 on the template editor is dangerous, although anybody that knows
   how to change unix file permissions should know better than to leave web pages
   as 666.
 *  [skippy](https://wordpress.org/support/users/skippy/)
 * (@skippy)
 * [20 years, 11 months ago](https://wordpress.org/support/topic/newexplphp-exploit/#post-223107)
 * The problem is slightly more subtle.
 * In order for the WordPress file editor to work, the files need to be owned (or
   group owned) by the user account used by the webserver. If that’s the case, it’s
   relatively trivial for people hosted on the same server to leverage these permissions
   by writing custom scripts to edit the files…
 * The WordPress file editor itself shouldn’t let you load files outside of your
   WordPress directory, but a custom-written script could certainly do so.
 * The “best” solution is to remove write permission for the files when you’re using
   a shared host provider. Only your user account should have write permissions.
   This of course means that you will be unable to use the WordPress file editor.
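A small audit-and-tighten script along the lines of skippy's advice (added here, not code from the thread): it lists files under a WordPress tree that group or others can write, which is exactly what a chmod 666 left open, and then resets the tree to 644 for files and 755 for directories. The sample tree it builds is constructed; the 644/755 targets are an assumption.

```shell
#!/bin/sh
# Audit a WordPress tree for files that other tenants on a shared host could
# modify: anything group- or world-writable (e.g. chmod 666 / 777).
# Added example, not code from the thread; the sample tree is constructed.

# List regular files under $1 whose mode grants write to group or others.
# -perm -020 = group write bit set, -perm -002 = other write bit set.
find_loose_files() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) | sort
}

# Number of loose files; 0 means only the owner account can write.
count_loose_files() {
    find_loose_files "$1" | wc -l | tr -d ' '
}

# Tighten the tree: directories 755, files 644 (assumed targets, matching
# the "revert to 755" practice mentioned in the thread).
harden_tree() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree mimicking a small WordPress install.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/themes/default"
    echo '<?php // index'  > "$dir/index.php"
    echo '<?php // header' > "$dir/wp-content/themes/default/header.php"
    echo '<?php // footer' > "$dir/wp-content/themes/default/footer.php"
    chmod 644 "$dir/index.php"
    chmod 666 "$dir/wp-content/themes/default/header.php"  # editor-friendly, but loose
    chmod 777 "$dir/wp-content/themes/default/footer.php"  # worse still
    echo "$dir"
}

# Stand-alone demo: ./audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree)
    echo "Loose files before hardening:"; find_loose_files "$d"
    harden_tree "$d"
    echo "Loose files after hardening: $(count_loose_files "$d")"
    rm -rf "$d"
fi
```

Run it over the real document root with `find_loose_files /path/to/wordpress` before hardening so you know which files the editor had loosened.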
 *  Thread Starter [chrisod](https://wordpress.org/support/users/chrisod/)
 * (@chrisod)
 * [20 years, 11 months ago](https://wordpress.org/support/topic/newexplphp-exploit/#post-223128)
 * Fireftp – change permissions.
   Edit site. Fireftp – revert permissions to 755.
 * That is probably still going to be less of a pain than ftping a file, making 
   a change, ftping the file again, etc etc.


## Tags

 * [spyware](https://wordpress.org/support/topic-tag/spyware/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 6 replies
 * 5 participants
 * Last reply from: [chrisod](https://wordpress.org/support/users/chrisod/)
 * Last activity: [20 years, 11 months ago](https://wordpress.org/support/topic/newexplphp-exploit/#post-223128)
 * Status: not a support question
