SOLVED cpanel login after AnonmousFox hack

1

123Host

Well-Known Member
Apr 24, 2015
45
13
58
USA
cPanel Access Level
Root Administrator
After an attack by AnonymousFox, with a lot of effort, I have regained control of the server.

If I try to login to cpanel directly from WHMCS I get in no worries.

However if I try to login from the login page it fails with
Code: 
A network error occurred during your login request. Please try again. If this condition persists, contact your network service provider.
the log /usr/local/cpanel/logs/error_log shows

Code: 
    cpsrvd 3270daefd1ff: Failed to lookup the password file entry for the user âfoxâ

    [2020-01-23 18:08:45 +1000] info [cpaneld] Internal Server Error: "POST /login/?login_only=1 HTTP/1.1" 500 Error ID 3270daefd1ff
somewhere, no matter which user name I try, it seems to be attempting to get in as the user "fox"

I can't find anything in /etc/passwd that would cause this, all users seem to be there.

Any ideas on what is happening here and how to solve it?
 
1

123Host

Well-Known Member
Apr 24, 2015
45
13
58
USA
cPanel Access Level
Root Administrator
I just found /var/cpanel/pw.cache/2:1391

the content is

{"VERSION":"1.01","cachetime":1579644017,"contents":["fox","$6$BOdRNoFC$XcYWiJ.DIfoGxh214qK1GrQtnMS2j/6gcY5P5oBu7q.0Q3rAUn4nNR2gARMmxTv/3No1nJ.LJ2S/OP0G9js/81","1391","1392","","","","/home/fox","/bin/bash","7","18282",1579644017,1579691683],"hcachetime":1579691683}

there is no directory /home/fox
 
1

123Host

Well-Known Member
Apr 24, 2015
45
13
58
USA
cPanel Access Level
Root Administrator
OK...this may help someone else down the track. A lot of grep-ing and I eventually discovered /var/cpanel/resellers had a single line "fox:all"

Removing that line gave me full access again.
 
  • Like
Reactions: bloatedstoat
keat63

keat63

Well-Known Member
Nov 20, 2014
1,961
267
113
cPanel Access Level
Root Administrator
Do you use wordpress by any chance.
Keen to know what this hack is I came across a number of references to wordpress,
 
Last edited:
1

123Host

Well-Known Member
Apr 24, 2015
45
13
58
USA
cPanel Access Level
Root Administrator
I am pretty certain it was a wordpress hack. Stupid me, I had a wordpres site on the same account as WHMCS so once they got in via WP they got into WHMCS and ended up with root access. WHMCS is now isolated.

It has been a very painful 24 hours but looks like it is all over apart from cleaning up as the Imunify360 scan finds infected files.
 
Kent Brockman

Kent Brockman

Well-Known Member
PartnerNOC
Jan 20, 2008
1,335
75
178
Buenos Aires, Argentina
cPanel Access Level
Root Administrator
Hi everybody. Is there any useful link you guys can provide on how to prevent anonymousfox from breaking in? If it enters by injecting executable files thru vulnerable WordPress plugins, it does mean that cPanel have a vulnerability allowing injected files to get root access.
It is exploiting a bug in cPanel? or is there any current WHM configuration you can enforce to prevent that?

Thanks in advance
 
cPanelLauren

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,300
363
Houston
The anonymousfox vulnerability, caused by running vulnerable scripts on a cPanel account does not allow for root access @kentbrockman
Allowing vulnerable content on the server which in turn allows a way for an attacker to obtain access to the cPanel password reset does not constitute a bug.

What ultimately should be done here is remove the vulnerable content. You can also disable password resets for cPanel accounts to eliminate the ability for an attacker taking advantage of a vulnerable script to be able to reset the contact email and in turn reset the password, but if you don't get rid of the vulnerability they can continue to manipulate data in other ways. The issue needs to be resolved at the root of it, addressing symptoms of an issue will only get you so far.
 
  • Like
Reactions: Kent Brockman
Kent Brockman

Kent Brockman

Well-Known Member
PartnerNOC
Jan 20, 2008
1,335
75
178
Buenos Aires, Argentina
cPanel Access Level
Root Administrator
cPanelLauren said:
You can also disable password resets for cPanel accounts to eliminate the ability for an attacker taking advantage of a vulnerable script to be able to reset the contact email and in turn reset the password,...
Click to expand...
Thanks Lauren. I know you must attack the root causes, but in a shared scenario with hundreds to thousands of websites spread across lots of servers, you obviously cannot be fully aware of what every customer upload or if security measures are in place.

I will disable password recovery and that should help a lot, yes. Thanks for the tip, that's the kind of idea I was looking for!
 
S

smallhoster

Registered
Oct 1, 2020
1
0
1
Michigan
cPanel Access Level
Root Administrator
Looks like this Anonymousfox hack has hit us too. Not sure how it started but we've been battling it with the help of our provider for a while. Constantly changing the password didn't help.

Thanks for the clue to look up .contactemail file for the email address. We've also turned off password recovery. However, they continue to still login.

So far only one account is left that keeps getting hacked into. Today we've tried turning on 2FA just for that account. AND disable File Manager for all accounts.

Imunity360 has been a lifesaver to immediately deal with the PHP uploads.
 
Kent Brockman

Kent Brockman

Well-Known Member
PartnerNOC
Jan 20, 2008
1,335
75
178
Buenos Aires, Argentina
cPanel Access Level
Root Administrator
I guess we all here are tired of this AnonymousFox thing. Well, I want to share what's working for us. Implement it and this will be a shot in the knees for this virus.

1) Disable password reset.
2) On WHM list your accounts sorted by contact email, and try to determine if non-sensical addresses are present. Double check and fix what you consider wrong, as they may be already modified.
3) On Apache Configuration, enable Apache Symlink Protection (beware: you need FollowSymlinks and SymLinksIfOwnerMatch active first).
4) On Apache Configuration > Include Editor > Post VirtualHost Include > All Versions, add the below sequence, which are the iThemes htaccess filters, which will stop the most common forms of virus and backdoors with a shot in their feet.
5) Run Imunify AV, even the free version is enough, in all of your accounts, with RapidScan and Binary (ELF) malware detection both enabled, and delete/clean infected files.

These are the htaccess filters mentioned in step 4:

Apache config: 
# BEGIN iThemes Security - No modifiques ni borres esta línea
# iThemes Security Config Details: 2
    # Pasar a través de la cabecera de autorización.
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTP:Authorization} ^(.*)
        RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
    </IfModule>

    # Activar la característica de lista de bloqueo de HackRepair.com - Seguridad > Ajustes > Usuarios prohibidos > Lista de bloqueo por defecto
    # Start HackRepair.com Blacklist
    RewriteEngine on
    # Start Custom Agent Blocking
    RewriteCond %{HTTP_USER_AGENT} "^SemrushBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^AhrefsBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^bingbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^PetalBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^DotBot" [NC,OR]
    # End Custom Agent Blocking
    # Start Abuse Agent Blocking
    RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*Indy" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*NEWT" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Maxthon$" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SeaMonkey$" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Acunetix" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^binlar" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^BlackWidow" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Bolt 0" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^BOT for JCE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Bot mailto\:[email protected]\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^casper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^checkprivacy" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^ChinaClaw" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^clshttp" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^cmsworldmap" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Custo" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Default Browser 0" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^diavol" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^DIIbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^DISCo" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^dotbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Download Demon" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^eCatch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EirGrabber" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EmailCollector" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EmailSiphon" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EmailWolf" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Express WebPictures" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^extract" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^ExtractorPro" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EyeNetIE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^feedfinder" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^FHscan" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^FlashGet" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^flicky" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^g00g1e" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^GetRight" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^GetWeb\!" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Go\!Zilla" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Go\-Ahead\-Got\-It" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^grab" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^GrabNet" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Grafula" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^harvest" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^HMView" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Image Stripper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Image Sucker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^InterGET" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Internet Ninja" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^InternetSeer\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^jakarta" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Java" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^JetCar" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^JOC Web Spider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^kanagawa" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^kmccrew" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^larbin" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^LeechFTP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^libwww" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Mass Downloader" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^microsoft\.url" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^MIDown tool" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^miner" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Mister PiX" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^MSFrontPage" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Navroad" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NearSite" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Net Vampire" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NetAnts" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NetSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NetZIP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^nutch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Octopus" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Offline Explorer" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Offline Navigator" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^PageGrabber" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Papa Foto" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^pavuk" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^pcBrowser" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^PeoplePal" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^planetwork" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^psbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^purebot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^pycurl" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^RealDownload" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^ReGet" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Rippers 0" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^sitecheck\.internetseer\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SiteSnagger" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^skygrid" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SmartDownload" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^sucker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SuperBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SuperHTTP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Surfbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^tAkeOut" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Teleport Pro" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Toata dragostea mea pentru diavola" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^turnit" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^vikspider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^VoidEYE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Web Image Collector" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebAuto" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebBandit" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebCopier" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebFetch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebGo IS" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebLeacher" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebReaper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebSauger" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Website eXtractor" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Website Quester" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebStripper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebWhacker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebZIP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Widow" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WPScan" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WWW\-Mechanize" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WWWOFFLE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Xaldon WebSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Zeus" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^zmeu" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "360Spider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "CazoodleBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "discobot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "EasouSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ecxi" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "GT\:\:WWW" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "heritrix" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "HTTP\:\:Lite" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "HTTrack" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ia_archiver" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "id\-search" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "IDBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Indy Library" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "IRLbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ISC Systems iRc Search 2\.1" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "LinksCrawler" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "LinksManager\.com_bot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "linkwalker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "lwp\-trivial" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "MFC_Tear_Sample" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Microsoft URL Control" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Missigua Locator" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "MJ12bot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "panscient\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "PECL\:\:HTTP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "PHPCrawl" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "PleaseCrawl" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "SBIder" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "SearchmetricsBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Snoopy" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Steeler" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "URI\:\:Fetch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "urllib" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Web Sucker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "webalta" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "WebCollage" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Wells Search II" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "WEP Search" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "XoviBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "YisouSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "zermelo" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ZyBorg" [NC,OR]
    # End Abuse Agent Blocking
    # Start Abuse HTTP Referrer Blocking
    RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?semalt\.com" [NC,OR]
    RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?kambasoft\.com" [NC,OR]
    RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?savetubevideo\.com" [NC]
    # End Abuse HTTP Referrer Blocking
    RewriteRule ^.* - [F,L]
    # End HackRepair.com Blacklist, http://pastebin.com/u/hackrepair

    # Desactivar XML-RPC - Seguridad > Ajustes > Ajustes WordPress > XML-RPC
    <files xmlrpc.php>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>

    # Proteger los archivos de sistema - Seguridad > Ajustes > Sistema de ajustes > Archivos de sistema
    <files .htaccess>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>
    <files wp-config.php>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>

    # Desactivar navegación por directorio - Seguridad > Ajustes > Sistema de ajustes > Navegación por directorio
    Options -Indexes

    <IfModule mod_rewrite.c>
        RewriteEngine On

        # Proteger los archivos de sistema - Seguridad > Ajustes > Sistema de ajustes > Archivos de sistema
        RewriteRule ^wp-admin/install\.php$ - [F]
        RewriteRule ^wp-admin/includes/ - [F]
        RewriteRule !^wp-includes/ - [S=3]
        RewriteRule ^wp-includes/[^/]+\.php$ - [F]
        RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
        RewriteRule ^wp-includes/theme-compat/ - [F]
        RewriteCond %{REQUEST_FILENAME} -f
        RewriteRule (^|.*/)\.(git|svn)/.* - [F]

        # Desactivar PHP en Uploads - Seguridad > Ajustes > Ajustes del sistema > PHP en Uploads
        RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

        # Desactivar PHP en los Plugins - Seguridad > Ajustes > Mejoras del sistema > PHP en Plugins
        RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

        # Desactivar PHP en Temas - Seguridad > Ajustes > Mejoras del sistema > PHP en Temas
        RewriteRule ^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

        # Filtrar cadenas de consulta sospechosas en la URL - Seguridad > Ajustes > Ajustes del sistema > Cadenas de consulta sospechosas
        RewriteCond %{QUERY_STRING} \.\.\/ [OR]
        RewriteCond %{QUERY_STRING} \.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
        RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
        RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
        RewriteCond %{QUERY_STRING} ftp: [NC,OR]
        RewriteCond %{QUERY_STRING} https?: [NC,OR]
        RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
        RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
        RewriteCond %{QUERY_STRING} base64_decode\( [NC,OR]
        RewriteCond %{QUERY_STRING} %24&x [NC,OR]
        RewriteCond %{QUERY_STRING} 127\.0 [NC,OR]
        RewriteCond %{QUERY_STRING} (^|\W)(globals|encode|localhost|loopback)($|\W) [NC,OR]
        RewriteCond %{QUERY_STRING} (^|\W)(concat|insert|union|declare)($|\W) [NC,OR]
        RewriteCond %{QUERY_STRING} %[01][0-9A-F] [NC]
        RewriteCond %{QUERY_STRING} !^loggedout=true
        RewriteCond %{QUERY_STRING} !^action=jetpack-sso
        RewriteCond %{QUERY_STRING} !^action=rp
        RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
        RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com
        RewriteRule ^.* - [F]

    </IfModule>
# END iThemes Security - No modifiques ni borres esta línea
Sorry, it's in spanish my native locale.
Feel free to use it all or pick segments of interest. The most important parts are: blockage of XMLRPC and remote PHP execution of files within plugins/themes/uploads.

Hope this help others to stop this and other virii.
Fixes and improvements are more than welcomed.

Good luck people.
 
  • Like
Reactions: weaperu
L

lumorux

Registered
Oct 23, 2020
2
0
1
Costa Rica
cPanel Access Level
Website Owner
Kent Brockman said:
I guess we all here are tired of this AnonymousFox thing. Well, I want to share what's working for us. Implement it and this will be a shot in the knees for this virus.

1) Disable password reset.
2) On WHM list your accounts sorted by contact email, and try to determine if non-sensical addresses are present. Double check and fix what you consider wrong, as they may be already modified.
3) On Apache Configuration, enable Apache Symlink Protection (beware: you need FollowSymlinks and SymLinksIfOwnerMatch active first).
4) On Apache Configuration > Include Editor > Post VirtualHost Include > All Versions, add the below sequence, which are the iThemes htaccess filters, which will stop the most common forms of virus and backdoors with a shot in their feet.
5) Run Imunify AV, even the free version is enough, in all of your accounts, with RapidScan and Binary (ELF) malware detection both enabled, and delete/clean infected files.

These are the htaccess filters mentioned in step 4:

Apache config: 
# BEGIN iThemes Security - No modifiques ni borres esta línea
# iThemes Security Config Details: 2
    # Pasar a través de la cabecera de autorización.
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTP:Authorization} ^(.*)
        RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
    </IfModule>

    # Activar la característica de lista de bloqueo de HackRepair.com - Seguridad > Ajustes > Usuarios prohibidos > Lista de bloqueo por defecto
    # Start HackRepair.com Blacklist
    RewriteEngine on
    # Start Custom Agent Blocking
    RewriteCond %{HTTP_USER_AGENT} "^SemrushBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^AhrefsBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^bingbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^PetalBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^DotBot" [NC,OR]
    # End Custom Agent Blocking
    # Start Abuse Agent Blocking
    RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*Indy" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*NEWT" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Maxthon$" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SeaMonkey$" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Acunetix" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^binlar" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^BlackWidow" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Bolt 0" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^BOT for JCE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Bot mailto\:[email protected]\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^casper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^checkprivacy" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^ChinaClaw" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^clshttp" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^cmsworldmap" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Custo" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Default Browser 0" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^diavol" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^DIIbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^DISCo" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^dotbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Download Demon" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^eCatch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EirGrabber" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EmailCollector" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EmailSiphon" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EmailWolf" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Express WebPictures" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^extract" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^ExtractorPro" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EyeNetIE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^feedfinder" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^FHscan" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^FlashGet" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^flicky" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^g00g1e" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^GetRight" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^GetWeb\!" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Go\!Zilla" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Go\-Ahead\-Got\-It" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^grab" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^GrabNet" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Grafula" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^harvest" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^HMView" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Image Stripper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Image Sucker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^InterGET" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Internet Ninja" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^InternetSeer\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^jakarta" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Java" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^JetCar" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^JOC Web Spider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^kanagawa" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^kmccrew" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^larbin" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^LeechFTP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^libwww" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Mass Downloader" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^microsoft\.url" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^MIDown tool" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^miner" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Mister PiX" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^MSFrontPage" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Navroad" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NearSite" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Net Vampire" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NetAnts" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NetSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NetZIP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^nutch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Octopus" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Offline Explorer" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Offline Navigator" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^PageGrabber" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Papa Foto" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^pavuk" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^pcBrowser" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^PeoplePal" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^planetwork" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^psbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^purebot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^pycurl" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^RealDownload" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^ReGet" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Rippers 0" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^sitecheck\.internetseer\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SiteSnagger" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^skygrid" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SmartDownload" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^sucker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SuperBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SuperHTTP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Surfbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^tAkeOut" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Teleport Pro" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Toata dragostea mea pentru diavola" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^turnit" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^vikspider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^VoidEYE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Web Image Collector" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebAuto" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebBandit" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebCopier" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebFetch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebGo IS" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebLeacher" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebReaper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebSauger" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Website eXtractor" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Website Quester" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebStripper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebWhacker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebZIP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Widow" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WPScan" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WWW\-Mechanize" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WWWOFFLE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Xaldon WebSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Zeus" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^zmeu" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "360Spider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "CazoodleBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "discobot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "EasouSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ecxi" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "GT\:\:WWW" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "heritrix" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "HTTP\:\:Lite" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "HTTrack" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ia_archiver" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "id\-search" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "IDBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Indy Library" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "IRLbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ISC Systems iRc Search 2\.1" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "LinksCrawler" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "LinksManager\.com_bot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "linkwalker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "lwp\-trivial" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "MFC_Tear_Sample" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Microsoft URL Control" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Missigua Locator" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "MJ12bot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "panscient\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "PECL\:\:HTTP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "PHPCrawl" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "PleaseCrawl" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "SBIder" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "SearchmetricsBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Snoopy" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Steeler" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "URI\:\:Fetch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "urllib" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Web Sucker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "webalta" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "WebCollage" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Wells Search II" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "WEP Search" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "XoviBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "YisouSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "zermelo" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ZyBorg" [NC,OR]
    # End Abuse Agent Blocking
    # Start Abuse HTTP Referrer Blocking
    RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?semalt\.com" [NC,OR]
    RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?kambasoft\.com" [NC,OR]
    RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?savetubevideo\.com" [NC]
    # End Abuse HTTP Referrer Blocking
    RewriteRule ^.* - [F,L]
    # End HackRepair.com Blacklist, http://pastebin.com/u/hackrepair

    # Desactivar XML-RPC - Seguridad > Ajustes > Ajustes WordPress > XML-RPC
    <files xmlrpc.php>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>

    # Proteger los archivos de sistema - Seguridad > Ajustes > Sistema de ajustes > Archivos de sistema
    <files .htaccess>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>
    <files wp-config.php>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>

    # Desactivar navegación por directorio - Seguridad > Ajustes > Sistema de ajustes > Navegación por directorio
    Options -Indexes

    <IfModule mod_rewrite.c>
        RewriteEngine On

        # Proteger los archivos de sistema - Seguridad > Ajustes > Sistema de ajustes > Archivos de sistema
        RewriteRule ^wp-admin/install\.php$ - [F]
        RewriteRule ^wp-admin/includes/ - [F]
        RewriteRule !^wp-includes/ - [S=3]
        RewriteRule ^wp-includes/[^/]+\.php$ - [F]
        RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
        RewriteRule ^wp-includes/theme-compat/ - [F]
        RewriteCond %{REQUEST_FILENAME} -f
        RewriteRule (^|.*/)\.(git|svn)/.* - [F]

        # Desactivar PHP en Uploads - Seguridad > Ajustes > Ajustes del sistema > PHP en Uploads
        RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

        # Desactivar PHP en los Plugins - Seguridad > Ajustes > Mejoras del sistema > PHP en Plugins
        RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

        # Desactivar PHP en Temas - Seguridad > Ajustes > Mejoras del sistema > PHP en Temas
        RewriteRule ^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

        # Filtrar cadenas de consulta sospechosas en la URL - Seguridad > Ajustes > Ajustes del sistema > Cadenas de consulta sospechosas
        RewriteCond %{QUERY_STRING} \.\.\/ [OR]
        RewriteCond %{QUERY_STRING} \.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
        RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
        RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
        RewriteCond %{QUERY_STRING} ftp: [NC,OR]
        RewriteCond %{QUERY_STRING} https?: [NC,OR]
        RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
        RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
        RewriteCond %{QUERY_STRING} base64_decode\( [NC,OR]
        RewriteCond %{QUERY_STRING} %24&x [NC,OR]
        RewriteCond %{QUERY_STRING} 127\.0 [NC,OR]
        RewriteCond %{QUERY_STRING} (^|\W)(globals|encode|localhost|loopback)($|\W) [NC,OR]
        RewriteCond %{QUERY_STRING} (^|\W)(concat|insert|union|declare)($|\W) [NC,OR]
        RewriteCond %{QUERY_STRING} %[01][0-9A-F] [NC]
        RewriteCond %{QUERY_STRING} !^loggedout=true
        RewriteCond %{QUERY_STRING} !^action=jetpack-sso
        RewriteCond %{QUERY_STRING} !^action=rp
        RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
        RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com
        RewriteRule ^.* - [F]

    </IfModule>
# END iThemes Security - No modifiques ni borres esta línea
Sorry, it's in spanish my native locale.
Feel free to use it all or pick segments of interest. The most important parts are: blockage of XMLRPC and remote PHP execution of files within plugins/themes/uploads.

Hope this help others to stop this and other virii.
Fixes and improvements are more than welcomed.

Good luck people.
Click to expand...
Hola Kent,

Me podrías ayudar con unas dudas?
 
Kent Brockman

Kent Brockman

Well-Known Member
PartnerNOC
Jan 20, 2008
1,335
75
178
Buenos Aires, Argentina
cPanel Access Level
Root Administrator
lumorux said:
Hola Kent,

Me podrías ayudar con unas dudas?
Click to expand...
Yes! Send me a private message, or even better, publish your questions here, in english, so that others can benefit from the answer.
(Sí! Enviame un mensaje privado, o incluso mejor, publicá la consulta aquí, en inglés, así a otros también les puede servir la respuesta.)
 
L

lumorux

Registered
Oct 23, 2020
2
0
1
Costa Rica
cPanel Access Level
Website Owner
Kent Brockman said:
Yes! Send me a private message, or even better, publish your questions here, in english, so that others can benefit from the answer.
(Sí! Enviame un mensaje privado, o incluso mejor, publicá la consulta aquí, en inglés, así a otros también les puede servir la respuesta.)
Click to expand...
Soy nuevo acá, cómo te envío un mensaje privado?
 
sahostking

sahostking

Well-Known Member
May 15, 2012
403
29
78
Cape Town, South Africa
cPanel Access Level
Root Administrator
Twitter
Kent Brockman said:
I guess we all here are tired of this AnonymousFox thing. Well, I want to share what's working for us. Implement it and this will be a shot in the knees for this virus.

1) Disable password reset.
2) On WHM list your accounts sorted by contact email, and try to determine if non-sensical addresses are present. Double check and fix what you consider wrong, as they may be already modified.
3) On Apache Configuration, enable Apache Symlink Protection (beware: you need FollowSymlinks and SymLinksIfOwnerMatch active first).
4) On Apache Configuration > Include Editor > Post VirtualHost Include > All Versions, add the below sequence, which are the iThemes htaccess filters, which will stop the most common forms of virus and backdoors with a shot in their feet.
5) Run Imunify AV, even the free version is enough, in all of your accounts, with RapidScan and Binary (ELF) malware detection both enabled, and delete/clean infected files.

These are the htaccess filters mentioned in step 4:

Apache config: 
# BEGIN iThemes Security - No modifiques ni borres esta línea
# iThemes Security Config Details: 2
    # Pasar a través de la cabecera de autorización.
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTP:Authorization} ^(.*)
        RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
    </IfModule>

    # Activar la característica de lista de bloqueo de HackRepair.com - Seguridad > Ajustes > Usuarios prohibidos > Lista de bloqueo por defecto
    # Start HackRepair.com Blacklist
    RewriteEngine on
    # Start Custom Agent Blocking
    RewriteCond %{HTTP_USER_AGENT} "^SemrushBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^AhrefsBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^bingbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^PetalBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^DotBot" [NC,OR]
    # End Custom Agent Blocking
    # Start Abuse Agent Blocking
    RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*Indy" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*NEWT" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Maxthon$" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SeaMonkey$" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Acunetix" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^binlar" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^BlackWidow" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Bolt 0" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^BOT for JCE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Bot mailto\:[email protected]\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^casper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^checkprivacy" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^ChinaClaw" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^clshttp" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^cmsworldmap" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Custo" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Default Browser 0" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^diavol" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^DIIbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^DISCo" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^dotbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Download Demon" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^eCatch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EirGrabber" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EmailCollector" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EmailSiphon" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EmailWolf" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Express WebPictures" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^extract" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^ExtractorPro" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EyeNetIE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^feedfinder" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^FHscan" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^FlashGet" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^flicky" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^g00g1e" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^GetRight" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^GetWeb\!" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Go\!Zilla" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Go\-Ahead\-Got\-It" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^grab" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^GrabNet" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Grafula" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^harvest" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^HMView" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Image Stripper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Image Sucker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^InterGET" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Internet Ninja" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^InternetSeer\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^jakarta" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Java" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^JetCar" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^JOC Web Spider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^kanagawa" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^kmccrew" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^larbin" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^LeechFTP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^libwww" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Mass Downloader" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^microsoft\.url" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^MIDown tool" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^miner" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Mister PiX" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^MSFrontPage" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Navroad" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NearSite" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Net Vampire" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NetAnts" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NetSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NetZIP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^nutch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Octopus" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Offline Explorer" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Offline Navigator" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^PageGrabber" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Papa Foto" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^pavuk" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^pcBrowser" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^PeoplePal" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^planetwork" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^psbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^purebot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^pycurl" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^RealDownload" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^ReGet" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Rippers 0" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^sitecheck\.internetseer\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SiteSnagger" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^skygrid" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SmartDownload" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^sucker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SuperBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SuperHTTP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Surfbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^tAkeOut" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Teleport Pro" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Toata dragostea mea pentru diavola" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^turnit" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^vikspider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^VoidEYE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Web Image Collector" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebAuto" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebBandit" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebCopier" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebFetch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebGo IS" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebLeacher" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebReaper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebSauger" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Website eXtractor" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Website Quester" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebStripper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebWhacker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebZIP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Widow" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WPScan" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WWW\-Mechanize" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WWWOFFLE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Xaldon WebSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Zeus" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^zmeu" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "360Spider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "CazoodleBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "discobot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "EasouSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ecxi" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "GT\:\:WWW" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "heritrix" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "HTTP\:\:Lite" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "HTTrack" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ia_archiver" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "id\-search" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "IDBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Indy Library" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "IRLbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ISC Systems iRc Search 2\.1" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "LinksCrawler" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "LinksManager\.com_bot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "linkwalker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "lwp\-trivial" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "MFC_Tear_Sample" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Microsoft URL Control" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Missigua Locator" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "MJ12bot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "panscient\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "PECL\:\:HTTP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "PHPCrawl" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "PleaseCrawl" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "SBIder" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "SearchmetricsBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Snoopy" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Steeler" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "URI\:\:Fetch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "urllib" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Web Sucker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "webalta" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "WebCollage" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Wells Search II" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "WEP Search" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "XoviBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "YisouSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "zermelo" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ZyBorg" [NC,OR]
    # End Abuse Agent Blocking
    # Start Abuse HTTP Referrer Blocking
    RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?semalt\.com" [NC,OR]
    RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?kambasoft\.com" [NC,OR]
    RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?savetubevideo\.com" [NC]
    # End Abuse HTTP Referrer Blocking
    RewriteRule ^.* - [F,L]
    # End HackRepair.com Blacklist, http://pastebin.com/u/hackrepair

    # Desactivar XML-RPC - Seguridad > Ajustes > Ajustes WordPress > XML-RPC
    <files xmlrpc.php>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>

    # Proteger los archivos de sistema - Seguridad > Ajustes > Sistema de ajustes > Archivos de sistema
    <files .htaccess>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>
    <files wp-config.php>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>

    # Desactivar navegación por directorio - Seguridad > Ajustes > Sistema de ajustes > Navegación por directorio
    Options -Indexes

    <IfModule mod_rewrite.c>
        RewriteEngine On

        # Proteger los archivos de sistema - Seguridad > Ajustes > Sistema de ajustes > Archivos de sistema
        RewriteRule ^wp-admin/install\.php$ - [F]
        RewriteRule ^wp-admin/includes/ - [F]
        RewriteRule !^wp-includes/ - [S=3]
        RewriteRule ^wp-includes/[^/]+\.php$ - [F]
        RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
        RewriteRule ^wp-includes/theme-compat/ - [F]
        RewriteCond %{REQUEST_FILENAME} -f
        RewriteRule (^|.*/)\.(git|svn)/.* - [F]

        # Desactivar PHP en Uploads - Seguridad > Ajustes > Ajustes del sistema > PHP en Uploads
        RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

        # Desactivar PHP en los Plugins - Seguridad > Ajustes > Mejoras del sistema > PHP en Plugins
        RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

        # Desactivar PHP en Temas - Seguridad > Ajustes > Mejoras del sistema > PHP en Temas
        RewriteRule ^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

        # Filtrar cadenas de consulta sospechosas en la URL - Seguridad > Ajustes > Ajustes del sistema > Cadenas de consulta sospechosas
        RewriteCond %{QUERY_STRING} \.\.\/ [OR]
        RewriteCond %{QUERY_STRING} \.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
        RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
        RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
        RewriteCond %{QUERY_STRING} ftp: [NC,OR]
        RewriteCond %{QUERY_STRING} https?: [NC,OR]
        RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
        RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
        RewriteCond %{QUERY_STRING} base64_decode\( [NC,OR]
        RewriteCond %{QUERY_STRING} %24&x [NC,OR]
        RewriteCond %{QUERY_STRING} 127\.0 [NC,OR]
        RewriteCond %{QUERY_STRING} (^|\W)(globals|encode|localhost|loopback)($|\W) [NC,OR]
        RewriteCond %{QUERY_STRING} (^|\W)(concat|insert|union|declare)($|\W) [NC,OR]
        RewriteCond %{QUERY_STRING} %[01][0-9A-F] [NC]
        RewriteCond %{QUERY_STRING} !^loggedout=true
        RewriteCond %{QUERY_STRING} !^action=jetpack-sso
        RewriteCond %{QUERY_STRING} !^action=rp
        RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
        RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com
        RewriteRule ^.* - [F]

    </IfModule>
# END iThemes Security - No modifiques ni borres esta línea
Sorry, it's in spanish my native locale.
Feel free to use it all or pick segments of interest. The most important parts are: blockage of XMLRPC and remote PHP execution of files within plugins/themes/uploads.

Hope this help others to stop this and other virii.
Fixes and improvements are more than welcomed.

Good luck people.
Click to expand...
I think this is awesome however I have some concerns.

On shared hosting please note blocking below may cause issues due to customers using these SEO tools for seo optimization

RewriteCond %{HTTP_USER_AGENT} "^SemrushBot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^AhrefsBot" [NC,OR]

Blocking PetalBot is an awesome addition as it causes high load now adays.

So edit or change what is required. I will be testing this with one client for now and see if the customer is happy. Thanks for the contribution.
 
  • Like
Reactions: Kent Brockman
Kent Brockman

Kent Brockman

Well-Known Member
PartnerNOC
Jan 20, 2008
1,335
75
178
Buenos Aires, Argentina
cPanel Access Level
Root Administrator
Yes I know about concerns regarding Semrush and Ahrefs, but I particularly DON'T CARE. If some customer open a ticket because those service cannot scan their sites, I can move that cPanel to a server where those are specifically allowed.

And in the case a customer complain about xmlrpc.php being blocked, I recommend adding an override to their .htaccess so it is allowed again:

Apache config: 
# Allow XML-RPC back again
<files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</files>
# Allow XML-RPC back again
 
J

Juan Pablo salomon

Registered
Aug 12, 2021
1
1
1
Argentina
cPanel Access Level
Root Administrator
Kent Brockman said:
Yes I know about concerns regarding Semrush and Ahrefs, but I particularly DON'T CARE. If some customer open a ticket because those service cannot scan their sites, I can move that cPanel to a server where those are specifically allowed.

And in the case a customer complain about xmlrpc.php being blocked, I recommend adding an override to their .htaccess so it is allowed again:

Apache config: 
# Allow XML-RPC back again
<files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</files>
# Allow XML-RPC back again
Click to expand...
Hi Kent, How can I contact you privately? because I need to speak in Spanish with you
 
Kent Brockman

Kent Brockman

Well-Known Member
PartnerNOC
Jan 20, 2008
1,335
75
178
Buenos Aires, Argentina
cPanel Access Level
Root Administrator
Juan Pablo salomon said:
Hi Kent, How can I contact you privately? because I need to speak in Spanish with you
Click to expand...
Go through my profile details here and you will find my website and the contact information is there. Just follow the breadcrumbs ;-)
 
T

tecneca

Registered
Dec 19, 2013
1
0
50
cPanel Access Level
Root Administrator
I have the hack in one server wit cpanel

I have disabled password restore via email, but still creating new mail accounts with smtpfox-random

I see some php files into public_html folder, and .htaccess modified.

Also, I check in /tmp dir is creating some php files; actually I have a crontab every second with delete all files in /tmp , but its not the solution, obviously.

I check users crontab at /var/log/cron but I don't see nothing
 
Kent Brockman

Kent Brockman

Well-Known Member
PartnerNOC
Jan 20, 2008
1,335
75
178
Buenos Aires, Argentina
cPanel Access Level
Root Administrator
tecneca said:
I have the hack in one server wit cpanel

I have disabled password restore via email, but still creating new mail accounts with smtpfox-random
Click to expand...
Have you modified all the passwords? You should change cPanel/FTP passwords, also the contact email of compromised accounts.
WordPress sites are bots' targets of choice, so change admin users' passwords there too.
Also, fortify WP installs by blocking remote execution of PHP in uploads/plugins/themes folders.
 
  • Like
Reactions: cPRex
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
D Breached cPanel - multiple logged logins even with 2FA enabled Security 2
Spirogg In Progress CPANEL-40842 - Successful root login service : cron ?? Security 21
mariusfv WHM & cPanel treat all logins as invalid Security 2
M How to Block CPanel Login Subdomain Security 4
D Server Intrusion: The login shell has changed from '/usr/local/cpanel/bin/jailshell' to '/bin/bash' Security 13
Similar threads
Breached cPanel - multiple logged logins even with 2FA enabled
In Progress CPANEL-40842 - Successful root login service : cron ??
WHM & cPanel treat all logins as invalid
How to Block CPanel Login Subdomain
Server Intrusion: The login shell has changed from '/usr/local/cpanel/bin/jailshell' to '/bin/bash'
Top Bottom