SOLVED cPanel login after AnonymousFox hack

andrew_web (Registered Oct 17, 2021, UK, cPanel Access Level: Root Administrator)
I have the hack on one server with cPanel.

I have disabled password restore via email, but it is still creating new mail accounts with smtpfox-random.

I see some PHP files in the public_html folder, and .htaccess modified.

Also, I checked the /tmp dir and it is creating some PHP files there; actually I have a crontab every second that deletes all files in /tmp, but it's not the solution, obviously.

I checked the users' crontabs at /var/log/cron but I don't see anything.
I've had this problem with the anonymous fox hack over the past few months.

I couldn't see how they kept hacking the server but it seems to be a few different ways.

Some activity I saw was brute forcing Wordpress logins. There were some successful logins and they installed malicious PHP files into the Wordpress content folders. When these PHP files were run, they did a lot of damage. It may have been multiple hackers.

They modified htaccess files, created symlinks to the server root and that allowed listing all accounts on the server and they hacked every Wordpress site on the server.
Maybe I misconfigured something but I was really surprised someone was able to put a symlink mirroring my entire server into the public folder. I'd like to be able to disable symlinks and can't see how.
They set up phishing websites for Microsoft logins, and I got a warning from Microsoft and had my server blacklisted. They tried to send tens of thousands of spam emails. They posted spam content onto Wordpress blogs.
They set up a wildcard domain so that multiple addresses pointed to the same hacked sites.
They managed to get a CPanel login and were using this to add SMTP accounts (smtpfox accounts).

It got to the point where I was considering blocking entire countries, as the hacks were coming from Russia, China, Ukraine, the Philippines, etc., but they have even been using AWS and Google Cloud compute servers in US and European countries. I reported some of the IPs.

After resetting every user's CPanel password and every Wordpress password, things settled down a little but I started noticing similar hacks with new PHP files. I found a compromised Wordpress site and renamed the entire directory. Something replaced parts of the directory with the hack again as soon as I moved it and similarly every time I deleted the index.php file.

Checking the user account's processes, it showed multiple php processes running. These were persistent processes that had been spawned by the hack and were designed to keep hacking the site. I had around 8 php processes running. As soon as I stopped those processes, the deleted files were no longer replaced. I assume they are putting the hack into index.php so that every website visitor would restart the persistent hacked php process. This makes it very hard to find and remove when you don't know this is happening, because you keep looking for external hacks while they keep hacking from the inside, and there are no logs for it.

My server seems to be fixed now but it has taken months to clean everything up.

The easiest way to tell if you've been hacked is to check the modification dates of the files in Wordpress folders and look for suspicious php files and changed htaccess files.
Check the access logs for Apache and the domlogs for user accounts that have been hacked.
Check the CPanel logs for successful logins from unrecognized IPs.
Use iptables or another firewall to blacklist IPs that show up frequently in the logs with lots of 404 errors; they are trying to hack the server.

If a hack has taken place, reset all CPanel and Wordpress account logins and remove any anonymousfox users that have been added (check Wordpress accounts in the site databases).
Check every account for new smtp accounts and delete the smtp accounts.
Check every Wordpress folder for modified files and remove the suspicious files.
Check every user's running processes (ps -u username) to get the process ID numbers. Then inspect each process ID using ps -l pid, which will show the path of the php file it was spawned from.

What a nightmare to clean up.

What would be useful is if CPanel or Unix had a mechanism to easily lock down vulnerable filesystem folders or send out a warning when someone writes new files to a particular folder. I've been thinking about making a custom monitoring tool to check log files and the filesystem for suspicious changes. I installed OSSEC, which gives me warnings about some brute force logins, but it doesn't cover Wordpress hacks, CPanel logins or file modifications out of the box.

Things I'd like to monitor are:
- what files changes were made to public_html folders per account
- what email addresses have been added
- what subdomains have been added
- lists of failed CPanel logins and Apache 404 errors, and which IPs are doing this, with a country identifier

Then have the ability to easily and quickly blacklist IPs. Currently I'm pasting them manually into iptables.

CPanel could have a monitoring service, if there isn't one already, that reports hacks across multiple servers and feeds them into a central IP blacklist database. Each CPanel instance could retrieve the daily list of malicious IPs and block them, if they choose to, before they get a chance to try hacking them.
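The checks this post lists (new or modified PHP files and .htaccess edits under public_html, symlinks that escape the account, IPs piling up 404s in the access log) can be scripted; the Python below is an added example, not code from the post or from cPanel, and the account layout and log lines it uses are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter

# File types the thread worries about when they appear or change under public_html.
SUSPICIOUS_EXT = {".php", ".php5", ".php7", ".pht", ".phtml", ".phar"}
# Apache combined log format: client ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')

def snapshot(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are audited separately by escaping_symlinks()
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return result

def diff_snapshots(old, new):
    """Return (added, modified, removed) relative paths between a baseline and a rescan."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    modified = sorted(p for p in new if p in old and old[p] != new[p])
    return added, modified, removed

def flag_changes(added, modified):
    """Keep only the changes worth an alert: new or edited PHP-type files and .htaccess."""
    flagged = set()
    for p in added + modified:
        base = os.path.basename(p)
        if base == ".htaccess" or os.path.splitext(base)[1].lower() in SUSPICIOUS_EXT:
            flagged.add(p)
    return sorted(flagged)

def escaping_symlinks(root):
    """Symlinks under root that resolve outside it (the 'mirror the whole server' trick)."""
    root_real = os.path.realpath(root)
    found = []
    for dirpath, dirs, files in os.walk(root):  # followlinks=False: never descends into them
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                if os.path.commonpath([root_real, os.path.realpath(full)]) != root_real:
                    found.append(os.path.relpath(full, root))
    return sorted(found)

def count_404s(lines, threshold=20):
    """Return {ip: n} for client IPs with at least `threshold` 404 responses."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("status") == "404":
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed access-log lines (not real traffic): one client probing paths that do
# not exist, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Oct/2021:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Oct/2021:10:00:02 +0000] "GET /old/wp-login.php HTTP/1.1" 404 300 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Oct/2021:10:00:03 +0000] "GET /blog/wp-login.php HTTP/1.1" 404 300 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Oct/2021:10:00:04 +0000] "GET /wp/wp-login.php HTTP/1.1" 404 300 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [17/Oct/2021:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [17/Oct/2021:10:00:06 +0000] "GET /favicon.ico HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
]

def demo():
    """Build a throwaway account, simulate the changes described in the thread, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        pub = os.path.join(tmp, "home", "acct", "public_html")
        os.makedirs(os.path.join(pub, "wp-content", "uploads"))
        with open(os.path.join(pub, "index.php"), "w") as fh:
            fh.write("<?php echo 'clean'; ?>\n")
        with open(os.path.join(pub, ".htaccess"), "w") as fh:
            fh.write("RewriteEngine On\n")
        baseline = snapshot(pub)
        # Simulated compromise: index.php edited, a new PHP file under uploads,
        # .htaccess rewritten, and a symlink to the filesystem root planted.
        with open(os.path.join(pub, "index.php"), "a") as fh:
            fh.write("// changed\n")
        with open(os.path.join(pub, "wp-content", "uploads", "x.php"), "w") as fh:
            fh.write("<?php // placeholder, not a real dropper ?>\n")
        with open(os.path.join(pub, ".htaccess"), "w") as fh:
            fh.write("RewriteEngine On\nOptions +FollowSymLinks\n")
        os.symlink("/", os.path.join(pub, "root"))
        added, modified, _removed = diff_snapshots(baseline, snapshot(pub))
        return {
            "flagged": flag_changes(added, modified),
            "symlinks": escaping_symlinks(pub),
            "noisy_ips": count_404s(SAMPLE_LOG, threshold=3),
        }
```

In production the baseline would be stored per account and the rescan run from cron, with the flagged paths and noisy IPs fed to whatever alerting or firewall you use.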

rcarabelli (Registered Oct 26, 2021, Peru, cPanel Access Level: Root Administrator)
I guess we all here are tired of this AnonymousFox thing. Well, I want to share what's working for us. Implement it and this will be a shot in the knees for this virus.

1) Disable password reset.
2) On WHM list your accounts sorted by contact email, and try to determine if nonsensical addresses are present. Double check and fix what you consider wrong, as they may already be modified.
3) On Apache Configuration, enable Apache Symlink Protection (beware: you need FollowSymlinks and SymLinksIfOwnerMatch active first).
4) On Apache Configuration > Include Editor > Post VirtualHost Include > All Versions, add the sequence below, which is the iThemes htaccess filter set; it will stop the most common forms of viruses and backdoors with a shot in their feet.
5) Run Imunify AV (even the free version is enough) on all of your accounts, with RapidScan and Binary (ELF) malware detection both enabled, and delete/clean infected files.

These are the htaccess filters mentioned in step 4:

Apache config:
# BEGIN iThemes Security - Do not modify or delete this line
# iThemes Security Config Details: 2
    # Pass through the Authorization header.
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTP:Authorization} ^(.*)
        RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
    </IfModule>

    # Enable the HackRepair.com blocklist feature - Security > Settings > Banned Users > Default Blocklist
    # Start HackRepair.com Blacklist
    RewriteEngine on
    # Start Custom Agent Blocking
    RewriteCond %{HTTP_USER_AGENT} "^SemrushBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^AhrefsBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^bingbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^PetalBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^DotBot" [NC,OR]
    # End Custom Agent Blocking
    # Start Abuse Agent Blocking
    RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*Indy" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*NEWT" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Maxthon$" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SeaMonkey$" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Acunetix" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^binlar" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^BlackWidow" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Bolt 0" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^BOT for JCE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Bot mailto\:craftbot@yahoo\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^casper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^checkprivacy" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^ChinaClaw" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^clshttp" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^cmsworldmap" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Custo" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Default Browser 0" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^diavol" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^DIIbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^DISCo" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^dotbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Download Demon" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^eCatch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EirGrabber" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EmailCollector" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EmailSiphon" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EmailWolf" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Express WebPictures" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^extract" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^ExtractorPro" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EyeNetIE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^feedfinder" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^FHscan" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^FlashGet" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^flicky" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^g00g1e" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^GetRight" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^GetWeb\!" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Go\!Zilla" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Go\-Ahead\-Got\-It" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^grab" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^GrabNet" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Grafula" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^harvest" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^HMView" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Image Stripper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Image Sucker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^InterGET" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Internet Ninja" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^InternetSeer\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^jakarta" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Java" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^JetCar" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^JOC Web Spider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^kanagawa" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^kmccrew" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^larbin" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^LeechFTP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^libwww" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Mass Downloader" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^microsoft\.url" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^MIDown tool" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^miner" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Mister PiX" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^MSFrontPage" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Navroad" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NearSite" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Net Vampire" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NetAnts" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NetSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NetZIP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^nutch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Octopus" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Offline Explorer" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Offline Navigator" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^PageGrabber" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Papa Foto" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^pavuk" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^pcBrowser" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^PeoplePal" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^planetwork" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^psbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^purebot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^pycurl" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^RealDownload" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^ReGet" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Rippers 0" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^sitecheck\.internetseer\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SiteSnagger" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^skygrid" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SmartDownload" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^sucker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SuperBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SuperHTTP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Surfbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^tAkeOut" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Teleport Pro" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Toata dragostea mea pentru diavola" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^turnit" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^vikspider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^VoidEYE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Web Image Collector" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebAuto" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebBandit" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebCopier" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebFetch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebGo IS" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebLeacher" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebReaper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebSauger" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Website eXtractor" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Website Quester" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebStripper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebWhacker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebZIP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Widow" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WPScan" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WWW\-Mechanize" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WWWOFFLE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Xaldon WebSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Zeus" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^zmeu" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "360Spider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "CazoodleBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "discobot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "EasouSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ecxi" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "GT\:\:WWW" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "heritrix" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "HTTP\:\:Lite" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "HTTrack" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ia_archiver" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "id\-search" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "IDBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Indy Library" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "IRLbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ISC Systems iRc Search 2\.1" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "LinksCrawler" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "LinksManager\.com_bot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "linkwalker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "lwp\-trivial" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "MFC_Tear_Sample" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Microsoft URL Control" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Missigua Locator" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "MJ12bot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "panscient\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "PECL\:\:HTTP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "PHPCrawl" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "PleaseCrawl" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "SBIder" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "SearchmetricsBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Snoopy" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Steeler" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "URI\:\:Fetch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "urllib" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Web Sucker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "webalta" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "WebCollage" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Wells Search II" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "WEP Search" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "XoviBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "YisouSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "zermelo" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ZyBorg" [NC,OR]
    # End Abuse Agent Blocking
    # Start Abuse HTTP Referrer Blocking
    RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?semalt\.com" [NC,OR]
    RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?kambasoft\.com" [NC,OR]
    RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?savetubevideo\.com" [NC]
    # End Abuse HTTP Referrer Blocking
    RewriteRule ^.* - [F,L]
    # End HackRepair.com Blacklist, http://pastebin.com/u/hackrepair

    # Disable XML-RPC - Security > Settings > WordPress Tweaks > XML-RPC
    <files xmlrpc.php>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>

    # Protect system files - Security > Settings > System Tweaks > System Files
    <files .htaccess>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>
    <files wp-config.php>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>

    # Disable directory browsing - Security > Settings > System Tweaks > Directory Browsing
    Options -Indexes

    <IfModule mod_rewrite.c>
        RewriteEngine On

        # Protect system files - Security > Settings > System Tweaks > System Files
        RewriteRule ^wp-admin/install\.php$ - [F]
        RewriteRule ^wp-admin/includes/ - [F]
        RewriteRule !^wp-includes/ - [S=3]
        RewriteRule ^wp-includes/[^/]+\.php$ - [F]
        RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
        RewriteRule ^wp-includes/theme-compat/ - [F]
        RewriteCond %{REQUEST_FILENAME} -f
        RewriteRule (^|.*/)\.(git|svn)/.* - [F]

        # Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads
        RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

        # Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins
        RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

        # Disable PHP in Themes - Security > Settings > System Tweaks > PHP in Themes
        RewriteRule ^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

        # Filter suspicious query strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings
        RewriteCond %{QUERY_STRING} \.\.\/ [OR]
        RewriteCond %{QUERY_STRING} \.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
        RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
        RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
        RewriteCond %{QUERY_STRING} ftp: [NC,OR]
        RewriteCond %{QUERY_STRING} https?: [NC,OR]
        RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
        RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
        RewriteCond %{QUERY_STRING} base64_decode\( [NC,OR]
        RewriteCond %{QUERY_STRING} %24&x [NC,OR]
        RewriteCond %{QUERY_STRING} 127\.0 [NC,OR]
        RewriteCond %{QUERY_STRING} (^|\W)(globals|encode|localhost|loopback)($|\W) [NC,OR]
        RewriteCond %{QUERY_STRING} (^|\W)(concat|insert|union|declare)($|\W) [NC,OR]
        RewriteCond %{QUERY_STRING} %[01][0-9A-F] [NC]
        RewriteCond %{QUERY_STRING} !^loggedout=true
        RewriteCond %{QUERY_STRING} !^action=jetpack-sso
        RewriteCond %{QUERY_STRING} !^action=rp
        RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
        RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com
        RewriteRule ^.* - [F]

    </IfModule>
# END iThemes Security - Do not modify or delete this line
Sorry, it's in Spanish, my native locale.
Feel free to use it all or pick segments of interest. The most important parts are: blocking XML-RPC and blocking remote PHP execution of files within plugins/themes/uploads.

Hope this helps others to stop this and other viruses.
Fixes and improvements are more than welcome.

Good luck people.

Hello Ken, since I included this on my server, Jetpack accounts are not working correctly. I've checked what you've done and supposedly it should work. Do you know why? I need to use wordpress.com logins.

Thanks!
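To see what the quoted include does to a given request, here is an added Python harness (not code from the post or from iThemes) that re-implements its hard-deny rules and the suspicious-query-string chain with Python's re, which agrees with Apache's PCRE for these patterns; the requests in CASES are constructed. Two things it makes visible: the action=jetpack-sso exemption only applies when that parameter starts the query string, and the ^wp-content/... patterns assume per-directory (.htaccess) context, where the leading slash is stripped, whereas in server or VirtualHost context mod_rewrite matches the full URL-path with its slash.

```python
import re
from urllib.parse import urlsplit

NC = re.IGNORECASE  # Apache's [NC] flag

# Hard-deny RewriteRules from the include, in per-directory form (no leading slash).
# The [S=3] skip and the REQUEST_FILENAME -f test around the .git/.svn rule are omitted.
PATH_DENY = [
    re.compile(r"^wp-admin/install\.php$"),
    re.compile(r"^wp-admin/includes/"),
    re.compile(r"^wp-includes/[^/]+\.php$"),
    re.compile(r"^wp-includes/js/tinymce/langs/.+\.php"),
    re.compile(r"^wp-includes/theme-compat/"),
    re.compile(r"^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$", NC),
    re.compile(r"^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$", NC),
    re.compile(r"^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$", NC),
]
# <files ...> sections: matched on the basename wherever the file sits.
FILE_DENY = {"xmlrpc.php", ".htaccess", "wp-config.php"}

# Suspicious query strings: the [OR] chain, any single hit is enough ...
QUERY_DENY = [re.compile(p, NC) for p in (
    r"\.\./", r"\.(bash|git|hg|log|svn|swp|cvs)", r"etc/passwd", r"boot\.ini",
    r"ftp:", r"https?:", r"(<|%3C)script(>|%3E)", r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)",
    r"base64_decode\(", r"%24&x", r"127\.0",
    r"(^|\W)(globals|encode|localhost|loopback)($|\W)",
    r"(^|\W)(concat|insert|union|declare)($|\W)", r"%[01][0-9A-F]",
)]
# ... unless one of the negated conditions that follow it matches (case-sensitive, no [NC]).
QUERY_EXEMPT = [re.compile(p) for p in (r"^loggedout=true", r"^action=jetpack-sso", r"^action=rp")]


def blocked_path(path):
    """True if a per-directory path (leading slash already stripped) hits a deny rule."""
    if path.rsplit("/", 1)[-1] in FILE_DENY:
        return True
    return any(r.search(path) for r in PATH_DENY)


def blocked_query(query, cookie="", referer=""):
    """True if the query string trips the filter and no exemption condition saves it."""
    if not any(r.search(query) for r in QUERY_DENY):
        return False
    if any(r.search(query) for r in QUERY_EXEMPT):
        return False
    if "wordpress_logged_in_" in cookie or referer.startswith("http://maps.googleapis.com"):
        return False
    return True


def evaluate(url, cookie="", referer=""):
    """Would the include answer 403 to this request, as seen from an .htaccess in the site root?"""
    parts = urlsplit(url)
    path = parts.path.lstrip("/")  # per-directory context strips the directory prefix
    return blocked_path(path) or blocked_query(parts.query, cookie, referer)


# Constructed requests (not from the thread's logs); names describe the expectation.
CASES = {
    "upload_php": "/wp-content/uploads/2021/10/x.php",
    "upload_phtml_dot": "/wp-content/uploads/x.phtml.",  # trailing dot is still caught
    "upload_image": "/wp-content/uploads/2021/10/photo.jpg",
    "xmlrpc": "/xmlrpc.php",
    "wp_config": "/wp-config.php",
    "traversal": "/index.php?file=../../etc/passwd",
    "sso_first": "/wp-login.php?action=jetpack-sso&redirect_to=https://example.com/wp-admin/",
    "sso_not_first": "/wp-login.php?redirect_to=https://example.com/wp-admin/&action=jetpack-sso",
    "search_union": "/?s=union",
    "search_reunion": "/?s=reunion",
}


def demo():
    """Map each constructed case to whether the include would block it."""
    return {name: evaluate(url) for name, url in CASES.items()}
```

Any request that the harness blocks but that your site legitimately makes (a login redirect carrying an unencoded https://, for instance) is a candidate for why a feature stopped working after the include went in.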
 

weaperu (Registered Dec 3, 2021, Perú, cPanel Access Level: Root Administrator)
I guess we all here are tired of this AnonymousFox thing. Well, I want to share what's working for us. Implement it and this will be a shot in the knees for this virus.

1) Disable password reset.
2) On WHM list your accounts sorted by contact email, and try to determine if non-sensical addresses are present. Double check and fix what you consider wrong, as they may be already modified.
3) On Apache Configuration, enable Apache Symlink Protection (beware: you need FollowSymlinks and SymLinksIfOwnerMatch active first).
4) On Apache Configuration > Include Editor > Post VirtualHost Include > All Versions, add the below sequence, which are the iThemes htaccess filters, which will stop the most common forms of virus and backdoors with a shot in their feet.
5) Run Imunify AV, even the free version is enough, in all of your accounts, with RapidScan and Binary (ELF) malware detection both enabled, and delete/clean infected files.

These are the htaccess filters mentioned in step 4:

Apache config:
# BEGIN iThemes Security - No modifiques ni borres esta línea
# iThemes Security Config Details: 2
    # Pasar a través de la cabecera de autorización.
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTP:Authorization} ^(.*)
        RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
    </IfModule>

    # Activar la característica de lista de bloqueo de HackRepair.com - Seguridad > Ajustes > Usuarios prohibidos > Lista de bloqueo por defecto
    # Start HackRepair.com Blacklist
    RewriteEngine on
    # Start Custom Agent Blocking
    RewriteCond %{HTTP_USER_AGENT} "^SemrushBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^AhrefsBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^bingbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^PetalBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^DotBot" [NC,OR]
    # End Custom Agent Blocking
    # Start Abuse Agent Blocking
    RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*Indy" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*NEWT" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Maxthon$" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SeaMonkey$" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Acunetix" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^binlar" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^BlackWidow" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Bolt 0" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^BOT for JCE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Bot mailto\:craftbot@yahoo\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^casper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^checkprivacy" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^ChinaClaw" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^clshttp" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^cmsworldmap" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Custo" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Default Browser 0" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^diavol" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^DIIbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^DISCo" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^dotbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Download Demon" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^eCatch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EirGrabber" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EmailCollector" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EmailSiphon" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EmailWolf" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Express WebPictures" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^extract" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^ExtractorPro" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^EyeNetIE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^feedfinder" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^FHscan" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^FlashGet" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^flicky" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^g00g1e" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^GetRight" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^GetWeb\!" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Go\!Zilla" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Go\-Ahead\-Got\-It" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^grab" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^GrabNet" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Grafula" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^harvest" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^HMView" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Image Stripper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Image Sucker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^InterGET" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Internet Ninja" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^InternetSeer\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^jakarta" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Java" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^JetCar" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^JOC Web Spider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^kanagawa" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^kmccrew" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^larbin" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^LeechFTP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^libwww" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Mass Downloader" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^microsoft\.url" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^MIDown tool" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^miner" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Mister PiX" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^MSFrontPage" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Navroad" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NearSite" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Net Vampire" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NetAnts" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NetSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^NetZIP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^nutch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Octopus" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Offline Explorer" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Offline Navigator" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^PageGrabber" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Papa Foto" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^pavuk" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^pcBrowser" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^PeoplePal" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^planetwork" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^psbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^purebot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^pycurl" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^RealDownload" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^ReGet" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Rippers 0" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^sitecheck\.internetseer\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SiteSnagger" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^skygrid" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SmartDownload" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^sucker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SuperBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^SuperHTTP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Surfbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^tAkeOut" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Teleport Pro" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Toata dragostea mea pentru diavola" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^turnit" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^vikspider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^VoidEYE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Web Image Collector" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebAuto" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebBandit" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebCopier" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebFetch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebGo IS" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebLeacher" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebReaper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebSauger" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Website eXtractor" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Website Quester" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebStripper" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebWhacker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WebZIP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Widow" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WPScan" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WWW\-Mechanize" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^WWWOFFLE" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Xaldon WebSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^Zeus" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "^zmeu" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "360Spider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "CazoodleBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "discobot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "EasouSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ecxi" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "GT\:\:WWW" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "heritrix" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "HTTP\:\:Lite" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "HTTrack" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ia_archiver" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "id\-search" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "IDBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Indy Library" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "IRLbot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ISC Systems iRc Search 2\.1" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "LinksCrawler" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "LinksManager\.com_bot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "linkwalker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "lwp\-trivial" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "MFC_Tear_Sample" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Microsoft URL Control" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Missigua Locator" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "MJ12bot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "panscient\.com" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "PECL\:\:HTTP" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "PHPCrawl" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "PleaseCrawl" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "SBIder" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "SearchmetricsBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Snoopy" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Steeler" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "URI\:\:Fetch" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "urllib" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Web Sucker" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "webalta" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "WebCollage" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Wells Search II" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "WEP Search" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "XoviBot" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "YisouSpider" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "zermelo" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "ZyBorg" [NC,OR]
    # End Abuse Agent Blocking
    # Start Abuse HTTP Referrer Blocking
    RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?semalt\.com" [NC,OR]
    RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?kambasoft\.com" [NC,OR]
    RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?savetubevideo\.com" [NC]
    # End Abuse HTTP Referrer Blocking
    RewriteRule ^.* - [F,L]
    # End HackRepair.com Blacklist, http://pastebin.com/u/hackrepair

    # Disable XML-RPC - Security > Settings > WordPress Tweaks > XML-RPC
    <files xmlrpc.php>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>

    # Protect System Files - Security > Settings > System Tweaks > System Files
    <files .htaccess>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>
    <files wp-config.php>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </files>

    # Disable Directory Browsing - Security > Settings > System Tweaks > Directory Browsing
    Options -Indexes

    <IfModule mod_rewrite.c>
        RewriteEngine On

        # Protect System Files - Security > Settings > System Tweaks > System Files
        RewriteRule ^wp-admin/install\.php$ - [F]
        RewriteRule ^wp-admin/includes/ - [F]
        RewriteRule !^wp-includes/ - [S=3]
        RewriteRule ^wp-includes/[^/]+\.php$ - [F]
        RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
        RewriteRule ^wp-includes/theme-compat/ - [F]
        RewriteCond %{REQUEST_FILENAME} -f
        RewriteRule (^|.*/)\.(git|svn)/.* - [F]

        # Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads
        RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

        # Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins
        RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

        # Disable PHP in Themes - Security > Settings > System Tweaks > PHP in Themes
        RewriteRule ^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

        # Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings
        RewriteCond %{QUERY_STRING} \.\.\/ [OR]
        RewriteCond %{QUERY_STRING} \.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
        RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
        RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
        RewriteCond %{QUERY_STRING} ftp: [NC,OR]
        RewriteCond %{QUERY_STRING} https?: [NC,OR]
        RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
        RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
        RewriteCond %{QUERY_STRING} base64_decode\( [NC,OR]
        RewriteCond %{QUERY_STRING} %24&x [NC,OR]
        RewriteCond %{QUERY_STRING} 127\.0 [NC,OR]
        RewriteCond %{QUERY_STRING} (^|\W)(globals|encode|localhost|loopback)($|\W) [NC,OR]
        RewriteCond %{QUERY_STRING} (^|\W)(concat|insert|union|declare)($|\W) [NC,OR]
        RewriteCond %{QUERY_STRING} %[01][0-9A-F] [NC]
        RewriteCond %{QUERY_STRING} !^loggedout=true
        RewriteCond %{QUERY_STRING} !^action=jetpack-sso
        RewriteCond %{QUERY_STRING} !^action=rp
        RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
        RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com
        RewriteRule ^.* - [F]

    </IfModule>
# END iThemes Security - Do not modify or remove this line
Sorry, it's in Spanish, my native locale.
Feel free to use it all or pick segments of interest. The most important parts are: blockage of XML-RPC and remote PHP execution of files within plugins/themes/uploads.

Hope this helps others to stop this and other viruses.
Fixes and improvements are more than welcome.

Good luck, people.
Hi Kent, I'm William from Perú.

These Apache rules are for PHP 7; with the new version, PHP 8, I think they do not work. I have had AnonymousFox attacks in the last months. I add some points that helped:

1. Apply Kent Brockman's rules to Apache
2. Disable the SSH Password Authorization Tweak
3. I changed the SSH port
4. I removed SSH shell access from all accounts

It was working pretty well for a few months, but the hackers came back this week.

In my case, what they do is:
1. Change the passwords of all email accounts
2. Create accounts like anonymousxxxxx@
3. Change the passwords of all wp-admin users in WordPress
4. Change the wp-admin usernames
5. Install wp-file-manager
6. They start to inject malware
7. They also add .htaccess files to all folders, with rules to block access to the WordPress panel

My question is: if I have already disabled SSH with password, what other way can they be using to connect to the server? They must have a way to execute their malicious commands.
Additionally, I have added to the Apache rules that work in php 1-8.

andrew_web
My question is: if I have already disabled SSH with password, what other way can they be using to connect to the server? They must have a way to execute their malicious commands.
Additionally, I have added to the Apache rules that work in php 1-8.
One way I found, which is mentioned at the top of this page, is that they leave persistent PHP processes running on the server that keep hacking the server from the inside. There may be other methods.

I kept looking through Apache access logs trying to find where someone had uploaded any of the malicious files, and at random I moved one of the compromised site folders and saw that it was immediately hacked again. I traced those files to some running PHP processes. After killing those, the hacks didn't get put back in.

On my server, the first point of entry seems to have been getting an account on WordPress by brute force or some other password compromise, then installing malicious plugins; I had wp-file-manager installed too.

They inject malware into the WordPress header and index files. These spawn the malicious and persistent PHP processes when someone visits the site. You have to restore the original WordPress files to get rid of that part.

I find it baffling that out of the box Linux/Apache server systems are this insecure that they allow such a wide-reaching compromise to happen so easily. Especially why symlinks are enabled in public web folders by default, which allows a hacker to show every system file and account after compromising a single site; this allowed them to wreck my entire server.

New PHP scripts should also require authorization when doing file writes. When a developer adds a script, the first time they test a new site, they can authorize it. Hacked scripts trying to modify Wordpress sites would then get flagged immediately. Also being able to lock down folders would be helpful. I'd like to lock down every Wordpress plugins folder so if someone tries to add a plugin, they need approval and this can be flagged too.
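The persistent PHP processes described in the post above are easy to miss with a plain process listing, because they are just another php or php-cgi worker running as the account user. The script below is an added example for this thread, not code from any of the posters, cPanel or iThemes; it walks /proc and flags PHP interpreters whose executable has already been unlinked from disk (so there is no file left for a scanner to inspect) or whose working directory is a world-writable temp path like the /tmp drop location mentioned at the top of the thread. It assumes a Linux /proc and GNU coreutils, must run as root to see every account's processes, and all function and variable names are our own.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from cPanel.
# Lists PHP interpreter processes and flags the ones that look like the persistent
# "inside" processes described above: executable already deleted from disk, or
# working directory in a world-writable temp path.
# Assumptions: Linux /proc, GNU coreutils (stat, readlink); run as root to see
# every cPanel account's processes. Function and variable names are our own.

# classify_process USER CWD EXE CMDLINE
# Returns 0 and prints a short reason when the process deserves a look, 1 otherwise.
classify_process() {
    user=$1; cwd=$2; exe=$3; cmd=$4
    argv0=${cmd%% *}             # first word of the command line
    base=${argv0##*/}            # basename: php, php-cgi, lsphp, php-fpm ...
    case "$base" in
        *php*) ;;                # only PHP interpreters are of interest here
        *) return 1 ;;
    esac
    case "$exe" in
        *"(deleted)"*)           # binary unlinked after start: nothing on disk to scan
            echo "$user: executable deleted ($exe)"; return 0 ;;
    esac
    case "$cwd" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*)
            echo "$user: working directory in temp path ($cwd)"; return 0 ;;
    esac
    return 1
}

# scan_php_processes
# Walks /proc and prints one tab-separated line per flagged process:
# pid, reason, command line. Nothing is killed; review the list first.
scan_php_processes() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null) || continue
        [ -n "$cmd" ] || continue                      # kernel thread, no cmdline
        user=$(stat -c %U "$p" 2>/dev/null) || continue
        cwd=$(readlink "$p/cwd" 2>/dev/null || echo '?')
        exe=$(readlink "$p/exe" 2>/dev/null || echo '?')
        if reason=$(classify_process "$user" "$cwd" "$exe" "$cmd"); then
            printf '%s\t%s\t%s\n' "$pid" "$reason" "$cmd"
        fi
    done
}

# Run with --run to print the flagged processes on this host.
case "${1:-}" in
    --run) scan_php_processes ;;
esac
```

The flagged pid is what you want before killing anything: `ls -l /proc/<pid>/fd` and `/proc/<pid>/cwd` show which site files the process has open and where it was started, which is the trail back to the injected header or index file that respawns it.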
 

andrew_web
Another thing to look out for is phishing emails. One of the clients using my server contacted me this week to say they had received a cPanel email about their account storage running low, and it had fraudulent links to enter their cPanel login. The hackers are getting email addresses for domains and messaging the site owners. One compromise I had was from a legitimate cPanel login, so one of my clients likely clicked on one of those links. I reset the compromised cPanel passwords to random passwords and didn't give them to the clients, but this is a really easy way to fool people into handing over logins.

Enabling two-factor authentication on cPanel logins would probably prevent this attack option. No matter if the passwords are reset, without two-factor enabled, hackers can just email the clients again and get the new login without the server operator knowing.


That looks like it has to be done for each account separately, but it's worth it to close down possible attack options.

Kent Brockman

Well-Known Member
PartnerNOC
Jan 20, 2008
1,354
79
178
Buenos Aires, Argentina
cPanel Access Level
Root Administrator
Hi Kent, I'm William from Perú.

These Apache rules are for PHP 7; with the new version, PHP 8, I think they do not work. I have had AnonymousFox attacks in the last months. I add some points that helped:

1. Apply Kent Brockman's rules to Apache
2. Disable the SSH Password Authorization Tweak
3. I changed the SSH port
4. I removed SSH shell access from all accounts

It was working pretty well for a few months, but the hackers came back this week.

In my case, what they do is:
1. Change the passwords of all email accounts
2. Create accounts like anonymousxxxxx@
3. Change the passwords of all wp-admin users in WordPress
4. Change the wp-admin usernames
5. Install wp-file-manager
6. They start to inject malware
7. They also add .htaccess files to all folders, with rules to block access to the WordPress panel

My question is: if I have already disabled SSH with password, what other way can they be using to connect to the server? They must have a way to execute their malicious commands.
Additionally, I have added to the Apache rules that work in php 1-8.
That is correct. And now in 2023 I found they are uploading other vulnerable plugins beyond "wp-file-manager", so I configured hourly cronjobs to kill them across the server, in combination with the updatedb command, for which you have to install mlocate on the server:

locate plugins/wp-file-manager|xargs rm -drf
locate uploads/wp-file-manager-pro|xargs rm -drf
locate plugins/posts-layouts|xargs rm -drf
locate plugins/wp-console|xargs rm -drf
locate plugins/background-image-cropper|xargs rm -drf
locate plugins/custom-scripts-for-customiser|xargs rm -drf

The virus is uploading PHP scripts to wp-admin and wp-includes too, so that it can override the PHP execution limitation on plugins/themes/uploads. It's uploading zip files, so that the uncompressed files keep the original last-modified date in the past and can go undetected. Only Imunify is able to detect the contents, but in some cases they are uploading clean code that may not trigger the alerts.

I have noticed a couple of cases where the virus was able to write files in /tmp and somehow this allowed them to write backdoor files in other cPanel accounts, and edit data in other cPanel accounts' databases to change WordPress admin passwords, by the way. How come this is possible from a single cPanel account?
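Two things in the post above are worth turning into a script rather than a one-line rm: the dropper plugin directories are evidence and are more useful moved aside than deleted, and the "old last-modified date" trick only fools checks that look at mtime. unzip restores the archived mtime, but the inode change time (ctime) is set by the kernel when the file is written and cannot be chosen by the uploader, so listing PHP files by ctime surfaces freshly extracted archives regardless of the date they carry. The script below is an added example for this thread, not code from any of the posters, cPanel or Imunify. It assumes GNU find, mv and date, a root directory holding the docroots (for instance /home), and a quarantine path of our own choosing; the plugin directory names are the ones listed in the post, and the function names are ours.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts, from cPanel or
# from Imunify. Two checks that follow from the behaviour described above:
#   1. quarantine_bad_plugins moves known dropper plugin directories into a
#      quarantine tree instead of deleting them, so a copy is left to analyse;
#   2. recent_php_by_ctime lists PHP files by inode change time (ctime): unzip
#      restores the archived mtime, so a "last modified" date in the past says
#      nothing, but ctime is set at extraction and cannot be chosen by the uploader.
# Assumptions: GNU find, mv, date; docroots live under the ROOT you pass (e.g. /home);
# the quarantine path is a placeholder of our own. Function names are ours.

# Plugin directory names from the thread; extend the list as new droppers appear.
BAD_PLUGIN_DIRS="wp-file-manager wp-file-manager-pro posts-layouts wp-console background-image-cropper custom-scripts-for-customiser"

# quarantine_bad_plugins ROOT QUARANTINE
# Moves every matching directory found under any wp-content/plugins or
# wp-content/uploads into QUARANTINE/<timestamp>/<path with slashes replaced>,
# printing one "quarantined <from> <to>" line per directory.
quarantine_bad_plugins() {
    root=$1; quarantine=$2
    stamp=$(date +%Y%m%d%H%M%S)
    for name in $BAD_PLUGIN_DIRS; do
        find "$root" \( -path '*/wp-content/plugins/*' -o -path '*/wp-content/uploads/*' \) \
             -type d -name "$name" -prune -print 2>/dev/null |
        while IFS= read -r dir; do
            mkdir -p "$quarantine/$stamp"
            dest="$quarantine/$stamp/$(printf '%s' "$dir" | tr '/' '_')"
            mv "$dir" "$dest" && printf 'quarantined\t%s\t%s\n' "$dir" "$dest"
        done
    done
}

# recent_php_by_ctime ROOT HOURS
# Prints "ctime<TAB>mtime<TAB>owner<TAB>path" for PHP-like files whose inode
# changed within the last HOURS hours (default 24), sorted by ctime. A ctime of
# today next to an mtime years back is the signature of an extracted archive.
recent_php_by_ctime() {
    root=$1; hours=${2:-24}
    find "$root" -regextype posix-extended -type f \
         -iregex '.*\.(php[1-7]?|phtml?|phps|pht)$' \
         -cmin "-$((hours * 60))" \
         -printf '%CY-%Cm-%Cd %CH:%CM\t%TY-%Tm-%Td %TH:%TM\t%u\t%p\n' 2>/dev/null |
    sort
}

# Typical hourly cron use as root (quarantine path is a placeholder):
#   recent_php_by_ctime /home 1; quarantine_bad_plugins /home /root/quarantine
```

The ctime listing covers wp-admin and wp-includes as well as plugins/themes/uploads, which matters because the .htaccess rules earlier in the thread only stop PHP from executing under wp-content; a fresh PHP file under wp-includes with a years-old mtime is exactly the case the post describes.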
 

azednetma

Well-Known Member
Oct 27, 2015
68
4
58
Marrakech
cPanel Access Level
Root Administrator
That is correct. And now in 2023 I found they are uploading other vulnerable plugins beyond "wp-file-manager", so I configured hourly cronjobs to kill them across the server, in combination with the updatedb command, for which you have to install mlocate on the server:

locate plugins/wp-file-manager|xargs rm -drf
locate uploads/wp-file-manager-pro|xargs rm -drf
locate plugins/posts-layouts|xargs rm -drf
locate plugins/wp-console|xargs rm -drf
locate plugins/background-image-cropper|xargs rm -drf
locate plugins/custom-scripts-for-customiser|xargs rm -drf

The virus is uploading PHP scripts to wp-admin and wp-includes too, so that it can override the PHP execution limitation on plugins/themes/uploads. It's uploading zip files, so that the uncompressed files keep the original last-modified date in the past and can go undetected. Only Imunify is able to detect the contents, but in some cases they are uploading clean code that may not trigger the alerts.

I have noticed a couple of cases where the virus was able to write files in /tmp and somehow this allowed them to write backdoor files in other cPanel accounts, and edit data in other cPanel accounts' databases to change WordPress admin passwords, by the way. How come this is possible from a single cPanel account?
Hello,
This command is not working:
locate plugins/wp-file-manager|xargs rm -drf
locate: can not stat () `/var/lib/mlocate/mlocate.db': No such file or directory

Kent Brockman
Hello,
This command is not working:
locate plugins/wp-file-manager|xargs rm -drf
locate: can not stat () `/var/lib/mlocate/mlocate.db': No such file or directory
Hi there. You need to install mlocate first, then do a full disk scan in order for this to work. I prefer locate over find; it's a personal choice.

To install and index files, simply run this:

yum install mlocate -y && updatedb;

Then you will be able to run the above-mentioned locate commands.
Regards