SOLVED I can't stop anonymousfox attack

[rafael.martinez]

I have been battling an attack on my server for anonymousfox for about 4 days, only yesterday I had the following changes:

1. Removed ConfigServer Security & Firewall and disabled cPHulk Brute Force Protection.
2. They changed the hosting package assigned to the users for the default one.
3. They changed all the cpanel and email passwords of my user.
4. User configuration file permissions changed.
5. All wordpress users changed the administrator user to anonymousfox.

This day apparently they carried out some other attack that does not let me activate ConfigServer Security & Firewall and cPHulk Brute Force Protection, when I activate it automatically it deactivates.
ImunifyAV has also stopped working.

I have taken some measures but it is not possible to stop the attack, some measures I have taken are:
1- Update all WordPress, plugin and templates of all users to the latest version.
2- Removed versions of PHP that no longer receive security updates.
3- WHM enable two factor authentication login.
4- Deactivate cpanel/webmail password recovery by email.
5- Change the root password.
6- Scan user files with ImunifyAV and clean files marked as malware.

I am very worried and I am waiting for the help of all of you.

Greetings.

 

[andrew.n]

Have you turned off the "Reset password for cPanel accounts" option in Tweak Settings?

What is the anonymousfox address on my system?

Question What is the anonymousfox address on my system? Answer Anonymousfox is a Wordpress vulnerability where users are able to exploit vulnerable Wordpress plugins to get access to the account'...

support.cpanel.net

 

[rafael.martinez]

Hello andrew.n

Yes, I have already disabled "Reset password for cPanel accounts", But still the attack continues.

 

[andrew.n]

Rafael reached out to me and I have had a chance to have a look at the server. Sadly it is root compromised and I could also discover the traces of a symlink attack sadly. I recommended the best course of action here i.e clean up the infection and migrate the accounts over to a brand new server.

 

[cPanelAnthony]

Thank you for the update, Andrew! It sounds like you got Rafael pointed in the right direction.

 

[Rodrig]

Hi,
I have the same issue, Anonymousfox hacked my website. I continuously reedit the database's admin users it adds and change all passwords but it keeps coming back.

I have some difficulty applying the suggestions found in several forums. I am new to all this and I'm not even sure if I have such Cpanel acces being a site owner on a shared server. I don't find how to disable the "reset password for Cpanel accounts". I have almost no response from the hosting support team to this issue.

Can you advise me on what's in my power to do and if I have a chance to solve this?

 

[cPRex]

Without root access your options are going to be more limited. The best thing you can do is to ensure all the plugins on the account are up-to-date as the issue usually happens with vulnerable scripts.

 

[rafael.martinez]

The server system is probably infected, I solved it by moving all my users to a new server.

 

[Rodrig]

Without root access your options are going to be more limited. The best thing you can do is to ensure all the plugins on the account are up-to-date as the issue usually happens with vulnerable scripts.

Thanks cPRex. I guess I don't have the power needed to solve it.

The server system is probably infected, I solved it by moving all my users to a new server.

You mean, considering I have my website on a shared server, that I would need to change my website to a different host? I don't understand why the hosting service doesn't reply to my questions; I thought it is in their interest that we all collaborate in order to have their server clean.

 

[cPRex]

It's really impossible to say. Since your hosting provider doesn't seem to be interested in helping with the issue, it might be best to move to another provider anyway where you can experience better support.

 

[Rodrig]

Not easy to decide when I lack so much information. I realized that I can block, in Wordfence, the IP used by the user Anonymousfox_xxx that does all the login attempts in my website. I am guessing it can't be that easy, or is it?

Isn't there any app to add a double authentication factor to Cpanel login? Maybe through the WHMCS app? Again, could it be that simple?

 

[rafael.martinez]

It is very likely that your provider has the entire server infected, I recommend that you move to another server.

 

[cPRex]

@Rodrig - yes, you can find more details on this here: Two-Factor Authentication for cPanel | cPanel & WHM Documentation

 

[Rodrig]

Thank you so much for your support. It feels so lost when we're new to all this and a hacked site oblige us to learn it all as fast as possible.

I was searching for a way to send a PM @rafael. If possible, please let me know.

 

[cPRex]

@Rodrig - your account is still restricted since it's only your 4th post, so you aren't able to send a PM just yet.

 

[Rodrig]

That makes sense. Thanks cPRex.

 

[rafael.martinez]

Hello Rodrig I leave you my profile on linkedin:

https://www.linkedin.com/in/rafaelmartinezme/

 

[Ed_alex]

Some very important things to know about AnonymousFox hacks. They create a system process that typically creates and recreates a malicious cron job until you kill all system processes. The simplest way to kill all system processes is to switch your PHP server version and then delete the malicious cron job. After these critical first steps are done then check these 2 files: /home/user/.cpanel/contactinfo and /home/user/.contactemail for any email addresses that are not yours and delete them. You can now start the fun processes of deleting the numerous files created by AnonymousFox hacks. Note: Every single AnonymousFox hack that I have come across includes at least 1 hidden hacker plugin and sometimes 3 of them. Delete those hidden hacker plugins.

 

[Ed_alex]

Recommendation: Turn Off/Disable Anonymous FTP in cPanel.

 

[Rodrig]

Some very important things to know about AnonymousFox hacks. They create a system process that typically creates and recreates a malicious cron job until you kill all system processes. The simplest way to kill all system processes is to switch your PHP server version and then delete the malicious cron job. After these critical first steps are done then check these 2 files: /home/user/.cpanel/contactinfo and /home/user/.contactemail for any email addresses that are not yours and delete them. You can now start the fun processes of deleting the numerous files created by AnonymousFox hacks. Note: Every single AnonymousFox hack that I have come across includes at least 1 hidden hacker plugin and sometimes 3 of them. Delete those hidden hacker plugins.

Hi Alex, thanks for sharing.
I'm a bit new to all this but I don't think I have that much power being my website on a shared server beyond my control. I checked for Cronjobs and there is only one, which seems is a regular backup:

/usr/local/cpanel/3rdparty/bin/php -d disable_functions="" "/usr/local/cpanel/whostmgr/docroot/cgi/softaculous"/cli.php --backup --auto=1 --insid=26_52324

There is quite a while that no new email accounts are created in my CPanel dashboard nor plugins installed in the Wordpress dashboard either.
I do see in Wordfence some blocked attempts, usually from Netherlands and Germany, like: http://delasciencealassiette.fr/ubpxwlwy.php?Fox=d3wL7

The last one was two days ago. I don't see any such type of files in my Public_html folder.
and the last failed login attempts with Anonymousfox... as user was 16 days ago.

I don't get any replies from the website hosting company to my support tickets since quite a while now. I wonder if those failed attempts in Wordfence could mean that they are being able to clean the server or that it just means that Anonymousfox is not being able to enter specifically through my dashboard?