SOLVED I can't stop anonymousfox attack

rafael.martinez

Active Member
Jan 15, 2021
25
7
3
El Salvador
cPanel Access Level
Root Administrator
I have been battling an attack on my server for anonymousfox for about 4 days, only yesterday I had the following changes:

1. Removed ConfigServer Security & Firewall and disabled cPHulk Brute Force Protection.
2. They changed the hosting package assigned to the users for the default one.
3. They changed all the cpanel and email passwords of my user.
4. User configuration file permissions changed.
5. All wordpress users changed the administrator user to anonymousfox.

This day apparently they carried out some other attack that does not let me activate ConfigServer Security & Firewall and cPHulk Brute Force Protection, when I activate it automatically it deactivates.
ImunifyAV has also stopped working.

I have taken some measures but it is not possible to stop the attack, some measures I have taken are:
1- Update all WordPress, plugin and templates of all users to the latest version.
2- Removed versions of PHP that no longer receive security updates.
3- WHM enable two factor authentication login.
4- Deactivate cpanel/webmail password recovery by email.
5- Change the root password.
6- Scan user files with ImunifyAV and clean files marked as malware.

I am very worried and I am waiting for the help of all of you.

Greetings.
 

andrew.n

Well-Known Member
Jun 9, 2020
876
325
63
EU
cPanel Access Level
Root Administrator
Have you turned off the "Reset password for cPanel accounts" option in Tweak Settings?

 

andrew.n

Well-Known Member
Jun 9, 2020
876
325
63
EU
cPanel Access Level
Root Administrator
Rafael reached out to me and I have had a chance to have a look at the server. Sadly it is root compromised and I could also discover the traces of a symlink attack sadly. I recommended the best course of action here i.e clean up the infection and migrate the accounts over to a brand new server.
 
  • Like
Reactions: cPanelAnthony

Rodrig

Member
Apr 22, 2022
7
1
3
France
cPanel Access Level
Website Owner
Hi,
I have the same issue, Anonymousfox hacked my website. I continuously reedit the database's admin users it adds and change all passwords but it keeps coming back.

I have some difficulty applying the suggestions found in several forums. I am new to all this and I'm not even sure if I have such Cpanel acces being a site owner on a shared server. I don't find how to disable the "reset password for Cpanel accounts". I have almost no response from the hosting support team to this issue.

Can you advise me on what's in my power to do and if I have a chance to solve this?
 

Rodrig

Member
Apr 22, 2022
7
1
3
France
cPanel Access Level
Website Owner
Without root access your options are going to be more limited. The best thing you can do is to ensure all the plugins on the account are up-to-date as the issue usually happens with vulnerable scripts.
Thanks cPRex. I guess I don't have the power needed to solve it.

The server system is probably infected, I solved it by moving all my users to a new server.
You mean, considering I have my website on a shared server, that I would need to change my website to a different host? I don't understand why the hosting service doesn't reply to my questions; I thought it is in their interest that we all collaborate in order to have their server clean.
 

Rodrig

Member
Apr 22, 2022
7
1
3
France
cPanel Access Level
Website Owner
Not easy to decide when I lack so much information. I realized that I can block, in Wordfence, the IP used by the user Anonymousfox_xxx that does all the login attempts in my website. I am guessing it can't be that easy, or is it?

Isn't there any app to add a double authentication factor to Cpanel login? Maybe through the WHMCS app? Again, could it be that simple?
 

Rodrig

Member
Apr 22, 2022
7
1
3
France
cPanel Access Level
Website Owner
Thank you so much for your support. It feels so lost when we're new to all this and a hacked site oblige us to learn it all as fast as possible.

I was searching for a way to send a PM @rafael. If possible, please let me know.
 

Ed_alex

Registered
Oct 23, 2012
3
2
51
cPanel Access Level
Website Owner
Some very important things to know about AnonymousFox hacks. They create a system process that typically creates and recreates a malicious cron job until you kill all system processes. The simplest way to kill all system processes is to switch your PHP server version and then delete the malicious cron job. After these critical first steps are done then check these 2 files: /home/user/.cpanel/contactinfo and /home/user/.contactemail for any email addresses that are not yours and delete them. You can now start the fun processes of deleting the numerous files created by AnonymousFox hacks. Note: Every single AnonymousFox hack that I have come across includes at least 1 hidden hacker plugin and sometimes 3 of them. Delete those hidden hacker plugins.
 
  • Like
Reactions: Rodrig

Rodrig

Member
Apr 22, 2022
7
1
3
France
cPanel Access Level
Website Owner
Some very important things to know about AnonymousFox hacks. They create a system process that typically creates and recreates a malicious cron job until you kill all system processes. The simplest way to kill all system processes is to switch your PHP server version and then delete the malicious cron job. After these critical first steps are done then check these 2 files: /home/user/.cpanel/contactinfo and /home/user/.contactemail for any email addresses that are not yours and delete them. You can now start the fun processes of deleting the numerous files created by AnonymousFox hacks. Note: Every single AnonymousFox hack that I have come across includes at least 1 hidden hacker plugin and sometimes 3 of them. Delete those hidden hacker plugins.
Hi Alex, thanks for sharing.
I'm a bit new to all this but I don't think I have that much power being my website on a shared server beyond my control. I checked for Cronjobs and there is only one, which seems is a regular backup:

/usr/local/cpanel/3rdparty/bin/php -d disable_functions="" "/usr/local/cpanel/whostmgr/docroot/cgi/softaculous"/cli.php --backup --auto=1 --insid=26_52324

There is quite a while that no new email accounts are created in my CPanel dashboard nor plugins installed in the Wordpress dashboard either.
I do see in Wordfence some blocked attempts, usually from Netherlands and Germany, like: http://delasciencealassiette.fr/ubpxwlwy.php?Fox=d3wL7

The last one was two days ago. I don't see any such type of files in my Public_html folder.
and the last failed login attempts with Anonymousfox... as user was 16 days ago.

I don't get any replies from the website hosting company to my support tickets since quite a while now. I wonder if those failed attempts in Wordfence could mean that they are being able to clean the server or that it just means that Anonymousfox is not being able to enter specifically through my dashboard?