Question and Tips about "anonymousfox"

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
Don't get me wrong either, I get it. I get your frustration as well as the user's. Password Reset capability being disabled may help for this specific issue but there are other issues it won't help with, it definitely won't keep the account secure from being attacked if it still has vulnerabilities.

One suggestion might be to ensure you're scanning regularly for known malware signatures.
 

terwilliger

Registered
Oct 5, 2020
California
cPanel Access Level
Website Owner
Hi - I'm dealing with "anonymousfox" and trying to figure out how to clean up the cpanel account. So far I have:
* renamed the site folder so it's not publicly accessible right now
* contacted my host who ran a malware scan, cleaned up some stuff (not sure exactly what), and reset my cpanel password
* gone through all the files in public_html, compared them with an earlier backup, and replaced or deleted files where there were differences
* deleted any email accounts + accounts in the "user manager" section that are no longer in use
* reset all user passwords

Poking through the home directory now, I see a suspicious file in the "etc" folder called "shadow" with 2 lines. The first line starts with "anonymousfox" and the second line starts with "smtpfox." So, that seems bad...

When I search for info on what to do with this "shadow" file though, I get the impression that it shouldn't be removed or messed with. But just leaving it also seems bad, so I'm not sure what to do.

Any advice would be appreciated.
 

pinchies

Member
Sep 3, 2020
Australia
cPanel Access Level
Website Owner
Also,
  • check for unexpected subdomains (including wildcard subdomains) or any other user/remote access accounts
  • check the currently listed cpanel and wordpress recovery email addresses
The shadow file is to do with passwords. I recommend removing any lines related to accounts that are not your own.
 

terwilliger

Registered
Oct 5, 2020
California
cPanel Access Level
Website Owner
Thank you.

If I remove lines from the shadow file related to accounts that aren't my own, the file will be completely empty - not sure if that's okay (or if I should just delete the file completely)?
 

CaptObvious

Registered
Oct 28, 2020
uk
cPanel Access Level
Reseller Owner
I just got hit with my cPanel account being compromised by someone editing the .contactemail and .contactinfo files and resetting my password.
Not sure if it is related to the wp file manager plugin, while it was installed, it was up to date and disabled.

This has however made me realise how easy it is to gain access to someone's cpanel account in general, this issue is not specific to this plugin or vulnerability.

Anyone who has FTP access can use this hack.
Anyone who has admin access to any website and the ability to install plugins can use this hack

I regularly work on WordPress sites for clients.
So all I would need to do is install any plugin that allows me to edit files, and I can then change their cpanel email address and reset the password.

These files need to have their permissions set so that only cpanel itself can edit them or they need to be encrypted so they cannot be edited.
 

ihab.mardoud

Registered
Nov 1, 2020
Istanbul, Turkey
cPanel Access Level
Root Administrator
It happened to me also, even though there is no WordPress in the account...
I figured out that it happened through the eval-stdin vulnerability in PHPUnit in the vendor folder!
so I added .htaccess with
Apache config:
Require all denied
and I found that the email did not appear changed in WHM or cPanel, but it had been changed in the .contactemail file
I just re-saved my contact information in cPanel and .contactemail was updated
and then cleaned the content of the shadow file in the etc folder, reset all the passwords, removed the two email accounts that the malware created, and ran a scan with Imunify360 (it found 7 uploaded malware files in the PHPUnit folder)

Hope this will help anyone searching for anonymousfox, because this is the first result I got on Google.
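The two artefacts raised in this thread, the unexpected "anonymousfox"/"smtpfox" lines in the mail shadow file and a silently rewritten .contactemail, can be checked for in one pass. This is an added example, not cPanel's own tooling; it assumes the per-domain layout ~/etc/<domain>/shadow and a comma-separated ~/.contactemail, and the sample home directory it builds is constructed.

```python
"""Audit a cPanel home directory for the artefacts this thread describes:
mail-account entries in ~/etc/<domain>/shadow that the owner did not create
and a .contactemail that has been altered or left writable by others.
Added example, not cPanel's own tooling; paths are assumed from the thread."""
import stat
import tempfile
from pathlib import Path

def audit_mail_shadow(home: Path, known: set[str]) -> list[str]:
    """Return 'user@domain' for every shadow entry not in `known`.
    Lines look like /etc/shadow: 'user:hash:lastchange:...'."""
    findings = []
    for shadow in (home / "etc").glob("*/shadow"):
        domain = shadow.parent.name
        for line in shadow.read_text().splitlines():
            if line.strip():
                addr = f"{line.split(':', 1)[0]}@{domain}"
                if addr not in known:
                    findings.append(addr)
    return findings

def audit_contact_email(home: Path, expected: set[str]) -> list[str]:
    """Flag .contactemail (where password resets are mailed) if it lists
    an address the owner does not expect or is writable by group/other."""
    f = home / ".contactemail"
    if not f.exists():
        return ["missing .contactemail"]
    findings = []
    mode = stat.S_IMODE(f.stat().st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f".contactemail mode {mode:o} is group/other-writable")
    addrs = {a.strip() for a in f.read_text().split(",") if a.strip()}
    for addr in sorted(addrs - expected):
        findings.append(f"unexpected contact address {addr}")
    return findings

def demo() -> tuple[list[str], list[str]]:
    """Audit a constructed home dir that mirrors the thread's findings."""
    home = Path(tempfile.mkdtemp())
    d = home / "etc" / "example.com"
    d.mkdir(parents=True)
    (d / "shadow").write_text(  # constructed: two rogue accounts, one real
        "anonymousfox:$6$fakehash:18500::::::\n"
        "smtpfox:$6$fakehash:18500::::::\n"
        "info:$6$fakehash:18000::::::\n")
    (home / ".contactemail").write_text("rogue@example.net")
    (home / ".contactemail").chmod(0o666)
    return (audit_mail_shadow(home, {"info@example.com"}),
            audit_contact_email(home, {"owner@example.com"}))
```

Run it against the real home directory with the mailboxes and contact address you actually created; anything it reports is what to delete or re-save, as the posters above did.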
 

Ucyirmiiki

Registered
Apr 19, 2021
Turkey
cPanel Access Level
Root Administrator
A year later, I have the same problem... And my "Reset Password" option was also disabled before I got this problem.
I have many accounts on my server and every day another one creates 4 different emails and sends spam... all the same 4 emails, which begin with ''[email protected]'' (see the attachments)
I am tired of deleting these email accounts.

PS: I noticed that the accounts which have this problem are generally WordPress websites.

And I am really shocked that there is no certain way to solve this problem. cPanel says get a paid system administrator, some say disable password reset... but there is no certain way to prevent this problem.
 


cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
For that you would need to check the server access log at /usr/local/cpanel/logs/access_log. I would recommend doing the following to make that search easier:

-run "tail -f /usr/local/cpanel/logs/access_log" to watch the log in real-time
-log in to cPanel and create an email account

This will allow you to see what that email creation process looks like on your server, so you'll know exactly what to search for in the log.
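Once you have seen what a mailbox creation looks like in access_log, the search can be scripted to pull out the source IP and cPanel user behind each one. This is an added example, not cPanel's own code; the line layout (combined-log style with the cPanel user as the third field) and the endpoint names add_pop / addpop are assumptions to confirm against your own log, and the sample lines are constructed.

```python
"""Pull email-account creations out of cPanel's access_log with the IP and
cPanel user that made each one. Added example, not cPanel's own code; the
line layout (combined-log style, cPanel user as third field) and the
endpoint names add_pop / addpop are assumptions: confirm them by watching
the log while creating one account yourself, as suggested above."""
import re
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# UAPI Email::add_pop and API2 Email::addpop both create a mailbox
CREATE_RE = re.compile(
    r'/(execute/Email/add_pop|cpanel\?\S*?cpanel_jsonapi_func=addpop)')
SESSION_RE = re.compile(r'/cpsess\d+')

def email_creations(lines):
    """Return (ip, user, when, path) for each mailbox-creation request.
    The session token and query string are dropped so the same call from
    different sessions compares equal and no password parameter is echoed."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and CREATE_RE.search(m["path"]):
            path = SESSION_RE.sub("", m["path"]).split("?")[0]
            out.append((m["ip"], m["user"], m["when"], path))
    return out

def creations_by_ip(lines):
    """Count creations per source IP; one address creating many mailboxes
    across accounts is the pattern described in this thread."""
    return Counter(ip for ip, *_ in email_creations(lines))

# constructed sample lines, not taken from a real server
SAMPLE = [
    '203.0.113.7 - siteuser [19/04/2021:03:12:44 -0000] "GET /cpsess1122334455'
    '/execute/Email/add_pop?email=smtpfox&domain=example.com&password=REDACTED'
    ' HTTP/1.1" 200 0 "-" "python-requests/2.25"',
    '203.0.113.7 - siteuser [19/04/2021:03:12:45 -0000] "GET /cpsess1122334455'
    '/json-api/cpanel?cpanel_jsonapi_module=Email&cpanel_jsonapi_func=addpop'
    '&email=anonymousfox&domain=example.com HTTP/1.1" 200 0 "-" "curl/7.68"',
    '198.51.100.20 - siteuser [19/04/2021:09:00:01 -0000] "GET /cpsess998877'
    '/frontend/jupiter/mail/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in email_creations(SAMPLE):
        print(*hit)
    print(creations_by_ip(SAMPLE))
```

Feed it the real file with `email_creations(open("/usr/local/cpanel/logs/access_log"))` once you have adjusted the patterns to match what your own test creation produced.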