Question and Tips about "anonymousfox"

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
Houston
Don't get me wrong either, I get it. I get your frustration as well as the user's. Password Reset capability being disabled may help for this specific issue, but there are other issues it won't help with; it definitely won't keep the account secure from being attacked if it still has vulnerabilities.

One suggestion might be to ensure you're scanning regularly for known malware signatures.
 

terwilliger

Registered
Oct 5, 2020
California
cPanel Access Level
Website Owner
Hi - I'm dealing with "anonymousfox" and trying to figure out how to clean up the cPanel account. So far I have:
* renamed the site folder so it's not publicly accessible right now
* contacted my host who ran a malware scan, cleaned up some stuff (not sure exactly what), and reset my cPanel password
* gone through all the files in public_html, compared them with an earlier backup, and replaced or deleted files where there were differences
* deleted any email accounts + accounts in the "user manager" section that are no longer in use
* reset all user passwords

Poking through the home directory now, I see a suspicious file in the "etc" folder called "shadow" with 2 lines. The first line starts with "anonymousfox" and the second line starts with "smtpfox." So, that seems bad...

When I search for info on what to do with this "shadow" file though, I get the impression that it shouldn't be removed or messed with. But just leaving it also seems bad, so I'm not sure what to do.

Any advice would be appreciated.
 

pinchies

Member
Sep 3, 2020
Australia
cPanel Access Level
Website Owner
Also,
  • check for unexpected subdomains (including wildcard subdomains) or any other user/remote access accounts
  • check the currently listed cPanel and WordPress recovery email addresses
The shadow file is to do with passwords. I recommend removing any lines related to accounts that are not your own.
 
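Added example (not part of any post in this thread): one way to carry out the suggestion above, assuming the file uses the usual shadow layout in which the account name is the first colon-separated field. The function names, the `.bak` backup name and the sample lines are constructed for illustration.

```python
import shutil
from pathlib import Path

# Constructed sample: only the first colon-separated field (the account name)
# matters here; the hash fields are placeholders, not real hashes.
SAMPLE = (
    "anonymousfox:$6$PLACEHOLDER$PLACEHOLDER:18540::::::\n"
    "info:$6$PLACEHOLDER$PLACEHOLDER:18100::::::\n"
    "smtpfox:$6$PLACEHOLDER$PLACEHOLDER:18540::::::\n"
)

def audit_shadow(text, expected):
    """Return (kept_lines, flagged_names) for shadow-style text.

    A line is kept only if its account name is in `expected`; anything
    else, including a line with no colon at all, is flagged for review.
    """
    allowed = {name.strip().lower() for name in expected}
    kept, flagged = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() in allowed:
            kept.append(line)
        else:
            flagged.append(name.strip())
    return kept, flagged

def clean_shadow_file(path, expected):
    """Back up `path`, rewrite it with only expected accounts, report the rest."""
    path = Path(path)
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)  # evidence copy; move it out of the account afterwards
    kept, flagged = audit_shadow(path.read_text(), expected)
    path.write_text("".join(line + "\n" for line in kept))
    return {"removed": flagged, "remaining": len(kept), "backup": str(backup)}

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        shadow = Path(tmp) / "shadow"
        shadow.write_text(SAMPLE)
        print(clean_shadow_file(shadow, expected={"info"}))
```

If none of the lines belong to an expected account, the file is rewritten empty and `remaining` is 0, while the backup still holds the original lines.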

terwilliger

Registered
Oct 5, 2020
California
cPanel Access Level
Website Owner
Thank you.

If I remove lines from the shadow file related to accounts that aren't my own, the file will be completely empty - not sure if that's okay (or if I should just delete the file completely)?