AnonymousFox Repeatedly Attacking & Even Removed Wordfence

  • Resolved evilsaigon

    (@evilsaigon)


    2 years, 3 months ago

    Hi there, our wordpress websites have been hacked by “AnonymousFox”. I’ve researched and did all the clean ups and taken preventive measures. But the hacking just keeps recurring every few days.

    The hack’s symptoms:
    – Malicious files (xxxxxx.php, fake .htaccess, infected or fake index.php). Some of the malicious files appear as “Protect Uploads”. They always reappear despite deleting.
    – Fake wordpress users and email accounts get created
    – Admin user login details get hacked at times

    What I’ve already tried:
    – Have gotten the webhost to enable symlink protection in their WHM
    – Deleted the entire public_html & sql database. Reinstalled the entire website from scratch. For most websites, I reinstalled the WordPress files
    – Deleted the fake users in phpmyadmin
    – Deleted fake email accounts
    – Deleted all the malicious files (xxxxxx.php, fake .htaccess, infected or fake index.php). Some of the malicious files appear as “Protect Uploads”. They always reappear despite deleting.
    – Installed Wordfence & did a full scan which always shows no issues after my clean up. But the hacker can remove the Wordfence plugin entirely.
    – Keep all plugins updated, enabled auto-update while using the most updated WordPress version 6.0.1

    But all have been ineffective, and I’d need perspective on how to stop this hack properly. Thank you.

Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @evilsaigon, I’m sorry to see you were affected by something like this.

    I can’t comment or perform a step-by-step walkthrough of what you’ve attempted so far to clean your site, but can certainly provide the instructions that we recommend for customers affected by this in case there are any steps that have not already been taken.

    Follow the checklist here:
    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
    Make sure and get all your plugins and themes updated and update WordPress core too. If you are on an older branch (WordPress 4.x etc) because you wanted to wait before installing the latest version because of Gutenberg or a custom theme compatibility you still need the latest update in that version. Those can be found here:
    https://www.ads-software.com/download/releases/
    WordPress sometimes patches their older releases if they find a vulnerability so make sure to update your version if needed. We, of course, recommend that you update to the latest version.

    As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this.

    Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.

    If you are unable to clean this on your own there are paid services that will do it for you. Wordfence offers one and there are others. Regardless if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.

    Thanks,

    Peter.

Viewing 1 replies (of 1 total)
  • The topic ‘AnonymousFox Repeatedly Attacking & Even Removed Wordfence’ is closed to new replies.