• Resolved rod

    (@nomadarod)


    Hi,
    I have been struggling to remove a mysteriously created user “Anonymous Fox” in my website, with extra email accounts created in Cpanel, that showed up along with this plugin: https://www.ads-software.com/support/plugin/three-column-screen-layout/ . When I thought I had finished, by editing the database directly, I installed Wordfence security and immediately I had 4 installations of the same plugin on my website.

    Is there a way I can use Wordfence to get rid of this?
    EDIT: I changed the scan options for “high sensitivity” and am trying again for a Wordfence scan.
    Thanks
    Rod


Viewing 10 replies - 1 through 10 (of 10 total)
  • Hi @nomadarod,

    Bummer! Looks like your website has been hacked.

    Perhaps this topic can help solve your issue.

    Otherwise, refer to these Wordfence instructions to clean your website.

    Best wishes.

    Anonymous User 17880307

    (@anonymized-17880307)

    Anonymousfox is a team of hackers and a collection of webshells which scan webspaces for credential files and try brute-force attacks against cpanel and other solutions. So it’s best to check your complete setup, running processes with “top”, auth.log for any hints, and change passwords and clean up the website behind a .htpasswd protection.

    It is important to check that they did not set up any other software running on the server in the background and have not deployed any backdoors (which their solutions often do).

    The mentioned plugin is just a decoy / abused plugin to make it less obvious.

    Thread Starter rod

    (@nomadarod)

    Hi!
    I thought all was good after a few days of calm since I changed all passwords, installed Wordfence, double AF, etc., and just now I see that my admin login doesn’t work and that the database has Anonymousfox as admin again.

    I edited the database to change it back to my username and password and came back to login but it didn’t work. I have a “Vous avez été bloqué” (you’re blocked) screen.
    This is the worst I can imagine, still having the site hacked but being blocked by my own security plugin.

    Any advice?

    Thread Starter rod

    (@nomadarod)

    I actually got blocked by another security plugin. The blockage is clear, but the password I edited the database with doesn’t work (I notice the password is not encrypted in the database, so the hacker already has it, no?). What could I do? Reset password?

    Thread Starter rod

    (@nomadarod)

    Ok. Managed to go in again.

    @danielrufde Can you help me understand “running processes with ‘top’”, “auth.log for any hints” and “behind a .htpasswd protection”?

    Anonymous User 17880307

    (@anonymized-17880307)

    “top” is a command that you can use via SSH to see running commands / programs. Also there is “crontab” to see planned system cronjobs. If they got access to your cpanel then they can do much more on the system. I once had a case on a server where attackers started a crypto miner.

    Best in your case: check the complete server and do a full analysis since SSH and cpanel could allow a full takeover.

    Depending on your hosting setup there are logfiles at /var/log which often contain important proof and clues about how and what happened.

    On Apache based hosting you can temporarily protect the webspace with a .htpasswd file and a few lines in your .htaccess file. But when the threat actor still has full access to the server you will have to ensure that they won’t work around this.

    Thread Starter rod

    (@nomadarod)

    Hi @danielrufde
    I found a “Raw Access” section in Cpanel with logs. What should I look for that could imply suspicious activity?

    Here is an example of what I find in it that seems suspicious:

    ```
    101.32.62.196 - - [20/Apr/2022:19:12:22 +0200] "GET /wp-login.php HTTP/1.1" 403 6634 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    194.38.20.161 - - [20/Apr/2022:19:29:27 +0200] "GET /plugins/elfinder/connectors/php/connector.php HTTP/1.1" 403 17008 "-" "ALittle Client"
    38.242.211.102 - - [20/Apr/2022:20:14:49 +0200] "POST /wp-cron.php?doing_wp_cron=1650478489.4787979125976562500000 HTTP/1.1" 200 20 "https://delasciencealassiette.fr/wp-cron.php?doing_wp_cron=1650478489.4787979125976562500000" "WordPress/5.9.3; https://delasciencealassiette.fr"
    ```

    It seems like a login attempt and a plugin install. There are a bunch of cron jobs happening too. What could I do with all this info?

    Anonymous User 17880307

    (@anonymized-17880307)

    @rod this is just harmless – no login happened in these lines and no plugin install. This was a probe for a known vulnerability and your server returned status code 403 (“access denied”), not status code 200 (“ok”). A pretty normal GET request. A plugin install would start with a POST request.
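
    The rule in the reply above (a 403 is a rejected request and nothing happened; an accepted POST to a login or admin endpoint is what deserves a look) can be applied to a whole cPanel raw access log. The following is an added example, not code from this thread or from Wordfence; the log lines it reads are constructed in the same format as the ones quoted above, using TEST-NET addresses, and the list of admin endpoints is an assumption about which WordPress paths matter.

    ```python
    import re
    from collections import Counter

    # One line of a cPanel "Raw Access" log (Apache combined log format).
    LOG_RE = re.compile(
        r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
        r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
        r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

    # Assumed admin endpoints where an accepted POST means something changed.
    ADMIN_WRITE_PATHS = ("/wp-admin/update.php", "/wp-admin/user-new.php", "/xmlrpc.php")

    # Constructed sample in the same format as the lines quoted in the thread (TEST-NET IPs).
    SAMPLE_LOG = [
        '198.51.100.7 - - [20/Apr/2022:19:12:22 +0200] "GET /wp-login.php HTTP/1.1" 403 6634 "-" "Mozilla/5.0"',
        '198.51.100.8 - - [20/Apr/2022:19:29:27 +0200] "GET /plugins/elfinder/connectors/php/connector.php HTTP/1.1" 403 17008 "-" "ALittle Client"',
        '203.0.113.5 - - [20/Apr/2022:20:14:49 +0200] "POST /wp-cron.php?doing_wp_cron=1650478489.47 HTTP/1.1" 200 20 "-" "WordPress/5.9.3"',
        '203.0.113.5 - - [20/Apr/2022:21:01:58 +0200] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [20/Apr/2022:21:02:10 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [20/Apr/2022:21:02:31 +0200] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 1542 "-" "Mozilla/5.0"',
    ]

    def parse_line(line):
        m = LOG_RE.match(line)
        return m.groupdict() if m else None

    def classify(rec):
        """Rule from the reply above: a 403 was rejected; an accepted POST deserves a look."""
        status, method = int(rec["status"]), rec["method"]
        path = rec["path"].split("?", 1)[0]          # drop the query string
        if status >= 400:
            return "rejected"
        if path == "/wp-login.php" and method == "POST":
            # wp-login.php re-renders the form with 200 on a failed login and
            # redirects (302) to the dashboard on a successful one.
            return "login-success" if status in (301, 302) else "login-failed"
        if method == "POST" and path in ADMIN_WRITE_PATHS:
            return "admin-write"
        return "routine"                             # wp-cron.php, page views, ...

    def triage(lines):
        """Return (events worth reading, failed logins per IP) for a list of log lines."""
        events, failed_per_ip = [], Counter()
        for rec in filter(None, map(parse_line, lines)):
            kind = classify(rec)
            if kind == "login-failed":
                failed_per_ip[rec["ip"]] += 1
            elif kind in ("login-success", "admin-write"):
                events.append((rec["ts"], rec["ip"], kind, rec["path"].split("?", 1)[0]))
        return events, failed_per_ip
    ```

    Run against the sample, only the accepted login and the plugin upload from 203.0.113.5 are reported, and the two 403 probes drop out; the failed-login counter is what makes a single address hammering wp-login.php stand out.
    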

    Thread Starter rod

    (@nomadarod)

    Hi @danielrufde
    Thanks. I guess I have a bit to learn about log files, but they don’t seem so scary anymore. Is there a tool that can identify threats/suspicious behaviour in it (a free tool?). You said something about “running processes with ‘top’, auth.log for any hints”. What are these? I couldn’t understand the results in Google. How do I use these command lines to check my website? Is there a command line in Cpanel? It is a shared server; I don’t know how much I can do/access.

    Thread Starter rod

    (@nomadarod)

    I found that the Anonymousfox user login attempts were all coming from the same IP address, as displayed in Wordfence “live traffic” tool, and I added that IP to the list of IPs to be blocked permanently. Could it be that simple? Are there other things I can do to assure it won’t come back in?

    I see also that the email report from Wordfence indicates the htaccess and config.php files were edited today. Is it normal that these files are edited?

    The only way I am aware that I can routinely check if Anonymousfox was back doing its tricks is by checking if it changed the admin username and Cpanel emails. I wonder if there are other ways I can verify if there are other processes going on?

  • The topic ‘Three column screen layout virus’ is closed to new replies.