How to Fix the AnonymousFox Hack

If you have suffered a website compromise in recent years, then there is a decent chance that you saw the markings of AnonymousFox. It is one of the most prevalent types of malware infections on the web today.

AnonymousFox is both the name of the group that shares/sells website exploitation and hacking tools, as well as the name used in the malware in compromised website environments. In this post, we will review how this infection works, why it is so common, and how to remove the malware from your compromised environment.

Throughout this guide actionable points will be listed next to a ★ character for each section. If you are currently experiencing this type of compromise and want a quick TL;DR, go ahead and scroll down to the bottom of this article!

What is AnonymousFox?

Before we get started, it’s worth exploring what this hack is. As the name implies, we don’t know exactly who is behind the malware. It can best be described as a suite of automated hacking tools that are available to obtain from the web and use at your own disposal, all gathered under the name Anonymousfox.

Their website (which we recommend against visiting as it is closely associated with malware) lists a number of different features available in their hacking suites:
FoxAuto V6
[01] Mass Reset Password cPanel
[02] Mass Finder SMTP + Create SMTP
[03] Mass Finder Linux/Windows, cPanel/vHosts/Root [PWD|UNAME]
[04] Mass Finder Accesshash [Reseller] + .my.cnf [cPanel]
[05] Mass Get Config (cPanel/vHosts) server+Config404+ConfigCFS
[06] Mass Get Config + Crack cPanel/WHM
[07] Mass Get Config+Upload Shell on WordPress/Joomla/Opencart
[08] Mass Get Root by ./dirty [PHP/BASH]
[09] Mass Get RDP from Windows server
[10] Mass Get Domains-List
[11] Mass Get Emails-List
[12] Mass Get Config + Emails-List
[13] Mass Upload Mailer [Random]
[14] Mass Upload File [Random]
[15] Mass Upload Index + Post in Zone-h
[16] Mass Upload Scam-Page/Zip-file + UNZip
[17] Mass Check if Sending mail is Working or not! [Results delivery]
[18] Mass Reports replacement Olux/xLeet/Other
[19] From any Shell/UPloader, MASS Upload File Shell/Mailer
[20] Reset Password cPanel + Finder/Create SMTP [together]
[21] 01 + 02 + 04 + 06 + 08 [All of them together]
[22] Mass Finder SMTP + Create SMTP from cPanel
[23] MASS Upload File Olux/xLeet/Other Shell/Mailer from cPanel
[24] Mass Upload Scam-Page/Zip-file + UNZip from cPanel
[25] Mass Check if Sending mail is Working or not! [Results delivery]
[26] Mass Reports replacement Olux/xLeet/Other from cPanel
[27] Mass login WordPress/Joomla/Opencart/Drupal + UPload Shell

This is the feature set of one of multiple different tools provided by the group. The website states the following disclaimer and pledge request:

“All our tools here are free, we are not responsible for any acts of vandalism that may occur due to misuse. As a user, I pledge to use this site for the benefit and benefit of the community, without causing any harm, I take full responsibility for the use of this site and its tools.”

It’s abundantly clear that these tools are overwhelmingly not used for educational purposes, but to compromise victim websites, spread malware, phishing and spam.

As you can see, the malware kits leverage quite a few different tools to identify vulnerable websites, exploit vulnerable access points, and spread across environments.

Point of Infection

There isn’t one single entry point that the attackers use when using the AnonymousFox hacking tools suite. The reason why the malware is so prevalent, is because it attempts to take advantage of as many different vulnerabilities as possible. It exploits whatever low-hanging fruit it may come across.

There are many vulnerable plugins and extensions in use on many different CMS platforms. This tool suite tries to find and exploit as many of them as possible, regardless if the website is running WordPress, Joomla, OpenCart or other platforms.

From wp-admin to cPanel compromise

Naturally, with WordPress being the most commonly used CMS platform, it is the most frequently infected.

If the server is configured in the right way (that is, the default configuration), then a single compromised wp-admin account can lead to every single website in the environment being compromised. How do they do this?

As we have discussed on our blog before, securing your wp-admin panel is of paramount importance. It’s not uncommon for the default admin user name “admin” to be used on older WordPress websites (thankfully, WordPress no longer assigns this as default for security reasons). This renders the websites particularly vulnerable to brute force attacks.

However, with the use of certain tools like WPScan, user names on the website can be enumerated and made viewable. This means that even if you have a super secure username, if your website is not protected by any security plugins or a firewall, the admin name can be viewed externally and used in a brute force attack.

Once they have established a foothold into the admin panel, typically a file manager plugin is installed:

file-manager-plugin

While these are undoubtedly useful plugins available from the WordPress repository, they are also frequently misused by attackers to spread malware since they provide direct access to the website file structure. Once attackers have this, they can also upload a malicious web shell to a directory of their choosing.

Resetting the cPanel Password

After the attackers have access to the file system, all they need to do to take over the cPanel is to edit the following files:
/home/user/.cpanel/contactinfo
/home/user/.contactemail

They replace the victim’s email with their own. Following this, all they need to do is send a password reset email via the cPanel login page and change the password to one of their choosing. After that, they have established full administrative control of the cPanel.

reset-contact-email

★RESET THE CONTACT EMAIL VIA WHM!

If you are experiencing an anonymousfox hack on your website you can quickly identify how many infected cPanels are present, as well as the specific affected cPanel accounts, by running the following commands via SSH:
# grep anonymousfox /home/*/.contactemail|wc -l
# grep anonymousfox /home/*/.contactemail

reset-contact-email

The attackers are also known to use their own email addresses or temporary “burner” emails, so you may also want to manually check those two files on any websites that you suspect are compromised.

The email can be reset back to what it is supposed to be by using the “Change” button within the WHM drop down for the affected accounts:

reset-contact-email

Please note that your legitimate contact email may be listed in WHM even if the files themselves have the attacker’s email. You’ll also want to change the cPanel password when you do this, as it has undoubtedly been compromised.

DISABLE EMAIL PASSWORD RESET ENTIRELY!

Malicious Plugins

Another characteristic of this attack is the existence of malicious plugins installed by the compromised admin accounts, for instance:

reset-contact-email

./wp-content/plugins/bjpabcupmj
./wp-content/plugins/eacbjiwfsd
./wp-content/plugins/gghdsuyyng
./wp-content/plugins/lhtsmftqnz

They all have randomised, 10-character long names and contain a number of malicious scripts including backdoor uploads, filesman web shells, and automated attack scripts to automatically propagate malware throughout the rest of the system.

They each contain an innocuous file titled:

three-column-screen-layout.php

With some benign code to trick the victim into thinking the plugin is legitimate:

reset-contact-email

But this code doesn’t actually do anything. Adjacent to this file are a number of backdoors and webshells:

auto_seo.php

reset-contact-email
php.hacktool.configuration_stealer.027

ynirzsxjog.php

reset-contact-email
php.backdoor.uploader.520

mjybyllfrw.php

reset-contact-email
php.backdoor.filesman.121

jdzjqygcgv.php

reset-contact-email
php.backdoor.foxauto.001

The attackers will often add a file manager plugin to the wp-admin dashboard. This plugin should be removed as well if you do not need it on your website!

Symlink Protection & Symlink Bombs

But the fun doesn’t stop there! Once they’ve established cPanel access, they are able to move laterally through the server environment by the use of symlinks (if the server is using the default configuration).

By default, WHM environments have the “symlink protection” feature disabled:

reset-contact-email

To quote the official cPanel knowledge base:

The FollowSymlinks option exposes Apache to a symlink security vulnerability. This symlink vulnerability allows a malicious user to serve files from anywhere on a server that strict operating system-level permissions do not protect.

It’s anybody’s guess as to why this glaring security flaw is part of the default configuration. If I had to guess, it would be because enabling it causes a modest decrease in performance across the server. Website designers want their websites to perform quickly and would prefer not to go to the trouble of optimizing their websites if they don’t have to.

reset-contact-email

Using these, they move laterally through the websites and infect as many other sites as they can get their hands on.

Symlinks can be a bit tricky to remove because depending on the method used, the system may try to follow the symlink and delete the destination file. This can cause a major headache. Most often the symlink bomb directories can be safely sent to the trash using the cPanel file manager.

Another safe method of removal is to connect to the server via FTP (using a program like FileZilla), navigate to the symlink bomb directory, select them all, right click and delete. When it asks if you want to remove just the symlink or the target file as well select just “Delete symlink”. This can take some time, depending on how many are present in the directory.

★ ENABLE SYMLINK PROTECTION
★ SAFELY REMOVE SYMLINK BOMBS

Stored wp-admin credentials and admin name change

Another hallmark of this attack is that the attackers will rename the primary wp-admin administrator account name to something like:
anonymousfox-xxxx

With a random string of characters at the end. They will then change the administrator passwords of all affected websites in the environment and store them in a publicly accessible Panels.txt file in one of the websites:

wp-admin-panel
Compromised logins stored in .txt file

It is also fairly common for the attackers to add in additional wp-admin users. Most recently we’ve seen them using bogus fbi.gov email addresses. If you see one, consider it a red flag. Make sure to get all unfamiliar admin users removed!

★CHANGE YOUR ADMIN USER NAME IN THE DATABASE, CHANGE THE PASSWORD AND REMOVE ANY SUSPICIOUS ADMINISTRATOR ACCOUNTS

Malicious Email Addresses

“anonymousfox” and/or “smtpfox” as the account name:

cPanel-bogus-email

These email accounts serve two purposes:
1) They use these accounts to replace the contactemail and .contactinfo information in order to re-infect the cPanels once the passwords are reset (so they don’t have to use one single email address to manage all websites)
2) They can be sold on the black market to spammers who send out bogus emails (like phishing) using compromised email lists

★REMOVE THE BOGUS EMAIL ACCOUNTS

.htaccess nuisance malware

Another common symptom of this infection is that the attackers will litter the environment with hundreds or thousands of .htaccess files with content similar to the following:

.htaccess-file-litter

These .htaccess rules serve only to disrupt the normal functionality of the website by denying any php execution. When placed within the wp-admin panel, it prevents the website administrator from the ability to perform basic maintenance tasks, update plugins, or edit posts/pages.

Removing these files one by one would take a small eternity, so you would want to run an SSH command to remove them all in bulk. An example command to find all .htaccess files (both benign and malicious) would be:
find . -name .htaccess

Following this, you could use a simple rm command across all matched files. Make sure not to remove the primary .htaccess file in the website root, otherwise all the links on your website may return 404 Not Found responses!

You could also potentially write a sed command to remove the content, but this is more advanced and riskier.

★REMOVE THE BOGUS .HTACCESS FILES

Unsafe php.ini ruleset

The attackers will also place a php.ini file within the website root directory:

php.ini-file-in-root-directory

The file attempts to override some security rules in place within the hosting environment and ease restrictions to make it easier for their malware to execute and propagate throughout the websites.

Remediation of Malware

This is where things get tricky. There is no single variety of malware which is associated with this infection. The attackers are able to choose which type of malware is uploaded into the environment, so this can vary between websites.

We have a handy guide on how to fix a hacked WordPress website.

The most common variety of malware that we’ve found in these infected environments is plain old phishing:

phishing- malware

This is likely because it’s one of the easier ways for the attackers to make money. Most phishing allows the attackers to steal banking login information or credit card payment details. This has a direct financial reward.

Other types of phishing like Facebook or Netflix provide rewards as well, but not necessarily a direct financial one.

If you do not yet have two factor authentications enabled at your financial institution online portal then here’s a friendly reminder to get that enabled as soon as possible!

Here are some other examples of malware that we have seen associated with these compromised environments:

malware-example
./wp-ver.php

malware-example
Infected ./wp-blog-header.php

malware-example
Infected ./wp-includes/functions.php

malware-example
Backdoor in ./wp-includes/js/jcrop/jcrop/index.php

malware-example
Infected ./index.php

These are just a few examples. The malware may vary from infected website to infected website. As you can see in the provided examples the obfuscation used in the different files is quite similar to one another.

If you can determine a rough time frame when the infection occurred (by checking the last modified dates of some of the infected files) you can run an SSH command to find other files modified around the same time. For example, if you determine that the infection occurred roughly fifteen days ago, the following command will show you other files that may be infected:
$ find ./ -type f -mtime -15

You could also use a “micropattern” to search through the contents of the files to find obfuscated code. Using the examples above I might use the “grep” command for the following string:
${“\x

Reinfecting processes

In some instances, the malware will spawn malicious processes running on the server which immediately reinfect some of the files; most commonly the following:
./index.php
./.htaccess

The malware will chmod the files to 444 preventing them from being modified. If you see this behaviour occurring the malicious process(es) will need to be killed off via SSH using the following command:
kill -9

With the pid being the process ID. Oftentimes the malicious process is referencing an obscure PHP file. For example:

php-file

In the above example you would run:
kill -9 6727

To see all running processes on the server you can run:
ps -aux

Be careful with killing off processes that you are unsure about. It could potentially bring down the website or server, particularly if the commands are run as the root user.

Once the bogus process(es) are nuked you can proceed to remove the malware from the affected files.
Be warned: If the infection is left untreated it will quickly respawn the process(es). You may need to take your website offline during this process by use of an .htaccess file that denies all requests to the website or by renaming public_html entirely.

★KILL OFF ALL SPAWNING MALICIOUS PROCESSES!

In Conclusion

The AnonymousFox hack is a complicated, labour-intensive compromise to remediate. If you’d like our assistance with getting rid of the malware you can sign up for our security services.

If you’d prefer to give it a shot yourself, here are the steps from this article condensed into a few handy dandy bullet points:

★ Make a backup of your files and database before proceeding
★ Take your website offline temporarily for the remediation process (not necessary but sometimes helpful)
★ Remove malicious plugins, ini files, .htaccess files, and malware from infected core/theme/plugin files
★ Kill off any bogus processes running on the server
★ Change your wp-admin user name back to its proper name using a database management tool like PHPMyAdmin or Adminer
★ Remove any bogus wp-admin administrator accounts
★ Remove malicious email addresses from cPanel interface
★ Reset the contact email back to default
★ Enable symlink protection
★ Safely remove symlink bomb directories
★ Disable cPanel password reset
★ Change wp-admin administrator, cPanel and database passwords
Secure your wp-admin dashboard
★ Update all plugins, themes, and core CMS files
★ Place your website behind a firewall

Credits

Security Contributors:

Ben Martin – Author
Security Researcher | @_jamsec

Cesar Anjos
Security Researcher

Ashley Sand
Technical Account Manager I|@ashley_sand

Allison Bondi
Marketing Specialist

Madiha Munawar
Graphic Designer | @Maddie_318