• Hi, on a lot of my WordPress websites my administrator user has changed to one called anonimousfox_zyx, and the password has also changed. Need help please.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter kazack84 (@kazack84)

    He has used this file in a plugin: three-column-screen-layout.php

    IDK. I have five sites hit with this Anonymous Fox hack over the past week. Some of them are years old and not updated; one was set up with a premium paid theme two months ago (August 2021) and everything was newly installed at the time. MageFix is suggesting that WordPress is allowing malicious scripts to get injected, and they can dive into cPanel and start changing things in cPanel as well as WordPress. This is what I’ve been seeing. In one case, all plugins and themes were within two months of being updated. Your link says the solution is to update WordPress versions, but one of my first sites hacked is running 5.8.1. I think we may need something more specific than “update your stuff and pay for your plugins.”

    Hi. I was hit lately as well with this hack and it seems to be able to jump from cPanel to cPanel inside the entire server… it keeps changing the user name. No strange files found inside the WP install…

    @coadr93 , yes. The Anonymous Fox toolkit has a reputation for infecting WordPress and then using WHM / cPanel to jump between cPanel accounts. Although, in my experience, it can only jump to other cPanel accounts that have WordPress. I think it “lives” in WordPress, but can travel through cPanel as well as change cPanel passwords and set up and use cPanel email accounts from its home in WordPress.

    Here is the WordFence writeup on the cPanel vulnerability: https://www.wordfence.com/blog/2021/06/service-vulnerabilities-shared-hosting-symlink-security-issue-still-widely-exploited-on-unpatched-servers/

    I am surprised you don’t see suspicious files. Do you have a plugin that identifies suspicious files? For me, Anonymous Fox always started with extraneous plugins, zip files, and php files.

    We had five affected sites. We had to rebuild four of them, and managed to save one. Out of 250 websites, no static/hand-coded site or associated cPanel was affected. Just WordPress. After rebuilding/cleaning the sites and adding a different firewall/security plugin, we have had no problems. Can’t tell if we are better protected or if the hacker just moved on to the next server.

    Hi!
    I got the same issue. Admin account created, several email addresses created in cPanel. I did a reinstall of WordPress through FTP/cPanel, replacing all folders except wp-content and the database, which was from a backup from a few days earlier when I was already infected. The backup before that was from January and would change quite some contents on the site, so I took the risk (not really sure if it matters in the case of Anonymousfox).

    I was able to change all passwords in cPanel and wp-admin and install Wordfence and iThemes with 2FA logins, and for a bit more than 24 hours now I haven’t had any new email/user/plugin surprises in WordPress, cPanel or the database. I wonder if it worked. What could I do exactly to be sure, since the security plugin scans don’t find anything?
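    One concrete way to answer the “what could I do to be sure” question above, added here as an example and not code from anyone in this thread: a small sweep over a WordPress install for the leftovers the earlier replies describe (PHP files under wp-content/uploads, stray zip archives, and plugin entries nobody installed). The expected plugin list, the fixture paths and the sample file names are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Sweeps a WordPress install for the
# leftovers the replies describe: PHP files under wp-content/uploads, stray
# .zip archives, and plugins the site owner never installed.
# Usage: wp_leftovers /path/to/wordpress "wordfence akismet"

wp_leftovers() {
    wp_root="$1"
    expected="$2"   # space-separated plugin slugs you installed yourself

    # Uploads should contain media only; any PHP there is a dropped script.
    find "$wp_root/wp-content/uploads" -type f -iname '*.php' 2>/dev/null |
        sed 's|^|php-in-uploads: |'

    # Zip archives left in wp-content are usually packages that were unpacked
    # into rogue plugins or themes.
    find "$wp_root/wp-content" -type f -iname '*.zip' 2>/dev/null |
        sed 's|^|zip-archive: |'

    # Every entry in plugins/ (a directory or a single-file plugin such as
    # hello.php) must be on the expected list; index.php is WordPress's own.
    for entry in "$wp_root"/wp-content/plugins/*; do
        [ -e "$entry" ] || continue
        slug=$(basename "$entry" .php)
        [ "$slug" = "index" ] && continue
        case " $expected " in
            *" $slug "*) ;;
            *) echo "unexpected-plugin: $slug" ;;
        esac
    done
}

# Constructed fixture (assumed layout): a fake install with one legitimate
# plugin plus the kinds of leftovers discussed above. Prints the root path.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2021/09" \
             "$root/wp-content/plugins/wordfence"
    echo '<?php // legitimate plugin' > "$root/wp-content/plugins/wordfence/wordfence.php"
    echo '<?php // silence is golden' > "$root/wp-content/plugins/index.php"
    echo '<?php // dropped script'    > "$root/wp-content/uploads/2021/09/cache.php"
    echo '<?php // rogue plugin file' > "$root/wp-content/plugins/three-column-screen-layout.php"
    : > "$root/wp-content/uploads/wp-plugin-backup.zip"   # constructed name
    echo "$root"
}
```

    Run it against the real install root after the cleanup; an empty result means none of these three classes of leftovers is present, not that the site is clean.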

    Rod, in response to “What could I do exactly to be sure, since the security plugin scans don’t find anything?”

    If you have WHM access (which is over cPanel), there is an inclusive scanner called ImunifyAV. They don’t have overlapping products with iThemes, so I am hoping it’s okay to mention them here. ImunifyAV will provide an additional scan of your whole server (or virtual server). We’ve been enjoying that. In today’s heightened attack environment, our clients have also been getting their cPanels broken into. The hacking programs do some things that would be outside the scope of a WordPress plugin firewall/scanner to detect. Or our clients have websites that we host but don’t manage – where no firewall has been installed. ImunifyAV helps to identify those threats as well.

    Another provider that’s been super helpful and has services that do not overlap with iThemes is FixRunner. For $150, they’ll download your site, clean it, and upload a clean version to your server.

    Hi @gary-n-galax Thank you for sharing. I don’t think I have access to WHM; I can’t find ImunifyAV anywhere in cPanel.

  • The topic ‘admin user changed to name anonimousfox’ is closed to new replies.