Learnitive for Learnitive

Posted on • Updated on • Originally published at learnitive.com

Website Security Improvements

Recently, Learnitive survived an #AnonymousFox infection. In this post we’ll describe what AnonymousFox is and how it works, describe common indicators of compromise, and outline the steps you can take to mitigate the risk of an infection. This article was first published at the Learnitive.com/blog.

What are the signs of an AnonymousFox infection?

AnonymousFox infections are most commonly associated with phishing payloads, spam, and redirects to scam or malware sites. That being said, there are a couple of key indicators to look out for.

The script we used for the recent AnonymousFox infection removal.

```bash
#!/bin/bash
# Removal script used for the recent AnonymousFox infection.
# Run it from the application root: every path below is relative to it.
# Duplicate entries from the original list have been collapsed.
set -u

# Injected files in the project root
rm -rf load.php
rm -rf index.php
rm -rf lock360.php

# Injected PHP files hiding among legitimate assets
rm -rf public/load.php
rm -rf public/years.php
rm -rf public/store/1129
rm -rf public/assets/vendors/fontawesome/js/settings.php
rm -rf public/assets/admin/css/skins/admin.php
rm -rf public/assets/admin/css/skins/license.php
rm -rf public/assets/admin/fonts/admin.php
rm -rf public/assets/admin/vendor/wp-login.php
rm -rf public/assets/frontend/default/landing/sass/theme-styles/themes.php
rm -rf resources/sass/learningPage/load.php

# Dropped wp-admin / wp-includes directories
rm -rf public/wp-admin
rm -rf public/wp-includes

# Directories removed wholesale; restore the legitimate assets
# from a clean backup afterwards
rm -rf public/css/load.php
rm -rf public/css
rm -rf public/images
```

Some AnonymousFox tools create malicious server processes that constantly reinfect files until they are killed off.

Hacked index.php

Most commonly, the malware chmod’s the ./index.php and ./.htaccess files to 444 to prevent them from being modified. We often find the malicious processes referencing an obscure PHP file somewhere in the compromised environment.

Here is an example of the hacked index.php code, deobfuscated with UnPHP.

If a number of unknown or suspicious processes are running on your server and they respawn shortly after clearing them, this may be an indication that you’ve been infected by AnonymousFox.

You’ll want to exercise caution when killing off processes. If commands are run as the root user, they can potentially bring down the website or server. This is where assistance from your hosting provider can come in handy.

Once the processes have been successfully removed, you can proceed with removing the malware from any affected files in your environment.

The .htaccess malware

AnonymousFox infections commonly include hundreds — or even thousands — of .htaccess files which serve to disrupt the normal function of the website.

This .htaccess malware can be found littered throughout the website environment to deny PHP execution and disrupt access to files — and, depending on the location, can prevent website admins from performing basic updates, post modifications, or even regular maintenance tasks.

How to clean up an AnonymousFox hack?

  • Delete unfamiliar or unused plugins, themes, and other extensible components.
  • Check for and safely remove unrecognized symlinks, then enable symlink protection if it hasn’t already been enabled. (You may need to check with your hosting provider on this matter.)
  • Remove suspicious admin accounts from the database, and update your usernames and passwords.
  • Check for and remove any unrecognizable email accounts.
  • Search for and remove bogus .htaccess files from your environment.
  • Kill off spawning malicious processes.
  • Check for and remove malicious cron jobs.
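A triage script for the indicators described above (the read-only index.php/.htaccess files and the planted .htaccess files that switch off PHP or deny access). This is an added example, not a script from the original post or from Learnitive; it only reports suspicious files for manual review and never deletes anything. The directive pattern and the sample tree it builds are constructed for illustration.

```bash
#!/bin/bash
# Added triage example (not from the original post): scan a web root for
# AnonymousFox indicators and report them. Nothing is deleted; review the
# report, then clean and restore from a trusted backup.
# Assumes POSIX find/grep. Pattern list and sample tree are constructed.
set -u

# Directives commonly seen in planted .htaccess files: they disable PHP
# or deny access to the directory, which is what disrupts the site.
SUSPECT_HTACCESS_RE='php_flag[[:space:]]+engine[[:space:]]+off|php_admin_flag|RemoveHandler|Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied'

# scan_htaccess DIR: print every .htaccess under DIR matching the pattern.
scan_htaccess() {
    find "$1" -type f -name .htaccess -exec grep -lEi "$SUSPECT_HTACCESS_RE" {} +
}

# scan_locked DIR: print PHP and .htaccess files whose mode is exactly 444,
# the permission the malware sets so the owner cannot edit them.
scan_locked() {
    find "$1" -type f \( -name '*.php' -o -name .htaccess \) -perm 444
}

# count_findings DIR: total number of distinct suspicious files.
count_findings() {
    { scan_htaccess "$1"; scan_locked "$1"; } | sort -u | wc -l | tr -d ' '
}

# make_sample DIR: build a constructed tree that mimics an infected site.
make_sample() {
    local root="$1"
    mkdir -p "$root/public/assets/admin/css/skins" "$root/public/images"
    printf 'AddType application/x-httpd-php .html\n' > "$root/.htaccess"   # benign
    printf '<FilesMatch ".php$">\nDeny from all\n</FilesMatch>\n' > "$root/public/images/.htaccess"
    printf 'php_flag engine off\n' > "$root/public/assets/admin/css/skins/.htaccess"
    printf '<?php echo "hello"; ?>\n' > "$root/public/index.php"
    printf '<?php /* constructed injected file */ ?>\n' > "$root/public/assets/admin/css/skins/admin.php"
    chmod 644 "$root/public/index.php"
    chmod 444 "$root/public/assets/admin/css/skins/admin.php"
}

# Demo run: ./scan.sh --demo builds the sample tree and reports on it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); make_sample "$tmp"
    scan_htaccess "$tmp"; scan_locked "$tmp"
    echo "findings: $(count_findings "$tmp")"; rm -rf "$tmp"
fi
```

Run `scan_htaccess /path/to/webroot` and `scan_locked /path/to/webroot` against a real site to get the review list; on the sample tree the demo reports two planted .htaccess files and one locked PHP file.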

How to protect your site against AnonymousFox?

  • Secure and restrict access to your admin panels.
  • Keep all software up to date with the latest patches — including core CMS, plugins, themes, Apache, PHP, WHM/cPanel, and other extensible components.
  • Remove unused software and components to create fewer entry points.
  • Use secure passwords and multi-factor authentication.
  • Isolate your website to prevent cross-site contamination.
  • Create and set up an automatic backup schedule for your website.
  • Use a web application firewall to block brute force attacks, virtually patch known vulnerabilities, and mitigate DDoS.
  • Use Cloudflare DNS.
  • Block all these websites from accessing your site.

This post is inspired by Cesar Anjos’s original post: How to Find & Clean Up the AnonymousFox Hack.

What is Learnitive?

Learnitive (Learn + interactive) is an interactive, advanced e-learning platform. It not only lets you watch video lessons, but also lets you execute interactive illustrations, code, and OS commands inside your browser! It supports 50+ programming languages.

Join Learnitive today!
