cPanel login after AnonymousFox hack
After an attack by AnonymousFox, with a lot of effort, I have regained control of the server.
If I try to log in to cPanel directly from WHMCS I get in, no worries.
However, if I try to log in from the login page it fails with
A network error occurred during your login request. Please try again. If this condition persists, contact your network service provider.
The log /usr/local/cpanel/logs/error_log shows:
cpsrvd 3270daefd1ff: Failed to lookup the password file entry for the user "fox"
[2020-01-23 18:08:45 +1000] info [cpaneld] Internal Server Error: "POST /login/?login_only=1 HTTP/1.1" 500 Error ID 3270daefd1ff
Somewhere, no matter which user name I try, it seems to be attempting to get in as the user "fox". I can't find anything in /etc/passwd that would cause this; all users seem to be there. Any ideas on what is happening here and how to solve it?

I just found /var/cpanel/pw.cache/2:1391. The content is {"VERSION":"1.01","cachetime":1579644017,"contents":["fox","$6$BOdRNoFC$XcYWiJ.DIfoGxh214qK1GrQtnMS2j/6gcY5P5oBu7q.0Q3rAUn4nNR2gARMmxTv/3No1nJ.LJ2S/OP0G9js/81","1391","1392","","","","/home/fox","/bin/bash","7","18282",1579644017,1579691683],"hcachetime":1579691683}. There is no directory /home/fox.
OK... this may help someone else down the track. A lot of grep-ing and I eventually discovered /var/cpanel/resellers had a single line "fox:all". Removing that line gave me full access again.
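The two places the rogue "fox" user turned up above (a reseller line with no matching system user, and a pw.cache entry pointing at a home directory that does not exist) can be checked the same way on any cPanel box. The script below is an added example, not the thread's or cPanel's own code; it reproduces those checks under a root prefix, with a constructed sample tree standing in for the server, and assumes the pw.cache layout of the JSON quoted above (user at index 0, home directory at index 7 of "contents").

```python
"""cPanel account consistency audit: an added example, not the thread's or
cPanel's own code. It automates the two checks the OP did by hand after the
attack: a line in /var/cpanel/resellers for a user missing from /etc/passwd,
and a /var/cpanel/pw.cache entry whose home directory does not exist. Every
path hangs off a root prefix; on a live box call audit("/") as root."""
import json
import os
import tempfile


def read_passwd_users(passwd_path):
    """Usernames in a passwd(5)-format file."""
    users = set()
    with open(passwd_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                users.add(line.split(":", 1)[0])
    return users


def orphan_resellers(resellers_path, passwd_users):
    """Reseller lines ('user:acl,acl,...') whose user has no passwd entry."""
    orphans = []
    if not os.path.isfile(resellers_path):
        return orphans
    with open(resellers_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line:
                name, _, acls = line.partition(":")
                if name not in passwd_users:
                    orphans.append((name, acls))
    return orphans


def suspicious_pw_cache(cache_dir, passwd_users, root):
    """pw.cache entries whose user is unknown or whose home dir is missing.

    Each cache file is JSON shaped like the one quoted in the thread: in its
    "contents" list index 0 is the user and index 7 the home directory
    (positions assumed from that sample, not from cPanel documentation)."""
    findings = []
    if not os.path.isdir(cache_dir):
        return findings
    for fname in sorted(os.listdir(cache_dir)):
        try:
            with open(os.path.join(cache_dir, fname), encoding="utf-8") as fh:
                contents = json.load(fh)["contents"]
            user, home = str(contents[0]), str(contents[7])
        except (OSError, ValueError, KeyError, IndexError, TypeError):
            findings.append((fname, None, "unparseable cache entry"))
            continue
        reasons = []
        if user not in passwd_users:
            reasons.append("user not in passwd")
        if not os.path.isdir(os.path.join(root, home.lstrip("/"))):
            reasons.append("home dir missing")
        if reasons:
            findings.append((fname, user, "; ".join(reasons)))
    return findings


def audit(root):
    """Run both checks below a root prefix and return the findings."""
    passwd_users = read_passwd_users(os.path.join(root, "etc/passwd"))
    return {
        "orphan_resellers": orphan_resellers(
            os.path.join(root, "var/cpanel/resellers"), passwd_users),
        "pw_cache": suspicious_pw_cache(
            os.path.join(root, "var/cpanel/pw.cache"), passwd_users, root),
    }


def build_sample_tree():
    """Constructed sample: one legitimate account plus the rogue 'fox'."""
    root = tempfile.mkdtemp(prefix="cpanel-audit-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "var/cpanel/pw.cache"))
    os.makedirs(os.path.join(root, "home/acme"))  # acme's home really exists
    with open(os.path.join(root, "etc/passwd"), "w", encoding="utf-8") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n"
                 "acme:x:1001:1001::/home/acme:/bin/bash\n")
    with open(os.path.join(root, "var/cpanel/resellers"), "w",
              encoding="utf-8") as fh:
        fh.write("acme:list-accts\nfox:all\n")  # second line as in the thread
    entry = {"VERSION": "1.01", "cachetime": 0, "hcachetime": 0,
             "contents": ["fox", "HASH-PLACEHOLDER", "1391", "1392", "", "",
                          "", "/home/fox", "/bin/bash", "7", "18282", 0, 0]}
    with open(os.path.join(root, "var/cpanel/pw.cache/2:1391"), "w",
              encoding="utf-8") as fh:
        json.dump(entry, fh)  # no /home/fox is created, just as on the OP's box
    return root


if __name__ == "__main__":
    report = audit(build_sample_tree())
    for name, acls in report["orphan_resellers"]:
        print(f"reseller {name!r} (acls: {acls}) has no passwd entry")
    for fname, user, why in report["pw_cache"]:
        print(f"pw.cache/{fname} user={user!r}: {why}")
```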
Do you use WordPress by any chance? Keen to know what this hack is; I came across a number of references to WordPress.
I am pretty certain it was a WordPress hack. Stupid me, I had a WordPress site on the same account as WHMCS, so once they got in via WP they got into WHMCS and ended up with root access. WHMCS is now isolated. It has been a very painful 24 hours but it looks like it is all over apart from cleaning up as the Imunify360 scan finds infected files.
I'm glad you were able to get this resolved, and thanks for posting the details here, as it will help others. Thanks!
Hi everybody. Is there any useful link you guys can provide on how to prevent AnonymousFox from breaking in? If it enters by injecting executable files through vulnerable WordPress plugins, it does mean that cPanel has a vulnerability allowing injected files to get root access. Is it exploiting a bug in cPanel? Or is there any current WHM configuration you can enforce to prevent that? Thanks in advance.
The AnonymousFox vulnerability, caused by running vulnerable scripts on a cPanel account, does not allow for root access, @kentbrockman. Allowing vulnerable content on the server, which in turn allows a way for an attacker to obtain access to the cPanel password reset, does not constitute a bug. What ultimately should be done here is remove the vulnerable content. You can also disable password resets for cPanel accounts to eliminate the ability of an attacker taking advantage of a vulnerable script to reset the contact email and in turn reset the password, but if you don't get rid of the vulnerability they can continue to manipulate data in other ways. The issue needs to be resolved at the root of it; addressing symptoms of an issue will only get you so far.
You can also disable password resets for cPanel accounts to eliminate the ability for an attacker taking advantage of a vulnerable script to be able to reset the contact email and in turn reset the password,...
Thanks Lauren. I know you must attack the root causes, but in a shared scenario with hundreds to thousands of websites spread across lots of servers, you obviously cannot be fully aware of what every customer uploads or whether security measures are in place. I will disable password recovery and that should help a lot, yes. Thanks for the tip, that's the kind of idea I was looking for!
Looks like this AnonymousFox hack has hit us too. Not sure how it started, but we've been battling it with the help of our provider for a while. Constantly changing the password didn't help. Thanks for the clue to look up the .contactemail file for the email address. We've also turned off password recovery. However, they continue to log in. So far only one account is left that keeps getting hacked into. Today we've tried turning on 2FA just for that account, AND disabling File Manager for all accounts. Imunify360 has been a lifesaver to immediately deal with the PHP uploads.
I guess we are all tired of this AnonymousFox thing here. Well, I want to share what's working for us. Implement it and this will be a shot in the knees for this virus.
1) Disable password reset.
2) In WHM, list your accounts sorted by contact email, and try to determine if nonsensical addresses are present. Double-check and fix what you consider wrong, as they may already have been modified.
3) In Apache Configuration, enable Apache Symlink Protection (beware: you need FollowSymlinks and SymLinksIfOwnerMatch active first).
4) In Apache Configuration > Include Editor > Post VirtualHost Include > All Versions, add the sequence below, which is the iThemes htaccess filters; these will stop the most common forms of virus and backdoors with a shot in their feet.
5) Run Imunify AV (even the free version is enough) on all of your accounts, with RapidScan and Binary (ELF) malware detection both enabled, and delete/clean infected files.
These are the htaccess filters mentioned in step 4:
[CODE=apacheconf]
# BEGIN iThemes Security - Do not modify or remove this line
# iThemes Security Config Details: 2
# NOTE: these rules are written in .htaccess form (patterns without a leading
# slash). In a server-level include such as cPanel's Post VirtualHost Include,
# mod_rewrite rules are not inherited by <VirtualHost> sections and patterns are
# matched against the full URL path, so verify the effect on a test vhost first.

# Pass through the Authorization header.
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

# Enable HackRepair.com's blacklist feature - Security > Settings > Banned Users > Default Blacklist
# Start HackRepair.com Blacklist
RewriteEngine on
# Start Custom Agent Blocking
RewriteCond %{HTTP_USER_AGENT} "^SemrushBot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^AhrefsBot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^bingbot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^PetalBot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^DotBot" [NC,OR]
# End Custom Agent Blocking
# Start Abuse Agent Blocking
RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*Indy" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*NEWT" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Maxthon$" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^SeaMonkey$" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Acunetix" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^binlar" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^BlackWidow" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Bolt 0" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^BOT for JCE" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Bot mailto\:craftbot@yahoo\.com" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^casper" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^checkprivacy" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^ChinaClaw" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^clshttp" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^cmsworldmap" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Custo" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Default Browser 0" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^diavol" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^DIIbot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^DISCo" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^dotbot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Download Demon" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^eCatch" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^EirGrabber" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^EmailCollector" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^EmailSiphon" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^EmailWolf" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Express WebPictures" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^extract" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^ExtractorPro" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^EyeNetIE" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^feedfinder" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^FHscan" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^FlashGet" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^flicky" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^g00g1e" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^GetRight" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^GetWeb\!" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Go\!Zilla" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Go\-Ahead\-Got\-It" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^grab" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^GrabNet" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Grafula" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^harvest" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^HMView" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Image Stripper" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Image Sucker" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^InterGET" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Internet Ninja" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^InternetSeer\.com" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^jakarta" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Java" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^JetCar" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^JOC Web Spider" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^kanagawa" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^kmccrew" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^larbin" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^LeechFTP" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^libwww" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Mass Downloader" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^microsoft\.url" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^MIDown tool" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^miner" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Mister PiX" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^MSFrontPage" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Navroad" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^NearSite" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Net Vampire" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^NetAnts" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^NetSpider" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^NetZIP" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^nutch" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Octopus" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Offline Explorer" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Offline Navigator" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^PageGrabber" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Papa Foto" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^pavuk" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^pcBrowser" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^PeoplePal" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^planetwork" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^psbot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^purebot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^pycurl" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^RealDownload" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^ReGet" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Rippers 0" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^sitecheck\.internetseer\.com" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^SiteSnagger" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^skygrid" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^SmartDownload" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^sucker" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^SuperBot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^SuperHTTP" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Surfbot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^tAkeOut" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Teleport Pro" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Toata dragostea mea pentru diavola" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^turnit" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^vikspider" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^VoidEYE" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Web Image Collector" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebAuto" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebBandit" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebCopier" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebFetch" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebGo IS" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebLeacher" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebReaper" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebSauger" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Website eXtractor" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Website Quester" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebStripper" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebWhacker" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebZIP" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Widow" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WPScan" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WWW\-Mechanize" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WWWOFFLE" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Xaldon WebSpider" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Zeus" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^zmeu" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "360Spider" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "CazoodleBot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "discobot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "EasouSpider" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "ecxi" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "GT\:\:WWW" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "heritrix" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "HTTP\:\:Lite" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "HTTrack" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "ia_archiver" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "id\-search" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "IDBot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Indy Library" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "IRLbot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "ISC Systems iRc Search 2\.1" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "LinksCrawler" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "LinksManager\.com_bot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "linkwalker" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "lwp\-trivial" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "MFC_Tear_Sample" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Microsoft URL Control" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Missigua Locator" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "MJ12bot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "panscient\.com" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "PECL\:\:HTTP" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "PHPCrawl" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "PleaseCrawl" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "SBIder" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "SearchmetricsBot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Snoopy" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Steeler" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "URI\:\:Fetch" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "urllib" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Web Sucker" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "webalta" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "WebCollage" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Wells Search II" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "WEP Search" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "XoviBot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "YisouSpider" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "zermelo" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "ZyBorg" [NC,OR]
# End Abuse Agent Blocking
# Start Abuse HTTP Referrer Blocking
RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?semalt\.com" [NC,OR]
RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?kambasoft\.com" [NC,OR]
RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?savetubevideo\.com" [NC]
# End Abuse HTTP Referrer Blocking
RewriteRule ^.* - [F,L]
# End HackRepair.com Blacklist, http://pastebin.com/u/hackrepair

# NOTE: the <Files> and <IfModule> containers in this section and the next were
# stripped when the post was rendered and are restored here. xmlrpc.php follows
# from the section title; the two system-file names (.htaccess, wp-config.php)
# are assumed, so adjust them to the files you actually want protected.
# Disable XML-RPC - Security > Settings > WordPress Tweaks > XML-RPC
<Files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Protect System Files - Security > Settings > System Tweaks > System Files
<Files .htaccess>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Disable Directory Browsing - Security > Settings > System Tweaks > Directory Browsing
Options -Indexes

RewriteEngine On

# Protect System Files - Security > Settings > System Tweaks > System Files
RewriteRule ^wp-admin/install\.php$ - [F]
RewriteRule ^wp-admin/includes/ - [F]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule (^|.*/)\.(git|svn)/.* - [F]

# Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads
RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

# Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins
RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

# Disable PHP in Themes - Security > Settings > System Tweaks > PHP in Themes
RewriteRule ^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

# Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings
RewriteCond %{QUERY_STRING} \.\.\/ [OR]
RewriteCond %{QUERY_STRING} \.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} https?: [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_decode\( [NC,OR]
RewriteCond %{QUERY_STRING} %24&x [NC,OR]
RewriteCond %{QUERY_STRING} 127\.0 [NC,OR]
RewriteCond %{QUERY_STRING} (^|\W)(globals|encode|localhost|loopback)($|\W) [NC,OR]
RewriteCond %{QUERY_STRING} (^|\W)(concat|insert|union|declare)($|\W) [NC,OR]
RewriteCond %{QUERY_STRING} %[01][0-9A-F] [NC]
RewriteCond %{QUERY_STRING} !^loggedout=true
RewriteCond %{QUERY_STRING} !^action=jetpack-sso
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com
RewriteRule ^.* - [F]
# END iThemes Security - Do not modify or remove this line
[/CODE]
Sorry, it's in Spanish, my native locale. Feel free to use it all or pick segments of interest. The most important parts are: blockage of XMLRPC and remote PHP execution of files within plugins/themes/uploads. Hope this helps others to stop this and other virii. Fixes and improvements are more than welcome. Good luck people.
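Step 2 above is a manual review of each account's contact address in WHM, and an earlier reply points at the per-account .contactemail file. The script below is an added example, not the thread's or cPanel's code: it reads each ~/.contactemail under a root prefix, diffs it against a baseline saved while the server was known-clean, and, going a step beyond the post, also flags one address that several accounts suddenly share. The baseline JSON layout (account to email) and the constructed sample tree are this example's own assumptions.

```python
"""Contact-email audit for cPanel accounts: an added example, not the
thread's or cPanel's code. It reads each account's ~/.contactemail, diffs the
result against a baseline taken earlier, and flags any address shared by
several accounts. The baseline JSON layout (account -> email) is this
script's own convention, not a cPanel file."""
import json
import os
import tempfile
from collections import defaultdict


def load_contact_emails(root):
    """Map account -> first line of <root>/home/<user>/.contactemail."""
    emails = {}
    home_root = os.path.join(root, "home")
    for user in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, user, ".contactemail")
        if not os.path.isfile(path):
            continue  # not a cPanel account directory (e.g. virtfs)
        with open(path, encoding="utf-8") as fh:
            emails[user] = fh.readline().strip().lower()
    return emails


def save_baseline(emails, path):
    """Persist the current mapping; run once while the server is clean."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(emails, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def diff_against_baseline(current, baseline):
    """(user, old_email_or_None, new_email) for every account that changed."""
    return [(user, baseline.get(user), email)
            for user, email in sorted(current.items())
            if baseline.get(user) != email]


def shared_addresses(current, min_accounts=2):
    """Addresses used by at least min_accounts distinct accounts."""
    by_email = defaultdict(list)
    for user, email in current.items():
        by_email[email].append(user)
    return {e: sorted(u) for e, u in by_email.items() if len(u) >= min_accounts}


def audit(root):
    """Compare live contact emails with <root>/contact-baseline.json."""
    current = load_contact_emails(root)
    baseline = load_baseline(os.path.join(root, "contact-baseline.json"))
    return {"changed": diff_against_baseline(current, baseline),
            "shared": shared_addresses(current)}


def build_sample_tree():
    """Constructed sample: three accounts, two of them re-pointed to one
    throwaway address after the baseline was taken."""
    root = tempfile.mkdtemp(prefix="contact-audit-")
    baseline = {"acme": "owner@acme.example", "bravo": "admin@bravo.example",
                "charlie": "it@charlie.example"}
    save_baseline(baseline, os.path.join(root, "contact-baseline.json"))
    now = dict(baseline, bravo="x9q2@mailbox.invalid",
               charlie="x9q2@mailbox.invalid")
    for user, email in now.items():
        os.makedirs(os.path.join(root, "home", user))
        with open(os.path.join(root, "home", user, ".contactemail"), "w",
                  encoding="utf-8") as fh:
            fh.write(email + "\n")
    return root


if __name__ == "__main__":
    report = audit(build_sample_tree())
    for user, old, new in report["changed"]:
        print(f"{user}: contact email changed from {old!r} to {new!r}")
    for email, users in report["shared"].items():
        print(f"{email} is the contact for {len(users)} accounts: {users}")
```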
Hi Kent, could you help me with a few questions?
Yes! Send me a private message, or even better, publish your questions here, in English, so that others can benefit from the answer. (Yes! Send me a private message, or even better, post your question here, in English, so that the answer can be useful to others too.)
I'm new here, how do I send you a private message?
I guess we are all tired of this AnonymousFox thing here. Well, I want to share what's working for us. Implement it and this will be a shot in the knees for this virus.
1) Disable password reset.
2) In WHM, list your accounts sorted by contact email, and try to determine whether nonsensical addresses are present. Double-check and fix what you consider wrong, as they may already have been modified.
3) In Apache Configuration, enable Apache Symlink Protection (beware: you need FollowSymlinks and SymLinksIfOwnerMatch active first).
4) In Apache Configuration > Include Editor > Post VirtualHost Include > All Versions, add the sequence below, which is the iThemes htaccess filters; it will stop the most common forms of the virus and backdoors with a shot in their feet.
5) Run Imunify AV (even the free version is enough) on all of your accounts, with RapidScan and Binary (ELF) malware detection both enabled, and delete/clean infected files.
These are the htaccess filters mentioned in step 4:
[CODE=apacheconf]
# BEGIN iThemes Security - Do not modify or delete this line
# iThemes Security Config Details: 2
# Pass through the authorization header.
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
# Enable the HackRepair.com blacklist feature - Security > Settings > Banned Users > Default Blacklist
# Start HackRepair.com Blacklist
RewriteEngine on
# Start Custom Agent Blocking
RewriteCond %{HTTP_USER_AGENT} "^SemrushBot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^AhrefsBot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^bingbot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^PetalBot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^DotBot" [NC,OR]
# End Custom Agent Blocking
# Start Abuse Agent Blocking
RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*Indy" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Mozilla.*NEWT" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Maxthon$" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^SeaMonkey$" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Acunetix" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^binlar" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^BlackWidow" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Bolt 0" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^BOT for JCE" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Bot mailto\:craftbot@yahoo\.com" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^casper" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^checkprivacy" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^ChinaClaw" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^clshttp" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^cmsworldmap" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Custo" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Default Browser 0" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^diavol" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^DIIbot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^DISCo" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^dotbot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Download Demon" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^eCatch" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^EirGrabber" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^EmailCollector" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^EmailSiphon" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^EmailWolf" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Express WebPictures" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^extract" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^ExtractorPro" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^EyeNetIE" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^feedfinder" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^FHscan" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^FlashGet" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^flicky" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^g00g1e" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^GetRight" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^GetWeb\!" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Go\!Zilla" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Go\-Ahead\-Got\-It" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^grab" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^GrabNet" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Grafula" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^harvest" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^HMView" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Image Stripper" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Image Sucker" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^InterGET" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Internet Ninja" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^InternetSeer\.com" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^jakarta" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Java" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^JetCar" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^JOC Web Spider" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^kanagawa" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^kmccrew" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^larbin" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^LeechFTP" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^libwww" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Mass Downloader" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^microsoft\.url" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^MIDown tool" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^miner" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Mister PiX" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^MSFrontPage" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Navroad" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^NearSite" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Net Vampire" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^NetAnts" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^NetSpider" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^NetZIP" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^nutch" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Octopus" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Offline Explorer" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Offline Navigator" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^PageGrabber" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Papa Foto" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^pavuk" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^pcBrowser" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^PeoplePal" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^planetwork" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^psbot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^purebot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^pycurl" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^RealDownload" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^ReGet" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Rippers 0" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^sitecheck\.internetseer\.com" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^SiteSnagger" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^skygrid" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^SmartDownload" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^sucker" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^SuperBot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^SuperHTTP" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Surfbot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^tAkeOut" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Teleport Pro" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Toata dragostea mea pentru diavola" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^turnit" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^vikspider" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^VoidEYE" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Web Image Collector" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebAuto" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebBandit" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebCopier" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebFetch" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebGo IS" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebLeacher" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebReaper" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebSauger" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Website eXtractor" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Website Quester" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebStripper" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebWhacker" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WebZIP" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Widow" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WPScan" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WWW\-Mechanize" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^WWWOFFLE" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Xaldon WebSpider" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^Zeus" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^zmeu" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "360Spider" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "CazoodleBot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "discobot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "EasouSpider" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "ecxi" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "GT\:\:WWW" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "heritrix" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "HTTP\:\:Lite" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "HTTrack" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "ia_archiver" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "id\-search" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "IDBot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Indy Library" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "IRLbot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "ISC Systems iRc Search 2\.1" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "LinksCrawler" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "LinksManager\.com_bot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "linkwalker" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "lwp\-trivial" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "MFC_Tear_Sample" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Microsoft URL Control" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Missigua Locator" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "MJ12bot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "panscient\.com" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "PECL\:\:HTTP" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "PHPCrawl" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "PleaseCrawl" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "SBIder" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "SearchmetricsBot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Snoopy" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Steeler" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "URI\:\:Fetch" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "urllib" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Web Sucker" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "webalta" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "WebCollage" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "Wells Search II" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "WEP Search" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "XoviBot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "YisouSpider" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "zermelo" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "ZyBorg" [NC,OR]
# End Abuse Agent Blocking
# Start Abuse HTTP Referrer Blocking
RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?semalt\.com" [NC,OR]
RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?kambasoft\.com" [NC,OR]
RewriteCond %{HTTP_REFERER} "^https?://(?:[^/]+\.)?savetubevideo\.com" [NC]
# End Abuse HTTP Referrer Blocking
RewriteRule ^.* - [F,L]
# End HackRepair.com Blacklist, http://pastebin.com/u/hackrepair
# Disable XML-RPC - Security > Settings > WordPress Tweaks > XML-RPC
# (Require/Order/Deny only work inside a <Files> or directory container; the xmlrpc.php one is restored here)
<Files xmlrpc.php>
	Require all denied
	Order allow,deny
	Deny from all
</Files>
# Protect System Files - Security > Settings > System Tweaks > System Files
# (the per-file <Files ...> wrappers around the next two blocks did not survive the forum formatting)
Require all denied
Order allow,deny
Deny from all
Require all denied
Order allow,deny
Deny from all
# Disable Directory Browsing - Security > Settings > System Tweaks > Directory Browsing
Options -Indexes
RewriteEngine On
# Protect System Files - Security > Settings > System Tweaks > System Files
RewriteRule ^wp-admin/install\.php$ - [F]
RewriteRule ^wp-admin/includes/ - [F]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule (^|.*/)\.(git|svn)/.* - [F]
# Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads
RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]
# Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins
RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]
# Disable PHP in Themes - Security > Settings > System Tweaks > PHP in Themes
RewriteRule ^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]
# Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings
RewriteCond %{QUERY_STRING} \.\.\/ [OR]
RewriteCond %{QUERY_STRING} \.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} https?: [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_decode\( [NC,OR]
RewriteCond %{QUERY_STRING} %24&x [NC,OR]
RewriteCond %{QUERY_STRING} 127\.0 [NC,OR]
RewriteCond %{QUERY_STRING} (^|\W)(globals|encode|localhost|loopback)($|\W) [NC,OR]
RewriteCond %{QUERY_STRING} (^|\W)(concat|insert|union|declare)($|\W) [NC,OR]
RewriteCond %{QUERY_STRING} %[01][0-9A-F] [NC]
RewriteCond %{QUERY_STRING} !^loggedout=true
RewriteCond %{QUERY_STRING} !^action=jetpack-sso
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com
RewriteRule ^.* - [F]
# END iThemes Security - Do not modify or delete this line
[/CODE]
Sorry, it's in Spanish, my native locale. Feel free to use it all or pick segments of interest. The most important parts are the blockage of XMLRPC and of remote PHP execution of files within plugins/themes/uploads. Hope this helps others stop this and other viruses. Fixes and improvements are more than welcome. Good luck, people.
I think this is awesome; however, I have some concerns. On shared hosting, please note that the blocking below may cause issues, because customers use these SEO tools for SEO optimization:
[CODE=apacheconf]
RewriteCond %{HTTP_USER_AGENT} "^SemrushBot" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^AhrefsBot" [NC,OR]
[/CODE]
Blocking PetalBot is an awesome addition, as it causes high load nowadays. So edit or change what is required. I will be testing this with one client for now and see if the customer is happy. Thanks for the contribution.
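As an added example that is not part of Kent's post or of iThemes Security itself, here is a Python re-implementation of two parts of the quoted block: the three "Disable PHP in Uploads/Plugins/Themes" rules and the suspicious-query-string chain. It runs them against constructed request paths and query strings so their effect, including one false positive, can be seen without a live Apache. The patterns are copied from the rules as posted; the sample requests and the function names are my own.

```python
import re

# Added example (not from the forum post or from iThemes Security): a Python
# re-implementation of the "Disable PHP in Uploads/Plugins/Themes" rules and
# the "Filter Suspicious Query Strings" chain from the posted block, so their
# effect on sample requests can be seen without a running Apache. Patterns are
# copied from the rules as posted; the sample requests are constructed.

# RewriteRule ^wp\-content/<dir>/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]
PHP_EXEC_RULES = [
    re.compile(r"^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$", re.I),
    re.compile(r"^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$", re.I),
    re.compile(r"^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$", re.I),
]

# The [OR]-chained RewriteCond %{QUERY_STRING} patterns, with their [NC] flag.
SUSPICIOUS_QS = [
    (r"\.\.\/", False),
    (r"\.(bash|git|hg|log|svn|swp|cvs)", True),
    (r"etc/passwd", True),
    (r"boot\.ini", True),
    (r"ftp:", True),
    (r"https?:", True),
    (r"(<|%3C)script(>|%3E)", True),
    (r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)", True),
    (r"base64_decode\(", True),
    (r"%24&x", True),
    (r"127\.0", True),
    (r"(^|\W)(globals|encode|localhost|loopback)($|\W)", True),
    (r"(^|\W)(concat|insert|union|declare)($|\W)", True),
    (r"%[01][0-9A-F]", True),
]
SUSPICIOUS_QS_RE = [re.compile(p, re.I if nc else 0) for p, nc in SUSPICIOUS_QS]

# The negated conditions that follow the chain (RewriteCond ... !pattern):
# if any of these patterns matches, the final RewriteRule does not fire.
QS_EXEMPT = [re.compile(p) for p in (r"^loggedout=true", r"^action=jetpack-sso", r"^action=rp")]
COOKIE_EXEMPT = re.compile(r"wordpress_logged_in_")
REFERER_EXEMPT = re.compile(r"^http://maps\.googleapis\.com")


def php_exec_blocked(rel_path):
    """True if a request for rel_path (relative to the document root, which is
    how mod_rewrite sees it in .htaccess/<Directory> context) gets a 403."""
    return any(r.search(rel_path) for r in PHP_EXEC_RULES)


def query_string_blocked(qs, cookie="", referer=""):
    """Evaluate the query-string chain the way mod_rewrite does: at least one
    [OR] pattern must match, and none of the exemptions may match."""
    if not any(r.search(qs) for r in SUSPICIOUS_QS_RE):
        return False
    if any(r.search(qs) for r in QS_EXEMPT):
        return False
    if COOKIE_EXEMPT.search(cookie) or REFERER_EXEMPT.search(referer):
        return False
    return True


# Constructed requests, each with the outcome the rules give it.
SAMPLE_PATHS = [
    ("wp-content/uploads/2021/02/photo.jpg", False),
    ("wp-content/uploads/2021/02/cache.php", True),
    ("wp-content/uploads/x.PHP7", True),                 # [NC] plus the php[1-7] alternative
    ("wp-content/uploads/x.phtml.", True),               # trailing dot tolerated by \.?$
    ("wp-content/plugins/some-plugin/ajax.php", True),   # direct requests to plugin PHP are blocked too
    ("wp-content/uploads/shell.php.jpg", False),         # not matched: the PHP extension must be last
    ("wp-includes/js/jquery/jquery.js", False),          # outside the three directories
]
SAMPLE_QUERIES = [
    ("p=123", "", "", False),
    ("s=union+station", "", "", True),                            # false positive: "union" between non-word chars
    ("s=union+station", "wordpress_logged_in_1=x", "", False),    # the logged-in cookie exempts it
    ("file=../../../etc/passwd", "", "", True),
    ("redirect_to=https://example.com/", "", "", True),           # a raw "https:" trips the chain
    ("redirect_to=https%3A%2F%2Fexample.com%2F", "", "", False),  # the URL-encoded form passes
]


def audit():
    """Run every sample and return the inputs whose outcome differs from the expected one."""
    mismatches = []
    for path, expected in SAMPLE_PATHS:
        if php_exec_blocked(path) != expected:
            mismatches.append(path)
    for qs, cookie, referer, expected in SAMPLE_QUERIES:
        if query_string_blocked(qs, cookie, referer) != expected:
            mismatches.append(qs)
    return mismatches


if __name__ == "__main__":
    for path, _ in SAMPLE_PATHS:
        print("403" if php_exec_blocked(path) else "200", path)
    for qs, cookie, referer, _ in SAMPLE_QUERIES:
        print("403" if query_string_blocked(qs, cookie, referer) else "200", "?" + qs)
    print("mismatches:", audit())
```

Two things the simulation makes visible. The PHP rules only match when the PHP extension is the last one, so `shell.php.jpg` passes; whether Apache would still execute such a file depends on how the PHP handler is registered (an `AddHandler` mapping considers every extension of a file name, a `SetHandler` inside `<FilesMatch "\.php$">` does not), which is worth checking on a cPanel server before relying on this rule alone. And the `^wp-content/` anchors assume per-directory context (.htaccess or a `<Directory>` block), where mod_rewrite strips the directory prefix before matching; at server or virtual-host level the tested path starts with `/`, and rewrite rules in the main server config are not inherited by virtual hosts unless `RewriteOptions Inherit` is set, so in a Post VirtualHost include they behave as in .htaccess only when placed inside a `<Directory>` section.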
Yes, I know about the concerns regarding Semrush and Ahrefs, but I particularly DON'T CARE. If some customer opens a ticket because those services cannot scan their sites, I can move that cPanel to a server where those are specifically allowed. And in case a customer complains about xmlrpc.php being blocked, I recommend adding an override to their .htaccess so it is allowed again:
[CODE=apacheconf]
# Allow XML-RPC back again
<Files xmlrpc.php>
	Require all granted
	Order allow,deny
	Allow from all
</Files>
# Allow XML-RPC back again
[/CODE]
Hi Kent, how can I contact you privately? I need to speak Spanish with you.
Go through my profile details here and you will find my website; the contact information is there. Just follow the breadcrumbs ;-)
I have the hack on one server with cPanel. I have disabled password restore via email, but it is still creating new mail accounts with smtpfox-random. I see some PHP files in the public_html folder, and .htaccess modified. Also, I see it is creating some PHP files in the /tmp dir; actually I have a crontab every second that deletes all files in /tmp, but that's not the solution, obviously. I checked the users' crontabs in /var/log/cron but I don't see anything.
Have you modified all the passwords? You should change the cPanel/FTP passwords, and also the contact email of the compromised accounts. WordPress sites are bots' targets of choice, so change the admin users' passwords there too. Also, fortify WP installs by blocking remote execution of PHP in the uploads/plugins/themes folders.
I've had this problem with the AnonymousFox hack over the past few months. I couldn't see how they kept hacking the server, but it seems to be a few different ways. Some activity I saw was brute-forcing WordPress logins. There were some successful logins, and they installed malicious PHP files into the WordPress content folders. When these PHP files were run, they did a lot of damage. It may have been multiple hackers. They modified .htaccess files and created symlinks to the server root, which allowed listing all accounts on the server, and they hacked every WordPress site on the server. Maybe I misconfigured something, but I was really surprised someone was able to put a symlink mirroring my entire server into the public folder. I'd like to be able to disable symlinks and can't see how. They set up phishing websites for Microsoft logins; I got a warning from Microsoft and had my server blacklisted. They tried to send tens of thousands of spam emails. They posted spam content onto WordPress blogs. They set up a wildcard domain so that multiple addresses pointed to the same hacked sites. They managed to get a cPanel login and were using this to add SMTP accounts (smtpfox accounts). It got to the point where I was considering blocking entire countries, as the hacks were coming from Russia, China, Ukraine, the Philippines etc., but they have even been using AWS and Google Cloud compute servers in the US and European countries; I reported some of the IPs.
After resetting every user's cPanel password and every WordPress password, things settled down a little, but I started noticing similar hacks with new PHP files. I found a compromised WordPress site and renamed the entire directory. Something replaced parts of the directory with the hack again as soon as I moved it, and similarly every time I deleted the index.php file. Checking the user account's processes, it showed multiple PHP processes running. These were persistent processes that had been spawned by the hack and were designed to keep hacking the site. I had around 8 PHP processes running. As soon as I stopped those processes, the deleted files were no longer replaced. I assume they are putting the hack into index.php so that every website visitor would restart the persistent hacked PHP process. This makes it very hard to find and remove when you don't know this is happening, because you keep looking for external hacks while they keep hacking from the inside, and there are no logs for it. My server seems to be fixed now, but it has taken months to clean everything up.
The easiest way to tell if you've been hacked is to check the modification dates of the files in the WordPress folders and look for suspicious PHP files and changed .htaccess files. Check the Apache access logs and the domlogs for user accounts that have been hacked. Check the cPanel logs for successful logins from unrecognized IPs. Use iptables or another firewall to blacklist IPs that show up frequently in the logs with lots of 404 errors; they are trying to hack the server. If a hack has taken place, reset all cPanel and WordPress account logins and remove any anonymousfox users that have been added (check the WordPress accounts in the site databases). Check every account for new SMTP accounts and delete them. Check every WordPress folder for modified files and remove the suspicious files. Check every user's running processes (ps -u username) to get the process id numbers. Then inspect each process id using ps -l pid, which will show the path of the PHP file it was spawned from. What a nightmare to clean up.
What would be useful is if cPanel or Unix had a mechanism to easily lock down vulnerable filesystem folders or send out a warning when someone writes new files to a particular folder. I've been thinking about making a custom monitoring tool to check log files and the filesystem for suspicious changes. I installed OSSEC, which gives me warnings about some brute-force logins, but it doesn't cover WordPress hacks, cPanel logins or file modifications out of the box. Things I'd like to monitor are:
- what file changes were made to public_html folders, per account
- what email addresses have been added
- what subdomains have been added
- lists of failed cPanel logins and Apache 404 errors, and which IPs are doing this, with a country identifier
Then have the ability to easily and quickly blacklist IPs. Currently I'm pasting them manually into iptables. cPanel could have a monitoring service, if there isn't one already, that reports hacks across multiple servers and feeds them into a central IP blacklist database. Each cPanel instance could retrieve the daily list of malicious IPs and block them, if they choose to, before they get a chance to try hacking them.
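Two of the checks this post leans on, recently modified PHP and .htaccess files under a public_html and IPs piling up 404s in the per-domain access logs, as an added Python example that is not code from the post. It builds a throwaway directory tree and a handful of constructed log lines so it runs offline; the function names and the 404 threshold are my own choices. In use you would point `recent_php_files` at each account's public_html and feed `count_404s` the lines of the domain's Apache access log.

```python
import os
import re
import tempfile
import time
from collections import Counter

# Added example (not from the forum post): the two triage checks the post
# describes, run on constructed data so it works offline. Function names and
# the 404 threshold are this example's own choices.

# Apache "combined" log line; only the fields needed here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')

# Constructed sample access-log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2021:03:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2021:03:14:02 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2021:03:14:02 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2021:03:14:03 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2021:03:14:03 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Feb/2021:03:15:10 +0000] "GET /about/ HTTP/1.1" 200 8833 "https://example.com/" "Mozilla/5.0"
198.51.100.20 - - [10/Feb/2021:03:15:11 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "https://example.com/" "Mozilla/5.0"
"""


def count_404s(lines, threshold=3):
    """Map IP -> number of 404 responses, keeping only IPs at or above threshold.
    One stray 404 (a missing favicon) is normal; a burst of them from one IP is
    the probing pattern the post recommends blacklisting."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("status") == "404":
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def recent_php_files(root, hours=48, now=None):
    """Relative paths under root of .php files (any case) and .htaccess files
    modified within the last `hours` hours, newest first."""
    now = time.time() if now is None else now
    cutoff = now - hours * 3600
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".php") or name == ".htaccess":
                path = os.path.join(dirpath, name)
                mtime = os.stat(path).st_mtime
                if mtime >= cutoff:
                    found.append((mtime, os.path.relpath(path, root)))
    return [rel for _mtime, rel in sorted(found, reverse=True)]


def build_sample_tree():
    """Constructed stand-in for a public_html: one untouched core file, a
    freshly rewritten .htaccess, and a PHP file dropped into uploads."""
    root = tempfile.mkdtemp(prefix="public_html_")
    now = time.time()
    layout = {
        "index.php": now - 30 * 86400,                       # untouched for a month
        ".htaccess": now - 3600,                             # rewritten an hour ago
        "wp-content/uploads/2021/02/cache.php": now - 600,   # PHP in uploads, 10 minutes old
        "wp-content/uploads/2021/02/photo.jpg": now - 600,   # recent, but not PHP
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("sample\n")
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    for ip, n in count_404s(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} x 404, candidate for the firewall blacklist")
    for rel in recent_php_files(build_sample_tree()):
        print(f"recently modified: {rel}")
```

Modification times are a first pass only: whoever can write the file can also reset its timestamp, so pair this with a hash baseline of the tree (or a comparison against a clean copy of the WordPress core files), and keep the post's `ps -u username` step for the self-restoring processes it describes, which no file listing will reveal.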
Sorry, it's in Spanish, my native locale. Feel free to use it all or pick segments of interest. The most important parts are: blockage of XML-RPC and remote PHP execution of files within plugins/themes/uploads. Hope this helps others to stop this and other viruses. Fixes and improvements are more than welcome. Good luck, people.
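As an added example that is not code from the post above: a POSIX shell filter that runs over Apache combined-format access logs (cPanel's per-domain domlogs) and reports direct requests to PHP files under wp-content/uploads, plugins or themes, the same paths the "Disable PHP in ..." rules cover. Before the rules are deployed, a 2xx on such a request points at a script that should never have been reachable; afterwards every one should be a 403. The function names, the sample log lines and the domlogs path are mine and constructed.

```shell
#!/bin/sh
# Added example, not code from the post above: report direct requests to PHP
# files under wp-content/uploads, plugins or themes in Apache combined-format
# access logs, the same paths the "Disable PHP in ..." rewrite rules cover.
# Before the rules are deployed a 2xx on such a request points at a script that
# should never have been reachable; afterwards every one should be a 403.
#
# Usage: php_in_content_hits < /path/to/domlogs/example.com   (placeholder path)

# Print "STATUS METHOD PATH" for each matching request. The match is
# case-insensitive and ignores the query string, as the [NC] rule does.
# Like the rule's regex, it stops at the PHP-family extension (optionally
# followed by a single dot), so a name such as avatar.php.jpg is not reported
# and needs a separate check.
php_in_content_hits() {
    awk '
    {
        # Combined log: host ident user [time] "METHOD PATH PROTO" status size ...
        if (split($0, q, "\"") < 3) next      # q[2] = request line, q[3] = " status size "
        n = split(q[2], r, " ")
        if (n < 2) next
        method = r[1]; path = r[2]
        sub(/\?.*/, "", path)                  # drop the query string
        split(q[3], s, " "); status = s[1]
        if (tolower(path) ~ /\/wp-content\/(uploads|plugins|themes)\/.*\.(php[1-7]?|pht|phtml?|phps)\.?$/)
            print status, method, path
    }'
}

# Constructed sample (not real traffic): documentation-range IPs, made-up paths.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [12/Mar/2021:10:01:02 +0000] "GET /wp-content/uploads/2021/03/image.jpg HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2021:10:01:07 +0000] "POST /wp-content/uploads/2021/03/wp-cache.php?x=1 HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2021:10:02:15 +0000] "GET /blog/wp-content/plugins/posts-layouts/init.php HTTP/1.1" 200 412 "-" "python-requests/2.25"
198.51.100.7 - - [12/Mar/2021:10:03:40 +0000] "GET /wp-content/themes/twentytwenty/style.css HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2021:10:04:01 +0000] "GET /wp-content/uploads/2021/03/cache.PHTML. HTTP/1.1" 403 199 "-" "curl/7.68.0"
198.51.100.7 - - [12/Mar/2021:10:04:30 +0000] "GET /wp-content/uploads/2021/03/avatar.php.jpg HTTP/1.1" 200 3310 "-" "curl/7.68.0"
EOF
)

# Run the filter over the constructed sample.
php_in_content_hits_demo() {
    printf '%s\n' "$SAMPLE_LOG" | php_in_content_hits
}

if [ "${1:-}" = "demo" ]; then php_in_content_hits_demo; fi
```

The subdirectory install (/blog/wp-content/...) is matched too, because the pattern looks for wp-content anywhere in the path rather than only at the document root.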
Hello Ken, since I included this in my server, Jetpack accounts are not working correctly. I've checked what you've done and supposedly it should work. Do you know why? I need to use wordpress.com logins. Thanks!
Hi Kent, I'm William from Perú. These Apache rules are for PHP 7; with the new version, PHP 8, I think it does not work. I have had AnonymousFox attacks in the last months. I add some points that helped:
1. Apply Kent Brockman's rules to Apache
2. Disable SSH Password Authorization Tweak
3. I changed the SSH port
4. I removed SSH shell access from all accounts
It was working pretty well for a few months, but the hackers were back again this week. In my case what they do is:
1. Change the passwords of all email accounts
2. Create accounts like anonymousxxxxx@
3. Change passwords of all wp-admin users in WordPress
4. Change the wp-admin usernames
5. Install wp-file-manager
6. They start to inject malware
7. They also add .htaccess files to all folders, with rules to block access to the WordPress panel
My question is: if I have already disabled SSH with password, what other way can they be using to connect to the server? They must have a way to execute their malicious commands. Additionally I have added to the Apache rules that work in PHP 1-8
One way I found that is mentioned at the top of this page is that they leave persistent PHP processes running on the server that keep hacking the server from the inside. There may be other methods. I kept looking through Apache access logs trying to find where someone had uploaded any of the malicious files, and at random I moved one of the compromised site folders and saw that it was immediately hacked again. I traced those files to some running PHP processes. After killing those, the hacks didn't get put back in.
On my server, the first point of entry seems to have been getting an account on WordPress by brute force or some other password compromise, then installing malicious plugins; I had wp-file-manager installed too. They inject malware into the WordPress header and index files. These spawn the malicious and persistent PHP processes when someone visits the site. You have to restore the original WordPress files to get rid of that part.
I find it baffling that out of the box Linux/Apache server systems are this insecure, that they allow such a wide-reaching compromise to happen so easily. Especially why symlinks are enabled in public web folders by default, which allows a hacker to show every system file and account after compromising a single site; this allowed them to wreck my entire server. New PHP scripts should also require authorization when doing file writes. When a developer adds a script, the first time they test a new site, they can authorize it. Hacked scripts trying to modify WordPress sites would then get flagged immediately. Also being able to lock down folders would be helpful. I'd like to lock down every WordPress plugins folder so if someone tries to add a plugin, they need approval and this can be flagged too.
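The "persistent PHP processes" described above show up in ps as PHP interpreters whose parent is PID 1: the script forked and outlived the web server request, CGI wrapper or cron job that started it. This added triage filter (mine, not the poster's) lists such processes by account, age and command line; the ps column set is the standard one, the sample ps output is constructed.

```shell
#!/bin/sh
# Added example, not code from the post above: list PHP processes that have been
# reparented to PID 1, i.e. that are no longer children of the web server, CGI
# wrapper or cron job that started them. That is what a PHP script that forks
# and keeps running "from the inside" looks like in ps output. Legitimate
# long-running PHP (queue workers, a WP-CLI job in screen) shows up too, so
# treat the output as a review list, not a kill list.
#
# Usage: ps -eo pid,ppid,user,etime,comm,args | orphan_php_procs [min_seconds]

# Filter ps output (with header) read on stdin. Prints "PID USER AGE ARGS" for
# each PHP interpreter whose parent is PID 1, that is not owned by root or
# nobody, and that has been running at least min_seconds (default 0).
orphan_php_procs() {
    awk -v min="${1:-0}" '
    # Convert the ps ELAPSED column ([[dd-]hh:]mm:ss) to seconds.
    function etime_secs(e,    dp, p, n, d, h, m, s) {
        d = 0
        if (index(e, "-") > 0) { split(e, dp, "-"); d = dp[1]; e = dp[2] }
        n = split(e, p, ":")
        if (n == 3) { h = p[1]; m = p[2]; s = p[3] } else { h = 0; m = p[1]; s = p[2] }
        return ((d * 24 + h) * 60 + m) * 60 + s
    }
    NR == 1 { next }                        # header line
    {
        pid = $1; ppid = $2; user = $3; comm = $5
        args = ""
        for (i = 6; i <= NF; i++) args = args (i > 6 ? " " : "") $i
        if (ppid != 1) next                 # still attached to its parent
        if (user == "root" || user == "nobody") next
        # php, php7.4, php-cgi, lsphp; not php-fpm, whose workers hang off the master
        if (comm !~ /^(php[0-9.]*|php-cgi|lsphp[0-9]*)$/) next
        secs = etime_secs($4)
        if (secs < min) next
        print pid, user, secs "s", args
    }'
}

# Constructed sample of "ps -eo pid,ppid,user,etime,comm,args" (not a real host).
SAMPLE_PS=$(cat <<'EOF'
  PID  PPID USER        ELAPSED COMMAND COMMAND
 1234  1000 nobody        00:03 php-cgi /usr/bin/php-cgi
 2201     1 shopuser 3-04:12:55 php     /usr/bin/php /tmp/.cache/x.php
 2202     1 shopuser 3-04:12:55 php     /usr/bin/php /tmp/.cache/x.php
 3310  3300 blogusr       01:07 php     /usr/bin/php /home/blogusr/bin/worker.php
 4100     1 root    12-00:00:01 php-fpm php-fpm: master process (/etc/php-fpm.conf)
 4121  4100 blogusr 12-00:00:01 php-fpm php-fpm: pool blogusr
 5555     1 shopuser      00:40 php     /usr/local/bin/php /home/shopuser/wp-cron.php
EOF
)

# Run the filter over the constructed sample; optional minimum age in seconds.
orphan_php_procs_demo() {
    printf '%s\n' "$SAMPLE_PS" | orphan_php_procs "${1:-0}"
}

if [ "${1:-}" = "demo" ]; then orphan_php_procs_demo "${2:-0}"; fi
```

With a minimum age of an hour the short-lived wp-cron run drops out and only the two three-day-old processes running from /tmp remain, which is the pattern worth checking before terminating anything by PID.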
Another thing to look out for is phishing emails. One of the clients using my server contacted me this week to say they received a cPanel email about their account storage running low, and it had fraudulent links to enter their cPanel login. The hackers are getting email addresses for domains and messaging the site owners. One compromise I had was from a legitimate cPanel login, so one of my clients likely clicked on one of those links. I reset the compromised cPanel passwords to random passwords and didn't give them to the clients, but this is a really easy way to fool people into handing over logins. Enabling two-factor authentication on cPanel logins would probably prevent this attack option. No matter if the passwords are reset, without two-factor enabled, hackers can just email the clients again and get the new login without the server operator knowing.
That is correct. And now in 2023 I found they are uploading other vulnerable plugins beyond "wp-file-manager", so I configured hourly cron jobs to kill them across the server, in combination with the updatedb command, for which you have to install mlocate on the server:
locate plugins/wp-file-manager|xargs rm -drf
locate uploads/wp-file-manager-pro|xargs rm -drf
locate plugins/posts-layouts|xargs rm -drf
locate plugins/wp-console|xargs rm -drf
locate plugins/background-image-cropper|xargs rm -drf
locate plugins/custom-scripts-for-customiser|xargs rm -drf
The virus is uploading PHP scripts to wp-admin and wp-includes too, so that it can override the PHP execution limitation on plugins/themes/uploads. It's uploading zip files, so that the uncompressed files keep the original last-modified date in the past and can go undetected. Only Imunify is able to detect the contents, but in some cases they are uploading clean code that may not trigger the alerts. I have noticed a couple of cases where the virus was able to write files in /tmp and somehow this allowed them to write backdoor files in other cPanel accounts, and edit data in other cPanel accounts' databases to change WordPress admin passwords, by the way. How is this possible from a single cPanel account?
Hello, this command is not working:
locate plugins/wp-file-manager|xargs rm -drf
locate: can not stat () `/var/lib/mlocate/mlocate.db': No such file or directory
First run updatedb and then locate should work.
Hi there. You need to install mlocate first, then do a full disk scan in order for this to work. I prefer locate over find; it's a personal choice. To install and index files, simply run this:
yum install mlocate -y && updatedb;
Then you will be able to run the above-mentioned locate commands. Regards
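The hourly "locate ... | xargs rm -drf" job from the earlier reply, reworked as an added example (mine, not any poster's code) that the mlocate install and updatedb step above feeds: the match is anchored to a directory named exactly like one of the rogue plugins the thread lists, each hit is archived before removal so the evidence survives for review, and paths with spaces are handled. The quarantine directory, the function names and the throwaway demo tree are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a quarantine step to run in place of
# the hourly "locate <name> | xargs rm -drf" cron lines from the earlier reply.
# Differences: the match is anchored, so only a directory named exactly like one
# of the rogue plugins, directly under wp-content/plugins, qualifies (a look-alike
# such as wp-file-manager-backup, or a file that merely contains the substring,
# is left alone); each directory is archived with modes and mtimes intact before
# it is removed, so the evidence survives for review; paths with spaces are safe.
#
# Usage (as root, after updatedb):
#   locate wp-content/plugins/ | quarantine_rogue_plugins /root/quarantine   (assumed path)

# Plugin directory names the thread reports the attackers dropping.
ROGUE_PLUGINS='wp-file-manager posts-layouts wp-console background-image-cropper custom-scripts-for-customiser'

# stdin: candidate paths, one per line. stdout: those that are an existing
# directory named exactly like a rogue plugin, directly under wp-content/plugins.
rogue_plugin_dirs() {
    alt=$(printf '%s' "$ROGUE_PLUGINS" | tr ' ' '|')
    grep -E "/wp-content/plugins/($alt)/?$" | sed 's#/$##' | while IFS= read -r p; do
        if [ -d "$p" ]; then printf '%s\n' "$p"; fi
    done
}

# Archive every rogue plugin directory from stdin into "$1" as
# <path-with-slashes-as-underscores>_<epoch>.tar, then remove the original.
quarantine_rogue_plugins() {
    qdir=${1:?quarantine directory}
    mkdir -p "$qdir"
    rogue_plugin_dirs | while IFS= read -r dir; do
        parent=$(dirname "$dir"); name=$(basename "$dir")
        tarball="$qdir/$(printf '%s' "$dir" | tr '/' '_')_$(date +%s).tar"
        # -p keeps permission bits; run as root so ownership is kept as well
        if tar -C "$parent" -cpf "$tarball" "$name"; then
            rm -rf "$dir"
            printf 'quarantined %s -> %s\n' "$dir" "$tarball"
        else
            printf 'could not archive %s, left in place\n' "$dir" >&2
        fi
    done
}

# Constructed throwaway tree for the demo/test: two rogue plugins, one
# look-alike and one legitimate plugin. Prints the temporary root.
make_demo_tree() {
    root=$(mktemp -d)
    for d in shop/public_html/wp-content/plugins/wp-file-manager/lib \
             shop/public_html/wp-content/plugins/wp-file-manager-backup \
             blog/public_html/wp-content/plugins/akismet \
             blog/public_html/wp-content/plugins/wp-console; do
        mkdir -p "$root/home/$d"
    done
    : > "$root/home/shop/public_html/wp-content/plugins/wp-file-manager/lib/a.php"
    printf '%s\n' "$root"
}

# Demo: find stands in for locate, which has no index for a fresh temp dir.
quarantine_demo() {
    root=$(make_demo_tree)
    find "$root" -type d -path '*/wp-content/plugins/*' | quarantine_rogue_plugins "$root/quarantine"
    rm -rf "$root"
}

if [ "${1:-}" = "demo" ]; then quarantine_demo; fi
```

Note that locate only knows what the last updatedb saw, so an hourly job should run updatedb first or use find directly; the archived tarballs are what you hand to a scanner such as Imunify afterwards.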