
Question and Tips about "anonymousfox"

Comments

30 comments

  • keat63
    I've seen this mentioned before, are you using WordPress ??
    0
  • lacuna
    I remember that at first we used the "Site Publisher" tool from cPanel to check if our domain was working, but then we put our own website's files and folders there (we use the CodeIgniter framework). Though we didn't delete those files created by the Site Publisher. I don't know if that tool uses WordPress or such. Thank you for your comment!
    0
  • cPanelLauren
    This kind of activity can be achieved by a compromised password, script or plugin used on the site. It isn't just Wordpress related. I would strongly suggest you not only enlist the services of a qualified system administrator to audit your installations and security but you must identify the point of entry or the issue will continue to occur. If you don't have a system administrator you might find one here: System Administration Services
    0
  • MortensenMedia
    I remember that at first we used the "Site Publisher" tool from cPanel to check if our domain was working, but then we put our own website's files and folders there (we use the CodeIgniter framework). Though we didn't delete those files created by the Site Publisher. I don't know if that tool uses WordPress or such. Thank you for your comment!

    Hi Lacuna, Did you get any answers that could help us. We are in the same situation? Best regards, Joel
    0
  • Kosinus
    Hello, we have a similar problem, but on a whole WHM dedicated server. On many user accounts a new email account "anonymusfox-xxxx@domain.com" showed up. We managed to intercept cPanel password change notification mails to this address. We disabled the ability for users to reset passwords right after. Somehow the attacker still manages to change user passwords. We run CloudLinux 7 and cPanel 90. It seems the attacker also managed to route user cPanel notifications to these emails, and not the ones that are registered within each user's account. Any suggestions?
    0
  • Kent Brockman
    Hi there. I now found how they do it. They take advantage of vulnerable WordPress and PrestaShop plugins to upload a tool capable of editing accounts. Then they simply edit the email address in the /.contactemail file. Then they reset the cPanel password using the new email, and then they obtain access to cPanel. THE PROBLEM IS THE WAY CPANEL STORES THE CONTACT EMAIL DATA WITHIN THAT FILE. It shouldn't be stored in plain text. cPanel needs to improve this. Name it using read-only permissions, or cipher the content of the file.
    0
  • JoeF_UK
    Hi there. I now found how they do it. They take advantage of vulnerable WordPress and PrestaShop plugins to upload a tool capable of editing accounts. Then they simply edit the email address in the /.contactemail file. Then they reset the cPanel password using the new email, and then they obtain access to cPanel. THE PROBLEM IS THE WAY CPANEL STORES THE CONTACT EMAIL DATA WITHIN THAT FILE. It shouldn't be stored in plain text. cPanel needs to improve this. Name it using read-only permissions, or cipher the content of the file.

    I have had this issue twice this week. I have mitigated it by disabling password reset in whm.
    0
  • pinchies
    From my own digging last week, I came to a similar conclusion, and I changed the permissions on that file to hopefully add stronger protection. CPanel needs to add their own stronger protections from cases like this. In my case, I found that file had been modified with a bogus guerrillamail account. The plugin that was compromised on my site was
    0
  • JoeF_UK
    From my own digging last week, I came to a similar conclusion, and I changed the permissions on that file to hopefully add stronger protection. CPanel needs to add their own stronger protections from cases like this. In my case, I found that file had been modified with a bogus guerrillamail account. The plugin that was compromised on my site was
    0
  • cPanelLauren
    I am going to point out that the cause of this issue and the primary problem here is that old, outdated, vulnerable scripts are being exploited on your server. cPanel has no control over the content you allow on your server. When you retain these kinds of vulnerable items you put the account at risk in a number of ways. This is far larger than .contactemail and the responsibility lies on you or your system administrator to maintain security on the server. I will note that there has been a case open for .contactemail changes for some time, as a result of this kind of behavior but there are no updates to this case and it is not resolved nor do I have an estimate on when it will be.
    0
  • pinchies
    That's a fair reply -- the only thing I would add is that web admins would typically consider the attack surface to be the site they manage, inside the site root. It was eye-opening to me to see a vector like this being used and exploited. Normally a hacker would go for the easiest option -- if this is .contactemail (and the evidence suggests that it's clearly a popular target) then perhaps there's a case to expedite an improvement in this area.
    0
  • sparek-3
    What?!? You mean as an end-user I have to keep my scripts and plugins up to date? Geez Louise! That's too much work. Why can't I just install WordPress and my eleventy billion plugins and ride off into the sunset? Why does this have to be my responsibility? /s
    0
  • cPanelLauren
    That's a fair reply -- the only thing I would add is that web admins would typically consider the attack surface to be the site they manage, inside the site root. It was eye-opening to me to see a vector like this being used and exploited. Normally a hacker would go for the easiest option -- if this is .contactemail (and the evidence suggests that it's clearly a popular target) then perhaps there's a case to expedite an improvement in this area.

    While I don't disagree that potentially exploitable outlets should be managed if possible, the same can be said for vulnerabilities that take advantage of mail or forwarders, and code injections. Once you allow access to an attacker, even though not on purpose you leave yourself vulnerable to a plethora of different means of attack. If you're maintaining the security of the scripts applications and plugins on your server you vastly and almost completely eliminate the chances of something of this nature occurring.
    0
  • Kent Brockman
    While I don't disagree that potentially exploitable outlets should be managed if possible, the same can be said for vulnerabilities that take advantage of mail or forwarders, and code injections. Once you allow access to an attacker, even though not on purpose you leave yourself vulnerable to a plethora of different means of attack. If you're maintaining the security of the scripts applications and plugins on your server you vastly and almost completely eliminate the chances of something of this nature occurring.

    Yes. And nope. I know you are very busy and yes, you are doing decent work. But now that you are aware that such a specific and simplistic way to take ownership of an account is being widely exploited, you (CPANEL) should do something. We do our best to keep things working and assured, but if a plain text file can be so easily exploitable, you should do something, guys. AT THE VERY LEAST, make the "Reset Password" option disabled by default in Tweak Settings, so that future installs won't suffer the same (unrecognized) vulnerability. And of course, make clear in the description that "if you enable this and a vulnerable script allows upload of malware, this option may be used to gain access to such an account".
    0
  • sparek-3
    Yea, but where are you going to draw the line? If your WordPress (or whatever CMS or script) gets exploited... then guess what? ... your email passwords shadow file is writeable by that user, all they have to do is modify the hash on one of the accounts... and voila! instant account to spam with. The common denominator is... your WordPress or whatever script being exploited. That's where the action's got to stop. You can put bandaid solutions up all over the place, but until people realize that they have to keep their script up to date, and they have to limit themselves to reputable plugins and keep those updated, there's just only so much that an administrator or an administrative tool can do to stop this. We still have people using "password" as their WordPress password because they don't think anything bad is going to happen to their account. How is a server administrator supposed to guard against that? How is cPanel supposed to guard against that? And what if they're not using WordPress, what if they're using Billy Bob's Content Management Script, is cPanel supposed to guard against that? People have got to start waking up to some responsibility for what they are or are not doing.
    0
  • pinchies
    Sarcastic comments are unhelpful. No one is saying the users don't have a responsibility, or that they don't need to do better; they do, and I agree. We all know that the strengths of WordPress can also be its weaknesses. We all need to do our best, and cPanel is being called on to help in this fight. I do not consider hardening applications to be 'bandaid' solutions. I'm not asking cPanel to patch WordPress bugs or to take responsibility for poorly coded plugins - I'm specifically saying that if cPanel is going to offer integration to help users, they need to be careful that they are not adding additional blind spots or vulnerabilities that the average WordPress user isn't informed about.
    0
  • Kent Brockman
    I know that @sparek-3. I'm tired of saying all of that to people since almost 10 years ago, and both developers and designers don't give a f***. I can and I actually do, obviously, suspend compromised accounts. All the time. And as the number of vulnerable plugins rises, the number of accounts to suspend does as well. It's a non-stop problem. In fact, it's more like a snowball, because the majority of developers and designers create subdomains to host dev versions for their clients and sometimes all of those sites get infected. You cannot patch the user's mind. I'm a sysadmin, not an evangelist or a psychologist :-) . There has to be something else to do in order to prevent scripts from writing outside of the public_html space or, in fact, outside of whatever folder the (sub)domain is assigned to work in. Everything outside public_html should be read only for the scripts the users upload. No way to do that?
    0
  • cPanelLauren
    Everything outside public_html should be read only for the scripts the users upload. No way to do that?

    Really, even that wouldn't resolve the issue here, as the script that's added isn't done so outside of the public_html it's executing from within the public_html and modifying something outside the public_html which is a perfectly normal activity for a script to do in most cases. There is no privilege escalation that takes place here, it's all contained within the user's own account.
    0
  • Kent Brockman
    Really, even that wouldn't resolve the issue here, as the script that's added isn't done so outside of the public_html it's executing from within the public_html and modifying something outside the public_html which is a perfectly normal activity for a script to do in most cases. There is no privilege escalation that takes place here, it's all contained within the user's own account.

    I know. I know. Sorry for the desperate answer. What actually worked now to stop the spread on vulnerable sites was disabling the ability to reset cPanel passwords in Tweak Settings.
    0
  • cPanelLauren
    Don't get me wrong either, I get it. I get your frustration as well as the user's. Password Reset capability being disabled may help for this specific issue but there are other issues it won't help with, it definitely won't keep the account secure from being attacked if it still has vulnerabilities. One suggestion might be to ensure you're scanning regularly for known malware signatures
    0
  • terwilliger
    Hi - I'm dealing with "anonymousfox" and trying to figure out how to clean up the cPanel account. So far I have:
    • renamed the site folder so it's not publicly accessible right now
    • contacted my host, who ran a malware scan, cleaned up some stuff (not sure exactly what), and reset my cPanel password
    • gone through all the files in public_html, compared them with an earlier backup, and replaced or deleted files where there were differences
    • deleted any email accounts + accounts in the "user manager" section that are no longer in use
    • reset all user passwords
    Poking through the home directory now, I see a suspicious file in the "etc" folder called "shadow" with 2 lines. The first line starts with "anonymousfox" and the second line starts with "smtpfox." So, that seems bad... When I search for info on what to do with this "shadow" file though, I get the impression that it shouldn't be removed or messed with. But just leaving it also seems bad, so I'm not sure what to do. Any advice would be appreciated.
    0
  • pinchies
    Also,
    • check for unexpected subdomains (including wildcard subdomains) or any other user/remote access accounts
    • check the currently listed cpanel and wordpress recovery email addresses
    The shadow file is to do with passwords. I recommend to remove any lines related to accounts that are not your own.
    0
  • terwilliger
    Thank you. If I remove lines from the shadow file related to accounts that aren't my own, the file will be completely empty - not sure if that's okay (or if I should just delete the file completely)?
    0
  • pinchies
    Thank you. If I remove lines from the shadow file related to accounts that aren't my own, the file will be completely empty - not sure if that's okay (or if I should just delete the file completely)?

    Empty is ok -- I don't recommend removing the file though.
    0
  • CaptObvious
    I just got hit with my cPanel account being compromised by someone editing the .contactemail and .contactinfo files and resetting my password. Not sure if it is related to the WP File Manager plugin; while it was installed, it was up to date and disabled. This has however made me realise how easy it is to gain access to someone's cPanel account in general; this issue is not specific to this plugin or vulnerability. Anyone who has FTP access can use this hack. Anyone who has admin access to any website and the ability to install plugins can use this hack. I regularly work on WordPress sites for clients. So all I would need to do is install any plugin that allows me to edit files, and I can then change their cPanel email address and reset the password. These files need to have their permissions set so that only cPanel itself can edit them, or they need to be encrypted so they cannot be edited.
    0
  • ihab.mardoud
    It happened to me also, even though there is no WordPress in the account... I figured out that it happened through the eval-stdin vulnerability in PHPUnit in the vendor folder! So I added a .htaccess with "Require all denied" (apacheconf). I also found that the email did not appear changed in WHM or cPanel, but it had been changed in the .contactemail file. I just re-saved my contact information in cPanel and .contactemail was updated, and then I cleaned the content of the shadow file in the etc folder, reset all the passwords, removed the two email accounts that the malware created, and ran a scan with Imunify360 (it found 7 uploaded malware files in the PHPUnit folder). Hope this will help anyone searching for anonymousfox, because this is the first result I got on Google.
    0
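    The cleanup that terwilliger, pinchies and ihab.mardoud describe above (check .contactemail, strip rogue entries from the mail shadow file without deleting it) as an added POSIX shell example. This is not code from the thread or from cPanel. It assumes ~/.contactemail holds one address per line and that mail password entries live in ~/etc/shadow (as terwilliger saw) and/or cPanel's per-domain ~/etc/<domain>/shadow; the sample home directory, its hashes and addresses are constructed for the demo so the script runs offline.

```shell
#!/bin/sh
# Added example: audit a cPanel account home directory for the anonymousfox
# indicators discussed in the thread, then remove rogue mail accounts while
# keeping the shadow file itself in place (empty is fine, deleting it is not).

# --- constructed sample home directory (not a real account) ---
HOME_DIR="$(mktemp -d)"
trap 'rm -rf "$HOME_DIR"' EXIT
mkdir -p "$HOME_DIR/etc/example.com"
# tampered contact address: this is where cPanel would send a reset link
printf 'rogue@example.net\n' > "$HOME_DIR/.contactemail"
cat > "$HOME_DIR/etc/example.com/shadow" <<'EOF'
sales:$6$constructedsalt$notarealhash:18000:::::
anonymousfox-abcd:$6$constructedsalt$notarealhash:18700:::::
smtpfox-wxyz:$6$constructedsalt$notarealhash:18700:::::
EOF

# Print the address(es) currently stored in ~/.contactemail.
contact_emails() { [ -f "$1/.contactemail" ] && cat "$1/.contactemail"; }

# Succeed only when .contactemail holds exactly the address the owner expects.
contact_email_ok() { [ "$(contact_emails "$1")" = "$2" ]; }

# List every mail shadow file under ~/etc (covers etc/shadow and etc/<domain>/shadow).
mail_shadow_files() { find "$1/etc" -name shadow -type f | sort; }

# Print "file:user" for accounts whose name matches the anonymousfox/smtpfox
# prefix seen in the thread, or that are not in the space-separated allowlist $2.
rogue_mail_accounts() {
  for f in $(mail_shadow_files "$1"); do
    cut -d: -f1 "$f" | while read -r user; do
      [ -z "$user" ] && continue
      case " $2 " in *" $user "*) allowed=1 ;; *) allowed=0 ;; esac
      if [ "$allowed" -eq 0 ] || printf '%s' "$user" | grep -qiE '^(anonymousfox|smtpfox)-'; then
        printf '%s:%s\n' "$f" "$user"
      fi
    done
  done
}

# Number of rogue accounts found (handy for a cron-driven check).
rogue_count() { rogue_mail_accounts "$1" "$2" | wc -l | tr -d ' '; }

# Drop one user's line from a shadow file; the file stays, possibly empty.
remove_mail_account() {
  grep -v "^$2:" "$1" > "$1.tmp" || true
  cat "$1.tmp" > "$1"
  rm -f "$1.tmp"
}

# Demo run against the constructed home directory.
if contact_email_ok "$HOME_DIR" "owner@example.com"; then
  echo ".contactemail is as expected"
else
  echo "WARNING: .contactemail holds: $(contact_emails "$HOME_DIR")"
fi
rogue_mail_accounts "$HOME_DIR" "sales"
```

    Run it with the real home directory and the owner's expected address in place of the constructed ones; re-saving the contact information in cPanel, as ihab.mardoud did, is the supported way to put .contactemail right, and the shadow lines should only be removed once the account's own mailboxes are on the allowlist.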
  • Ucyirmiiki
    A year later, I have the same problem... And my "Reset Password" option was also disabled before I got this problem. I have many accounts on my server and every day another one creates 4 different emails and sends spam... all the same 4 emails, which begin with ''smtpfox-...@domain.com'' (see the attachments). I am tired of deleting these email accounts. PS: I noticed that the accounts which have this problem are generally WordPress websites. And I am really shocked there is no certain way to solve this problem. cPanel says take a paid system administrator, some say disable reset password... but there is not a certain way to prevent this problem.
    0
  • cPRex Jurassic Moderator
    @Ucyirmiiki - have you confirmed the IPs that are creating the email accounts are indeed using the anonymous fox issue?
    0
  • Ucyirmiiki
    @Ucyirmiiki - have you confirmed the IPs that are creating the email accounts are indeed using the anonymous fox issue?

    How can I find the IPs of the creators?
    0
  • cPRex Jurassic Moderator
    For that you would need to check the server access log at /usr/local/cpanel/logs/access_log. I would recommend doing the following to make that search easier:
    • run "tail -f /usr/local/cpanel/logs/access_log" to watch the log in real-time
    • log in to cPanel and create an email account
    This will allow you to see what that email creation process looks like on your server, so you'll know exactly what to search for in the log.
    0
