The AnonymousFox Hack guide by Sucuri misses a huge step in cleaning a hacked WordPress website: removing the cron jobs.
While removing AnonymousFox malware from a website I noticed the following cron:
It downloads a script from http://hello.hahaha666.xyz/xxxd and runs it. The script is:
This file then modifies the default .htaccess and creates a .htaccess file inside every directory. These .htaccess files can be found by using the command:
grep -r "Deny from all" .
To remove all these .htaccess files:
find . -type f -name '.htaccess' -delete
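A read-only audit to run before deleting anything, added here as an example (it is not from the original post or from Sucuri's guide): it lists cron entries that call a downloader and the .htaccess files that contain "Deny from all". The function names and the list of downloader tools are assumptions, since the post does not show the cron line itself.

```sh
#!/bin/sh
# Added example: read-only audit helpers. Nothing here deletes or edits files.

# Read crontab text on stdin and print the non-comment lines that invoke a
# downloader. The tool list is an assumption; the post does not show which
# tool the malicious cron entry used.
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' |
        grep -E '(^|[^[:alnum:]_])(wget|curl|fetch|lwp-download)([^[:alnum:]_]|$)'
}

# List .htaccess files under directory $1 that contain "Deny from all".
# Starting find at the directory itself (not a "*" glob) also covers the
# hidden .htaccess at the top level.
injected_htaccess() {
    find "$1" -type f -name '.htaccess' -exec grep -l 'Deny from all' {} +
}

# Audit the current user's crontab and the web root given as $1.
audit() {
    echo "== cron entries that call a downloader =="
    crontab -l 2>/dev/null | suspicious_cron_lines
    echo "== .htaccess files containing 'Deny from all' =="
    injected_htaccess "$1"
}

# Usage: sh audit.sh /path/to/webroot
if [ -n "${1:-}" ]; then
    audit "$1"
fi
```

Run it as each account that owns site files, since every user has a separate crontab.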
As mentioned at the beginning of the post, checking and removing cronjobs is necessary when cleaning up hacked WordPress websites, and I hope that Sucuri will eventually include it in their “fix FoxAuto WordPress malware” guide.