Malware
bjiag0, 2021-10-09 12:20:32

How do I find where the WSO shell of the anonymousfox virus has settled on a WordPress site?

At the end of September, I learned about the virus from an email generated by Google Console.
I downloaded the entire contents of the site from the server to my computer. I installed the WordFence plugin; it found "infected" files on the server for me, dated from August. I deleted them from the server and ran the scan again; only one threat was found, the index.php file in the root. I deleted it, but it reappeared at the same moment. No matter how many times I deleted it, the file kept reappearing, even while I was logged in to neither the admin panel nor the site. Naturally, I changed the passwords for the admin panel and FTP.

Besides the regular code, index.php itself contains malicious code.

It wasn't hard to find out that this is FoxAutoV5 [The best tool] and googling gives a link to the presentation of this WSO Shell: pcx3.com/linux/wso-2-6-shell

In the local copy, after deleting the "infected" files, I search for lines containing base64 and for anything that could create a file, such as PHP code like fwrite(fopen, but I don't find anything abnormal (I compare each found file with the original WP).

I look at the logs from the server; there are requests like

136.144.41.12 - - [07/Oct/2021:12:29:02 +0300] "GET /index.php?3x=3x HTTP/1.0" 301 - "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
136.144.41.12 - - [07/Oct/2021:12:31:54 +0300] "GET /wp-includes/fonts/css.php HTTP/1.0" 403 39475 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"

Lots of this kind:

37.0.10.159 - - [07/Oct/2021:06:09:01 +0300] "GET /wp-admin/css/colors/sunrise/%20 HTTP/1.0" 301 - "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
37.0.10.159 - - [07/Oct/2021:06:09:35 +0300] "GET /wp-includes/ HTTP/1.0" 403 39475 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"

Lots of 404s from the same domains, too.

I reinstalled the standard WP files from the admin panel, removed my theme and installed it again from the official directory.
Where should I look for what creates index.php, or rather, where has the shell settled?
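As an added example (not from the original post or any of the answers), here is a small Python triage script for access logs in the combined format quoted above: it parses each line, counts per source IP the hits carrying the referer domains seen in the question, and lists every 200 response served by a .php file that a stock WordPress install does not ship, which is the most direct pointer to the path a shell lives at. The sample lines are the question's own four plus one constructed POST to a made-up file name; the set of core PHP entry points is an assumption about a stock install.

```python
import re
from collections import Counter, defaultdict
# Combined log format, as in the lines quoted in the question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Referer domains that appear in the question's log excerpts.
BAD_REFERERS = {"anonymousfox.co", "binance.com"}
# PHP entry points a clean WordPress install legitimately serves (assumption: stock install).
CORE_PHP = {"/index.php", "/wp-login.php", "/xmlrpc.php", "/wp-cron.php",
            "/wp-admin/admin-ajax.php", "/wp-admin/index.php"}

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Per-IP counters plus every successful (200) request to a non-core .php file."""
    by_ip = defaultdict(Counter)
    shell_hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"].split("?", 1)[0]  # drop the query string
        if rec["referer"] in BAD_REFERERS:
            by_ip[ip]["bad_referer"] += 1
        if rec["status"] in ("403", "404"):
            by_ip[ip]["errors"] += 1
        if path.endswith(".php") and path not in CORE_PHP and rec["status"] == "200":
            # A 200 from a PHP file WordPress does not ship is the strongest lead to the shell's path.
            by_ip[ip]["php_200_noncore"] += 1
            shell_hits.append((ip, rec["method"], path))
    return dict(by_ip), shell_hits

UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
# Constructed sample: the question's four lines plus one invented POST to a made-up file name.
SAMPLE_LOG = [
    f'136.144.41.12 - - [07/Oct/2021:12:29:02 +0300] "GET /index.php?3x=3x HTTP/1.0" 301 - "anonymousfox.co" "{UA}"',
    f'136.144.41.12 - - [07/Oct/2021:12:31:54 +0300] "GET /wp-includes/fonts/css.php HTTP/1.0" 403 39475 "anonymousfox.co" "{UA}"',
    f'37.0.10.159 - - [07/Oct/2021:06:09:01 +0300] "GET /wp-admin/css/colors/sunrise/%20 HTTP/1.0" 301 - "binance.com" "{UA}"',
    f'37.0.10.159 - - [07/Oct/2021:06:09:35 +0300] "GET /wp-includes/ HTTP/1.0" 403 39475 "binance.com" "{UA}"',
    f'136.144.41.12 - - [07/Oct/2021:12:40:11 +0300] "POST /wp-admin/js/widgets/example.php HTTP/1.0" 200 512 "-" "{UA}"',
]
if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Pointing the same function at the real access log (one line per element) gives, for each IP, how many hits used the suspicious referers and which non-core PHP files actually answered with 200; the latter are the paths to compare against a clean WordPress checkout first.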


2 answer(s)
Dmitry, 2021-10-11
@pro100taa

Didn't this thread get an answer?

celkolomidze, 2022-01-29
@celkolomidze

Sorry for the formatting; I'm looking for a way to publish a post without it dropping all the words.
I faced the same problem. I found the SH file in the /wp-admin/js/widgets/ directory.
I had already spent three days trying to find the virus. I even found file managers that had somehow been uploaded, but it didn't help. Regarding your question about the deleted file reappearing: it's not difficult to find what executes it.
https://prnt.sc/26lgn6w - here is what replaces your .htaccess and index file.
As for the SH file, I only just discovered it (I searched for the word htaccess). A little later I'll report back on whether removing it helped get rid of the virus. And by the way, it's not only a WP virus: on one of my Bitrix sites it's exactly the same story.
