Support » Fixing WordPress » AnonymousFox_hux wordpress hacked

  • I have a server with lots of wordpress websites.

    I have discovered today a couple of accounts hacked and when digging deeper, have found the user_login field for the admin user in wp_users has been changed to AnonymousFox_hux on most WP databases.

    Most databases have a different wp_ prefix so I am assuming that it must be some type of WP vulnerability to mass change the same field ONLY in the WP DB and in the user table (regardless of prefix)

    Anyone experienced this and know a potential vulnerability?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    Thread Starter SJW

    (@whitsey)

    @macmanx cleaning the hack is not a problem – I know how to do that and have done it numerous times before.
    The hack has occurred on dozens of sites – sites with Wordfence installed – therefore, this issue is bigger than just “my site was hacked”
    There is a major hole somewhere (they got through wordfence) and I want to try and identify the hole

    Thread Starter SJW

    (@whitsey)

    This appears to be a wordpress specific vulnerability.
    I have had tech support look into the server and can find no trace of any illegal access

    All wordpress sites on server have had the user_login field with ID = 1 in the wp_users table updated to – AnonymousFox_hux and the password changed.

    One site in particular that got attacked:
    1. It had Wordfence installed and running
    2. All WP software and plugins were up to date

    NOTE: I have run a full scan with wordfence and no damage or malware found on this updated, protected site.

    Moderator t-p

    (@t-p)

    This appears to be a wordpress specific vulnerability.

    To report vulnerability, please SEE https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/

    • This reply was modified 1 month, 4 weeks ago by t-p.
Viewing 4 replies - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.