What is ?Fox=d3wL7?

Created 17th August 2023
Updated 18th August 2023

This is the query string used by tools from AnonymousFox, a group that develops and sells tools for hijacking web servers.

The tool suite includes webshells, persistence tools for various CMS software (WordPress, Drupal, Joomla) and scanners.

The presence of this query string in your logs shows that bots are scanning your domain or IP for the shell.

A much more thorough writeup of the actor has been published by Sucuri.


References

  1. Sucuri. (n.d.). AnonymousFox Hack Guide. Retrieved August 15, 2023, from https://sucuri.net/guides/anonymousfox-hack-guide/

Other known request paths

  1. /loellobm.php?Fox=d3wL7
  2. ?Fox=d3wL7
  3. /bvapgiqg.php?Fox=d3wL7
  4. 4pricemailer.php
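
A log check for the query string and request paths listed above, as an added example that is not part of the original page. It assumes an Apache/nginx combined-format access log; the sample lines are constructed, and flagging a 2xx response as "investigate" is a triage assumption of this example, not something the page states.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined/common log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
MARKER = ("Fox", "d3wL7")            # query parameter named on this page
KNOWN_FILES = {"4pricemailer.php"}   # listed path that carries no query string

def classify(line):
    """Return None for unrelated or unparsable lines, else a dict describing the hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # parse_qsl splits and percent-decodes the query, so the marker is matched
    # as an exact key/value pair rather than as a substring of the raw line.
    params = parse_qsl(url.query, keep_blank_values=True)
    filename = url.path.rsplit("/", 1)[-1]
    if MARKER not in params and filename not in KNOWN_FILES:
        return None
    status = int(m["status"])
    # Assumption: a 2xx answer means something responded at that path and the
    # file should be inspected on disk; anything else is a scan that missed.
    verdict = "investigate" if 200 <= status < 300 else "scan"
    return {"ip": m["ip"], "path": url.path, "status": status, "verdict": verdict}

def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation IP ranges, not real traffic)
SAMPLE = [
    '203.0.113.7 - - [17/Aug/2023:10:01:02 +0000] "GET /loellobm.php?Fox=d3wL7 HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.7 - - [17/Aug/2023:10:01:03 +0000] "GET /?Fox=d3wL7 HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.9 - - [17/Aug/2023:10:05:00 +0000] "GET /bvapgiqg.php?Fox=d3wL7 HTTP/1.1" 404 196 "-" "-"',
    '198.51.100.9 - - [17/Aug/2023:10:05:01 +0000] "GET /4pricemailer.php HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.44 - - [17/Aug/2023:10:06:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 812 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A 2xx on `/` often only means the front page ignores unknown parameters, so compare the response size with a normal request before concluding anything; a 2xx on one of the `.php` paths warrants checking that file on disk.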