How to trace and clean the monit.php hack

Let’s start this tutorial with a tip: to check whether your site has been infected by the monit.php hack, append this path to your site URL and browse to it:

/wp-admin/options-general.php?page=monit

If a page opens with settings and text strings, you have most probably been hacked; if not, you’re probably safe. In both cases I suggest following the cleanup guide for the ofgogoatan.com redirect hack.

Monit.php flagged as malware

A few days ago we were contacted by a client who wanted his site cleaned of malware.

While working on his site he noticed that some random code had been injected into his backend. After scanning his site using WordPress security plugins he found out that more than one file was infected by the monit.php malware.

Monit.php Malware Code Inspection

While fixing this hacked WordPress site we noticed pretty quickly that there was a weirdly named plugin called Monitization on its plugins page. When we inspected the plugin’s code we found that it was injecting spam URLs and redirects, along with some other settings, into the wp_options MySQL table of our client’s WordPress site. Even though the code of this malware is lame overall, it can be used as an example of how hackers try to take advantage of infected WP sites to promote their Black Hat SEO campaigns.

Actually, it seems that the monit.php hack is trending on WordPress security forums. You can find a lot of WP users posting topics related to it, like this one here or here or here, saying that their WordPress site is redirected to ofgogoatan.com.

How to Remove the Monit.php Hack

Apart from cleaning all of your WordPress site files from the malware redirect hack and deleting the monit.php file under the plugins directory, you will also need to access your database using phpMyAdmin, then browse to your wp_options database table and search for the following option_name records:

  • default_mont_options
  • ad_code
  • hide_admin
  • hide_logged_in
  • display_ad
  • search_engines
  • auto_update
  • ip_admin
  • cookies_admin
  • logged_admin
  • log_install

Finally, if you find any of those records present, delete them, but first make sure you have created a backup of your WordPress site (both the site files and its MySQL database).

The last step is to remove the admins_ip.txt file found in the plugins directory as well.
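The wp_options check and cleanup described above can be run from the phpMyAdmin SQL tab. This is an added example, not code from the malware or from the original guide; it assumes the default wp_ table prefix, and wp_options_monit_backup is a hypothetical name for a safety copy of the matching rows.

```sql
-- Added example. Assumes the default wp_ prefix; adjust if your install differs.

-- 1. Review the matching rows first. Names such as ad_code or auto_update are
--    generic enough that another plugin could use them, so read the values.
SELECT option_id, option_name, autoload,
       CHAR_LENGTH(option_value) AS value_len,
       LEFT(option_value, 200)   AS value_preview
FROM wp_options
WHERE option_name IN (
  'default_mont_options', 'ad_code', 'hide_admin', 'hide_logged_in',
  'display_ad', 'search_engines', 'auto_update', 'ip_admin',
  'cookies_admin', 'logged_admin', 'log_install'
)
ORDER BY option_name;

-- 2. Copy the matching rows aside (hypothetical table name). This is in
--    addition to the full file and database backup, not a replacement for it.
CREATE TABLE wp_options_monit_backup AS
SELECT * FROM wp_options
WHERE option_name IN (
  'default_mont_options', 'ad_code', 'hide_admin', 'hide_logged_in',
  'display_ad', 'search_engines', 'auto_update', 'ip_admin',
  'cookies_admin', 'logged_admin', 'log_install'
);

-- 3. If step 1 showed a row that belongs to a legitimate plugin, remove it
--    from the copy so it is not deleted below (placeholder name shown):
-- DELETE FROM wp_options_monit_backup WHERE option_name = 'NAME_TO_KEEP';

-- 4. Delete from wp_options exactly the rows that are in the copy.
DELETE FROM wp_options
WHERE option_name IN (SELECT option_name FROM wp_options_monit_backup);

-- 5. Confirm nothing is left; this should return 0.
SELECT COUNT(*) AS remaining
FROM wp_options
WHERE option_name IN (SELECT option_name FROM wp_options_monit_backup);

-- To undo step 4:
-- INSERT INTO wp_options SELECT * FROM wp_options_monit_backup;
```

Keep the copy table until the site has been verified clean, then drop it.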

Looking for Malware Cleanup Services?

We offer critical support for all hacked WordPress sites. If your own WordPress installation has been infected by the Monit hack or any other hack, you can submit a malware removal request and we’ll get back to you right away.
