• Skip to main content

WP Republic!

High Profile WordPress Security Services by WP Republic!

  • Blog
  • Malware Removal
  • Fix Request
  • Security Plans
  • About us
    • FAQ
    • Contact
    • Privacy Policy
    • Terms of Service

Jun 09 2020

How to trace and clean the monit.php hack

UPDATED: 14th July 2020

Let’s start this tutorial with a tip, if you want to know your site has been infected by the monit.php hack add your site URL before this snippet and browse it:

/wp-admin/options-general.php?page=monit

If you see a page opening with settings and text strings then you’re most probably hacked, if not you’re probably safe. In both cases I suggest to follow the cleanup guide for the ofgogoatan.com redirect hack.

Monit.php flagged as malware

A few days ago we have been contacted by a client who was looking to clean his site from malware.

While working on his site he noticed that some random code was injected to his backend. After scanning his site using WordPress security plugins he found out that more than one files were infected by the monit.php malware.

Monit.php Malware Code Inspection

While fixing this hacked WordPress site we noticed pretty quickly that there was a weirdly named plugin called Monitization in its plugins page. When we inspected the plugin’s code we found out that it was injecting our client’s WordPress site wp_options MySQL table with spam URLs and redirects along with some other settings. Even though the code of this malware is lame overall it can be used as an example of how hackers try to take advantage of infected WP sites for promoting their Black Hat SEO campaigns.

Actually it seems that the monit.php hack is trending on WordPress security forums, you can find a lot of WP users posting topics related to it like this one here or here or here saying that their WordPress site is redirected to ofgogoatan.com.

How to Remove the Monit.php Hack

Apart from cleaning all of your WordPress site files from the malware redirect hack and deleting the monit.php file under the plugins directory, you will also need to access your database using phpMyAdmin, then browse to your wp_options database table and search for the following option_name records:

  • default_mont_options
  • ad_code
  • hide_admin
  • hide_logged_in
  • display_ad
  • search_engines
  • auto_update
  • ip_admin
  • cookies_admin
  • logged_admin
  • log_install

Finally, if you find any of those records present delete them but first make sure you have created a backup for your WordPress site first(both the site files and its MySQL Database).

Umar created the following MySQL select statement which you can use on your phpMyAdmin and find if there are any records injected by the Monit malware.

SELECT * FROM 'wp_options' WHERE option_name IN ( 'default_mont_options','ad_code','hide_admin','hide_logged_in','display_ad','search_engines','auto_update','ip_admin','cookies_admin','logged_admin','log_install')

The last step is to remove the admins_ip.txt file found in the plugins directory as well.

Looking for Malware Cleanup Services?

We offer critical support to all hacked WordPress site. If your own WordPress installation has been infected by the Monit hack or any other hack then you can submit a malware removal request and we’ll get back to your right away.

Written by WP Republic! · Categorized: Security · Tagged: monit php hack, ofgogoatan.com, WordPress SQL Injection

SUBSCRIBE TO OUR GOODIES LIST!

Reader Interactions

Comments

  1. David says

    June 12, 2020 at 2:38 pm

    Hey Thank you for this and for the links to the topics!

    Reply
  2. Umar says

    July 14, 2020 at 2:40 am

    This is very helpful. I am cleaning one of my client’s site with this.

    Please add this query into your post somewhere, It will help many people out there.

    Reply
  3. Umar says

    July 14, 2020 at 2:41 am

    SELECT * FROM `wp_options` WHERE option_name IN ( ‘default_mont_options’,’ad_code’,’hide_admin’,’hide_logged_in’,’display_ad’,’search_engines’,’auto_update’,’ip_admin’,’cookies_admin’,’logged_admin’,’log_install’)

    Reply
    • Bit of WP says

      July 14, 2020 at 8:44 am

      Thanks a lot, Umar!

      Reply
  4. Stephanie says

    August 1, 2020 at 12:27 am

    Thanks team, helped removed the hack from one of our website. We cleaned the files from plugin page but needed help cleaning up those database files.

    Thanks heaps

    Reply
    • Bit of WP says

      August 3, 2020 at 3:30 am

      That’s great news Stephanie!

      Reply
  5. Rumesh Bandara says

    August 10, 2020 at 2:19 pm

    Thanks a lot for this guide. I was bit lost after going through many articles without proper success. Thanks to you I could simply get rid of this annoying malware.
    And many thanks to Umar as well for the nice query.

    Reply
  6. Junior Julio says

    August 18, 2020 at 11:04 am

    Thanks, a lot!

    Reply
  7. Steve says

    August 26, 2020 at 1:12 am

    I got error:
    SELECT * FROM ‘wp_options’ WHERE option_name IN ( ‘default_mont_options’,’ad_code’,’hide_admin’,’hide_logged_in’,’display_ad’,’search_engines’,’auto_update’,’ip_admin’,’cookies_admin’,’logged_admin’,’log_install’);
    LIMIT 0, 25

    #1064 – You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ”wp_options’ WHERE option_name IN ( ‘default_mont_options’,’ad_code’,’hide_admin’ at line 1

    Reply
  8. Steve says

    August 26, 2020 at 1:34 am

    Thank, It’s working.
    After adding database name.. it’s working
    SELECT * FROM `DATABASENAME`.`wp_options`

    Reply
  9. Morph3o says

    August 26, 2020 at 11:05 am

    Good morning hello I was a victim of this Monit.php marked as malware, friends I have a problem on my website created with wordpress and woocommerce, recently after installing some add-ons I created this monit.php and following this manual to eliminate it I Some new files that were created attract a lot of attention, these files are in many folders and sub folders, they are Index.php files and inside all these files have the same code, here is the link https://mega.nz/file / M5hDgAjY # fAsmuW3blah3zctdbMA1Ige_lP694jmzCCjxSo0xBLU
    to see if you can tell me what the function of these files is and why they were created. I will be grateful for the definition of reading this file. Thank you thank you thank you…

    Reply
    • Bit of WP says

      August 26, 2020 at 6:08 pm

      Hey there! Did you try following our guide for removing the Monit malware?

      Reply
  10. lukes says

    August 27, 2020 at 9:08 am

    Mysql Query should be:
    select * from `wp_options` where (`option_name` like “%default_mont_options%” and `option_name` like “%ad_code %” and `option_name` like “%hide_admin%” and `option_name` like “%hide_logged_in%” and `option_name` like “%display_ad%” and `option_name` like “%search_engines%” and `option_name` like “%auto_update%” and `option_name` like “%ip_admin%” and `option_name` like “%cookies_admin%” and `option_name` like “%logged_admin%”)

    Reply
  11. Thomas says

    August 27, 2020 at 11:32 am

    Thanks, very helpful!!

    Reply
  12. SAGTCO says

    September 6, 2020 at 7:48 pm

    LOVE U GUYS!
    THANK U SO MUCH!!!!

    THIS WAS ON OUR WEBSITE FOR PAST 4 MONTHS! CUDNT FIND THE ISSUE

    Reply
  13. henry says

    October 29, 2020 at 3:40 pm

    The query Umar created — the single quotes around wp-options should be back ticks ( ` ) , found below the escape key

    Reply
  14. Chris says

    November 1, 2020 at 7:26 pm

    Make sure to replace the wp_options with the name of your options table in your database as it may be different, but it will contain the word “options: in it. Also, replace the ‘wp_options ‘ single quotes surrounding it with backticks instead, only for the ‘wp_options ‘ part. That should work.

    Reply
  15. Chris says

    November 1, 2020 at 7:31 pm

    Make sure to replace the wp_options with the name of your options table in your database as it may be different, but it will contain the word “options: in it. Also, replace the ‘wp_options ‘ single quotes surrounding it with backticks instead, only for the ‘wp_options ‘ part. That should work.

    Example of what worked for me:

    SELECT
    *
    FROM
    `custombnamecoptions`
    WHERE
    option_name IN(
    ‘default_mont_options’,
    ‘ad_code’,
    ‘hide_admin’,
    ‘hide_logged_in’,
    ‘display_ad’,
    ‘search_engines’,
    ‘auto_update’,
    ‘ip_admin’,
    ‘cookies_admin’,
    ‘logged_admin’,
    ‘log_install’
    )

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© 2025 · Security Services · WP Republic!
This website is not affiliated with or sponsored by Automattic or the WordPress Open Source project