UPDATED: 14th July 2020
Let’s start this tutorial with a tip: if you want to know whether your site has been infected by the monit.php hack, add your site URL before this snippet and browse to it:
If a page opens showing settings and text strings, you have most probably been hacked; if not, you are probably safe. In both cases I suggest following the cleanup guide for the ofgogoatan.com redirect hack.
Monit.php flagged as malware
A few days ago we were contacted by a client who wanted to clean his site of malware.
While working on his site he noticed that some random code had been injected into his backend. After scanning the site with WordPress security plugins he found that more than one file was infected by the monit.php malware.
Monit.php Malware Code Inspection
While fixing this hacked WordPress site we noticed pretty quickly that there was a weirdly named plugin called Monitization on its plugins page. When we inspected the plugin’s code we found that it was injecting spam URLs and redirects, along with some other settings, into the wp_options MySQL table of our client’s WordPress site. Even though the code of this malware is lame overall, it can be used as an example of how hackers try to take advantage of infected WP sites to promote their Black Hat SEO campaigns.
Actually, it seems that the monit.php hack is trending on WordPress security forums: you can find a lot of WP users posting topics about it, like this one here or here or here, saying that their WordPress site is redirected to ofgogoatan.com.
How to Remove the Monit.php Hack
Apart from cleaning all of your WordPress site files from the malware redirect hack and deleting the monit.php file under the plugins directory, you will also need to access your database using phpMyAdmin, then browse to your wp_options database table and search for the following option_name records:
Finally, if you find any of those records, delete them, but first make sure you have created a backup of your WordPress site (both the site files and its MySQL database).
Umar created the following MySQL SELECT statement, which you can run in phpMyAdmin to find out whether there are any records injected by the Monit malware.
SELECT * FROM wp_options WHERE option_name IN ( 'default_mont_options','ad_code','hide_admin','hide_logged_in','display_ad','search_engines','auto_update','ip_admin','cookies_admin','logged_admin','log_install');
The last step is to remove the admins_ip.txt file found in the plugins directory as well.
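The checks described above can also be run offline against a copy of the site files and a SQL dump. The following is an added example, not code from the original article or from the malware: it assumes the standard wp-content/plugins location, a mysqldump-style export in which each options row starts with the option_id followed by the option_name, and it uses a constructed folder name and constructed dump rows as sample input.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: two files and eleven option_name values.
MONIT_FILES = {"monit.php", "admins_ip.txt"}
MONIT_OPTIONS = {
    "default_mont_options", "ad_code", "hide_admin", "hide_logged_in",
    "display_ad", "search_engines", "auto_update", "ip_admin",
    "cookies_admin", "logged_admin", "log_install",
}
# Assumption: mysqldump-style rows of the form (option_id,'option_name',...
ROW_NAME = re.compile(r"\(\d+,\s*'([^']*)'")

def find_monit_files(wp_root):
    """List indicator files anywhere below wp-content/plugins."""
    root = Path(wp_root)
    plugins = root / "wp-content" / "plugins"
    if not plugins.is_dir():
        return []
    return sorted(p.relative_to(root).as_posix() for p in plugins.rglob("*")
                  if p.is_file() and p.name.lower() in MONIT_FILES)

def find_monit_options(dump_text):
    """List indicator option names inserted into any *options table."""
    hits = set()
    for line in dump_text.splitlines():
        # Only look at INSERTs into the options table, whatever its prefix.
        if re.match(r"INSERT INTO `?\w*options`?", line, re.IGNORECASE):
            hits.update(n for n in ROW_NAME.findall(line) if n in MONIT_OPTIONS)
    return sorted(hits)

# Constructed sample dump, not taken from a real site.
SAMPLE_DUMP = (
    "INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.test','yes'),"
    "(412,'default_mont_options','a:0:{}','yes'),(413,'hide_admin','on','yes');\n"
    "INSERT INTO `wp_posts` VALUES (7,'ad_code','not an option row');\n"
)

def demo():
    # Build a constructed plugin folder (hypothetical name) in a temp directory.
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "wp-content" / "plugins" / "monitization"
        plugin.mkdir(parents=True)
        for name in ("monit.php", "admins_ip.txt", "readme.txt"):
            (plugin / name).write_text("constructed placeholder\n")
        return find_monit_files(tmp), find_monit_options(SAMPLE_DUMP)

if __name__ == "__main__":
    print(demo())
```

Treat each hit as a lead to inspect, and take the backup described above before deleting anything.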
Looking for Malware Cleanup Services?
We offer critical support for all hacked WordPress sites. If your own WordPress installation has been infected by the Monit hack or any other hack, you can submit a malware removal request and we’ll get back to you right away.