Monit.php WordPress Malware

One of the most common malware black-hat SEO campaigns comes from an upgraded version of the WP-VCD virus, which I conducted a detailed analysis.

The Malware is contained in the monit.php file located in the wp-content/plugins/ directory.

This particular type of malware uses some of the same functionality as the wp-vcd as we can see here from it’s use of apu.php and a zone id.

Here we can see the use of the apu.php file and the malicious javascript files

http://ofgogoatan.com/apu.php?zoneid=3280383

http://propu.sh/pfe/current/tag.min.js?z=3280389

http://inpagepush.com/400/3336702

The malware is designed with the ability of any malicious actor to add in their own adware code from any of the ostensibly legitimate advertising networks, such as PropellorAds.

The malware also logs the server installation on the command and control server — in addition to requesting an update of itself.

At the time of this writing the blackhat domains domndo.com and it’s variants are offline.

/wp-content/plugins/admin_ips.txt

Removal of the malware can be done using a few simple commands

Searches for ‘monit.php’ and removes the file

find /var/www/html/ -name monit.php -exec rm -rf {} \;

The following mysql command can be used to search and remove the database entries from the WordPress wp-options table.

SELECT * FROM `wp_options` WHERE `option_name` IN ( ‘default_mont_options’, ‘ad_code’ , ‘hide_admin’, ‘hide_logged_in’ , ‘display_ad’, ‘search_engines’ , ‘auto_update’, ‘ip_admin’ , ‘cookies_admin’, ‘logged_admin’, ‘log_install’)

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ian Arman

Hey I'm @ianarman, I only clap about the cool stuff on @Medium!