One of the most common black-hat SEO malware campaigns comes from an upgraded version of the WP-VCD virus, which I analysed in detail.
The malware is contained in the monit.php file located in the wp-content/plugins/ directory.
This variant reuses some of the functionality of WP-VCD, as we can see from its use of apu.php and a zone id.
Here we can see the use of the apu.php file and the malicious JavaScript files:
http://ofgogoatan.com/apu.php?zoneid=3280383
http://propu.sh/pfe/current/tag.min.js?z=3280389
http://inpagepush.com/400/3336702
The malware is designed so that any malicious actor can add in their own adware code from any of the ostensibly legitimate advertising networks, such as PropellerAds.
The malware also logs the server installation to the command and control server, in addition to requesting an update of itself.
At the time of this writing the black-hat domain domndo.com and its variants are offline.
/wp-content/plugins/admin_ips.txt
Removal of the malware can be done using a few simple commands.
The following command searches for ‘monit.php’ and removes the file:
find /var/www/html/ -name monit.php -exec rm -rf {} \;
The following MySQL query finds the entries the malware adds to the WordPress wp_options table; once you have confirmed the matches, change SELECT * to DELETE to remove them:
SELECT * FROM `wp_options` WHERE `option_name` IN ('default_mont_options', 'ad_code', 'hide_admin', 'hide_logged_in', 'display_ad', 'search_engines', 'auto_update', 'ip_admin', 'cookies_admin', 'logged_admin', 'log_install');
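As an added example (my own helper, not code from the write-up or from the malware), the indicators above turned into a report-only sweep: it lists the dropped files, lists files that reference the hosts seen above, and prints the wp_options clean-up statement with straight quotes. The function names are my own; the option names, file names and hosts are the ones given above.

```shell
# Report-only sweep for the monit.php / WP-VCD variant described above.
# Nothing here deletes anything; it prints what a cleanup would touch.

# Option names the malware stores in wp_options (taken from the write-up).
WPVCD_OPTIONS='default_mont_options ad_code hide_admin hide_logged_in display_ad search_engines auto_update ip_admin cookies_admin logged_admin log_install'

# Print every monit.php and admin_ips.txt under the given web root, one per line.
find_wpvcd_files() {
    webroot="$1"
    find "$webroot" -type f \( -name 'monit.php' -o -name 'admin_ips.txt' \) -print
}

# Print paths of files that reference the C2 / ad-network hosts seen above,
# so injected loaders outside monit.php are not missed.
find_wpvcd_refs() {
    webroot="$1"
    grep -rlE 'apu\.php\?zoneid=|propu\.sh|inpagepush\.com|domndo\.com' "$webroot" 2>/dev/null
}

# Emit the wp_options statement; the first argument is the SQL verb, so
# "SELECT *" (the default) lists the rows and "DELETE" removes them.
wpvcd_cleanup_sql() {
    verb="${1:-SELECT *}"
    list=""
    for o in $WPVCD_OPTIONS; do
        list="${list:+$list, }'$o'"
    done
    printf '%s FROM wp_options WHERE option_name IN (%s);\n' "$verb" "$list"
}

# Usage: sweep /var/www/html   (report only; hand the SQL to mysql yourself)
sweep() {
    echo "== dropped files =="; find_wpvcd_files "$1"
    echo "== files referencing known hosts =="; find_wpvcd_refs "$1"
    echo "== wp_options rows to review =="; wpvcd_cleanup_sql "SELECT *"
}
```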