Monit.php WordPress Malware

Ian Arman
2 min readJul 22, 2020

One of the most common malware black-hat SEO campaigns comes from an upgraded version of the WP-VCD virus, which I conducted a detailed analysis.

The Malware is contained in the monit.php file located in the wp-content/plugins/ directory.

This particular type of malware uses some of the same functionality as the wp-vcd as we can see here from it’s use of apu.php and a zone id.

Here we can see the use of the apu.php file and the malicious javascript files

The malware is designed with the ability of any malicious actor to add in their own adware code from any of the ostensibly legitimate advertising networks, such as PropellorAds.

The malware also logs the server installation on the command and control server — in addition to requesting an update of itself.

At the time of this writing the blackhat domains and it’s variants are offline.


Removal of the malware can be done using a few simple commands

Searches for ‘monit.php’ and removes the file

find /var/www/html/ -name monit.php -exec rm -rf {} \;

The following mysql command can be used to search and remove the database entries from the WordPress wp-options table.

SELECT * FROM `wp_options` WHERE `option_name` IN ( ‘default_mont_options’, ‘ad_code’ , ‘hide_admin’, ‘hide_logged_in’ , ‘display_ad’, ‘search_engines’ , ‘auto_update’, ‘ip_admin’ , ‘cookies_admin’, ‘logged_admin’, ‘log_install’)



Ian Arman

Hey I'm @ianarman, I only clap about the cool stuff on @Medium!