Recently, a new type of malware called “Monitization” or monit.php has been getting a lot of attention on WordPress forums. This malware renders an unsolicited (often obscene) pop-up for site visitors. Many users have been seeking help to recover their websites from this hack after hackers used it to perform various Black Hat SEO attacks.
What is the monit.php hack?
A plugin called “Monitization” was found to be behind code injected into the back end of affected websites. Examination of the plugin’s files revealed that the code in the monit.php file was responsible for injecting spam URLs and redirects into the WordPress site’s wp_options MySQL table and for changing some settings.
This is the malicious code that we found under the monit.php file:
<?php
/**
* Plugin Name: Monitization
* Description: this plugin will help you Monitize your traffic easily from different ad networks.
* Author: Igor Glavatskiy
* Version: 1.0
*/
error_reporting(0);
ini_set('display_errors', 0);
$plugin_key='9f3d4cbd075c63c03c06a63f4579eb13';
$version='1.2';
add_action('admin_menu', function() {
    add_options_page( 'Monitization Plugin', 'Monitization', 'manage_options', 'monit', 'mont_page' );
    remove_submenu_page( 'options-general.php', 'monit' );
});
How can you find if your site is infected?
To detect the monit.php hack, browse this URL after replacing your site’s URL accordingly:
[your-site-URL]/wp-admin/options-general.php?page=monit
Upon loading, if you find a page with settings and text strings, you may have been attacked. To find out how to fix your website, read on.
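The excerpt above registers a settings page with the slug monit and then removes it from the Settings menu in the same hook, which is why the page only shows up when you browse to its URL directly. The following script is an added example, not code from the original article or from any scanner product: it generalizes that pattern and flags any PHP file that registers an options page and hides the same slug, and it also flags the “Monitization” plugin header. The function names, the regular expressions and the two sample strings are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Heuristic only: arguments are read as plain quoted literals, so calls that
# wrap a title in __() or build the slug dynamically will not be matched.
STRING = re.compile(r"""(['"])(.*?)\1""")
ADD = re.compile(r"add_options_page\s*\(([^;]*)\)\s*;")
REMOVE = re.compile(r"remove_submenu_page\s*\(([^;]*)\)\s*;")
HEADER = re.compile(r"^\s*\*?\s*Plugin Name:\s*Monitization\s*$", re.M | re.I)

def literals(args):
    """Quoted string literals found in a call's argument list, in order."""
    return [m.group(2) for m in STRING.finditer(args)]

def hidden_option_pages(php_source):
    """Slugs that are registered under Settings and then removed from its menu."""
    added = {lits[3] for lits in map(literals, ADD.findall(php_source))
             if len(lits) >= 4}                      # 4th literal = menu slug
    removed = {lits[1] for lits in map(literals, REMOVE.findall(php_source))
               if len(lits) >= 2 and lits[0] == "options-general.php"}
    return sorted(added & removed)

def scan_file(php_source):
    findings = [f"hidden settings page: {slug}" for slug in hidden_option_pages(php_source)]
    if HEADER.search(php_source):
        findings.append("plugin header: Monitization")
    return findings

def scan_tree(root):
    """Map each flagged *.php file under root to its findings."""
    results = {}
    for path in Path(root).rglob("*.php"):
        findings = scan_file(path.read_text(errors="replace"))
        if findings:
            results[str(path)] = findings
    return results

# Constructed sample inputs: the first repeats the lines quoted in the article,
# the second is a made-up plugin that registers a visible settings page.
SAMPLE = """<?php
/**
* Plugin Name: Monitization
*/
add_action('admin_menu', function() {
add_options_page( 'Monitization Plugin', 'Monitization', 'manage_options', 'monit', 'mont_page' );
remove_submenu_page( 'options-general.php', 'monit' );
});
"""
CLEAN = "<?php\nadd_options_page( 'My Plugin', 'My Plugin', 'manage_options', 'my-plugin', 'render' );\n"

if __name__ == "__main__":
    for path, findings in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, findings)
```

Run it against a copy of wp-content; each reported slug can be confirmed at [your-site-URL]/wp-admin/options-general.php?page=[slug].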
How can you fix this attack?
1. Take a backup of your site before cleaning.
It’s advisable to take the website offline so that users don’t visit the infected pages while you’re cleaning it. Make sure to take a backup of all the core files and databases, and store the backup in a compressed file format, like .zip.
2. Replace the core, plugin, and theme files.
You can replace the infected core files with the original versions from reputable sources. After downloading fresh, updated versions of these files and directories, you can delete the older ones. Delete any files of the “Monitization” plugin.
3. Clean any suspicious, recently modified files.
You might find potentially infected files by looking at the ones which were recently modified. You can restore these files from a clean backup you have or from a trusted source.
4. Clean your database.
In addition to deleting all the plugin files and cleaning the malicious code injected into your site’s files, make sure to check the following option_name records in your website’s wp_options MySQL table:
- default_mont_options
- ad_code
- hide_admin
- hide_logged_in
- display_ad
- search_engines
- auto_update
- ip_admin
- cookies_admin
- logged_admin
- log_install
5. Run a malware scan.
Scan your web server for malware and malicious files. You can use the ‘Virus Scanner’ tool in the cPanel provided by your web host, or get expert malware cleanup with the Astra Pro Plan.
How can you prevent further attacks?
The only sure-fire way to protect your website from hackers’ ever evolving methods is to invest in security. It is a great idea to invest in a website firewall, run frequent malware scans, and get regular security audits.
In fact, most people were able to find the monit.php malware because they ran malware scans which immediately flagged it and identified the source of the malicious code as the “Monitization” plugin. So make sure to scan for malware regularly!
The monit.php Hack: Conclusion
Recently, a new malicious plugin called “Monitization” was found to inject code into websites, which were then used for Black Hat SEO Hacks like the Japanese Keyword Hack and Pharma Hack.
Such cyber attacks are horrible, and so are their after-effects on your traffic, revenue, and even your reputation. So, to prevent getting attacked, it is advisable to invest in security and follow good security practices – these can go a long way!
Malcare failed to clean this. Speechless.