Title: monit.php coming back
Last modified: June 6, 2020

---

# monit.php coming back

 *  [birken](https://wordpress.org/support/users/birken/)
 * (@birken)
 * [6 years ago](https://wordpress.org/support/topic/monit-php-coming-back/)
 * Hello,
 * i have just installed your plugin and it found monit.php and it cant removit.
 * it removed some other files that seem to be connected with that malware.
    i have
   tried to clean again but no luck. _The items highlighted in red have been found
   to be re-infected. The malicious code has returned and needs to be cleaned again._
   but still dont remove.
 * any ideas?
    -  This topic was modified 6 years ago by [birken](https://wordpress.org/support/users/birken/).

Viewing 9 replies - 1 through 9 (of 9 total)

 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [6 years ago](https://wordpress.org/support/topic/monit-php-coming-back/#post-12948484)
 * There is one important distinction that needs to be made before we can know how
   to proceed. You have said “can’t remove” the infection ,and the infection “comes
   back” and we need to know which one it is.
 * How long after the cleaning did you check the file?
 * Can you verify if that file was clean right after the fix was applied?
 * Can you verify if the fix failed to clean the file at all?
 * If the answer to any of these is unclean then you can send me a screenshot of
   the scan results, the fix results, the quarantine, and the stat results on that
   file (specifically the Changed and Modified timestamps on that file). Then I 
   can determine what is actually going on here.
 *  [dkcross](https://wordpress.org/support/users/dkcross/)
 * (@dkcross)
 * [5 years, 11 months ago](https://wordpress.org/support/topic/monit-php-coming-back/#post-13120761)
 * [@scheeeli](https://wordpress.org/support/users/scheeeli/) monit.php
    add this
   to my wp files.
 * <script type=”text/javascript” src=”//inpagepush.com/400/3336702″ data-cfasync
   =”false” async=”async”></script>
 * please add to you plug
 * thanks
 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [5 years, 11 months ago](https://wordpress.org/support/topic/monit-php-coming-back/#post-13124752)
 * Is this script tag injected into your DB or added to a file on your server?
 * Where did you find this script?
 * I need the full context of this scrip inorder to write a definition for it. Can
   you please send me the infected file?
 *  Thread Starter [birken](https://wordpress.org/support/users/birken/)
 * (@birken)
 * [5 years, 10 months ago](https://wordpress.org/support/topic/monit-php-coming-back/#post-13212320)
 * hello Eli,
 * is the queation for me or dkcross?
 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [5 years, 10 months ago](https://wordpress.org/support/topic/monit-php-coming-back/#post-13239399)
 * Hi [@birken](https://wordpress.org/support/users/birken/),
 * My latest question was for [@dkcross](https://wordpress.org/support/users/dkcross/)
   but I never got a answer from you to my prior post. Did you get your original
   issue resolved or do you need more help too?
 *  [kailashaddanki](https://wordpress.org/support/users/kailashaddanki/)
 * (@kailashaddanki)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/monit-php-coming-back/#post-13282230)
 * I have found a solution for it, you require FTP/SSH access to your server.
 * **Step: 1.** Follow the first 4 steps mentioned in this [**link:**](https://www.getastra.com/blog/911/fix-monit-php-monetization-hack/)(
   Make sure to follow the first 4 steps correctly to disinfect your server & database
   of malicious code, do not delete any other files yet).
 * **Step 2.** Navigate to /wp-content/plugins/ folder and locate the following 
   two files in the folder
 * a. monit.php
    b. admin_ips.txt
 * Using a text editor remove all the contents of it and save it (Be sure to remove
   all the contents).
 * **Step 3.** _With SSH:_ enter the following commands to make monit.php and admin_ips.
   txt write protect which will prevent the malicious code from appearing again 
   even after you delete the files and database entries.
 *     ```
       chattr +i monit.php
   
       chattr +i admin_ips.txt
       ```
   
 * _With FTP client:_ Right click on monit.php, admin_ips.txt and uncheck all the
   ticks on Read, Write, Execute file permission section to make it write protect.
   This has worked well on many sites where i have been called to fix this issue.
    -  This reply was modified 5 years, 9 months ago by [kailashaddanki](https://wordpress.org/support/users/kailashaddanki/).
    -  This reply was modified 5 years, 9 months ago by [kailashaddanki](https://wordpress.org/support/users/kailashaddanki/).
 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/monit-php-coming-back/#post-13283655)
 * Hi [@kailashaddanki](https://wordpress.org/support/users/kailashaddanki/),
    While
   steps 1 and 2 are helpful when manually cleaning one specific type of threat 
   that my plugin is already removing automatically for these users it does not 
   address the issue of this topic (that this threat keeps coming back).
 * In step three you have outlined one way to prevent specific files from being 
   overwritten but it requires not only that the user be able to SSH into their 
   server but also that they are a super-user on that server, which is rare. This
   solution does not address the real issue here which is that hackers are able 
   to write to these file, and most probably any file on the site. The problem here
   suggests that there is a back-door or some other exploitable vulnerability on
   their site or server that is allowing an unauthorized user to write to their 
   filesystem. Therefore, these sites will not be safe until the root cause of this
   infection is uncovered.
 * While my plugin already has many variants of pattern of known threats that are
   commonly responsible for this hack, there are new threat and exploits discovered
   every day and I add them to my definition updates whenever they are uncovered.
 * Neither of the people who have posted their issue in this thread have replied
   to my follow-up questions so I would like to assume that they have used my plugin
   with the latest definition updates to fix the root cause of this issue and do
   not need any further help. However, I look forward to working with anyone who
   is having trouble keeping their site clean to discover the root cause so that
   I can add it to my definitions. This will help all those who come across the 
   same kind of persistent infection in the future.
 *  [sicambria](https://wordpress.org/support/users/sicambria/)
 * (@sicambria)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/monit-php-coming-back/#post-13365689)
 * I had a lot of trouble with this as it kept coming back despite all the efforts
   and scans with several tools.
    I have created a cron job in cpanel as a workaround
   to detect and delete monit.php from all of your WP installations.
 * Note: Obviously this is NOT a proactive solution, so using strict security measures
   is necessary on top of this.
 * find . -type f -name “monit.php” -exec echo {} \; -exec stat {} \; -exec rm -
   f {} \; | mailx -E -s “monit.php threat deleted” YOUR_EMAIL_ADDRESS
 * [https://forraskod.blogspot.com/2020/08/monitphp-malware.html](https://forraskod.blogspot.com/2020/08/monitphp-malware.html)
 *  [chromechris](https://wordpress.org/support/users/chromechris/)
 * (@chromechris)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/monit-php-coming-back/#post-13857113)
 * Following. This is a real problem to WordPress. I just recently cleaned my website,
   changed credentials, and manually and activated Wordfence Pro. The monit plugin
   came back.

Viewing 9 replies - 1 through 9 (of 9 total)

The topic ‘monit.php coming back’ is closed to new replies.

 * ![](https://ps.w.org/gotmls/assets/icon-256x256.png?rev=1001824)
 * [Anti-Malware Security and Brute-Force Firewall](https://wordpress.org/plugins/gotmls/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/gotmls/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/gotmls/)
 * [Active Topics](https://wordpress.org/support/plugin/gotmls/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/gotmls/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/gotmls/reviews/)

## Tags

 * [spyware](https://wordpress.org/support/topic-tag/spyware/)

 * 9 replies
 * 6 participants
 * Last reply from: [chromechris](https://wordpress.org/support/users/chromechris/)
 * Last activity: [5 years, 5 months ago](https://wordpress.org/support/topic/monit-php-coming-back/#post-13857113)
 * Status: not resolved