mplugin.php admin_ips.txt monit.php prevention

When I rogue plugin is secretly installed on your site it’s usually done in one of two ways. Either someone has used brute-force or surveillance to gain access to an existing admin account and has then installed unwanted plugin as any admin might, or they have gained account (or root) access to the server through some similarly underhanded means and used this access to plant malicious code and or this rogue plugin on many sites. Given that you say “all my customer accounts sites got hacked” would suspect the latter. Someone has gain unauthorized access to your server and planted this hack on all your sites. It could be that they have cracked your Control Panel login or gotten in through an FTP account, or maybe even gained root access to the whole server. At this point you should assume that all your passwords to the server and hosting account have been compromised and change them all. Then get your hosting provider involved and have them check the server log files to make sure that nobody else has been accessing anything on the server that they shouldn’t be accessing. I know this last part is vague but it will vary from server to server and provider to provider what their protocol will be for a situation like this, unfortunately it is usually inadequate and sometime involve trying to up-sell you expensive security software or some kind of “better” hosting plan. If this is the case then you should probably consider looking for a better (more secure) hosting provider.