• Resolved hansmu158

    (@hansmu158)


    One of the websites I am managing has been infected by some sort of adware which seems to be the .bt Hack as I found out after some googling. I already followed the WordPress “My Site got hacked” guide.

    I have two themes (OceanWP is being used, Hello Elementor is also installed) installed and for each theme, the functions.php file is modified by prepending some code. Also, a file called template-config.php is created in every theme directory. It also creates the files wp-admin/.bt and wp-admin/css/.bt which contain IPs.

    I found out about this because a popup is inserted into every page before the doctype:

    
    <script>
    var popunder = {expire: 6,url: "https://take-yourprizeshere1.life/?u=mr1kd0x&o=f5pp7z3&t=p"};
    </script>
    <script src="popunder.js"></script>
    

    After removing all the added files and cleaning up the modified ones, everything seems fine again, but after some time the changes always come back (at least once a day). I already changed the passwords and installed Wordfence Security to monitor the situation and to assist in the cleanup.

    Code inserted into functions.php: https://pastebin.com/MsR28DFS

    Code inside of template-config.php: https://pastebin.com/SUqaqL5K

    The following plugins are active: Polylang Elementor Connector, Duplicator, Easy HTTPS (SSL) Redirection, Elementor, Ocean Extra, Polylang, SiteOrigin CSS, Tuxedo Big File Uploads, UpdraftPlus, Wordfence Security

    All the plugins and the WordPress version are up to date and are updated regularly.

    Does anyone have an idea how to proceed? How do I get rid of this completely?
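
A check for the reinfection signs listed in the post above, as an added example that is not part of the original thread. The injected code itself is only linked, not shown, so changes to functions.php are detected by comparing SHA-256 hashes against a baseline taken after cleanup; the script name `bt_check.py`, the function names and the baseline file are assumptions.

```python
import hashlib
import json
import sys
from pathlib import Path

# Indicator paths named in the opening post, relative to the WordPress root.
DROPPED_FILES = ("wp-admin/.bt", "wp-admin/css/.bt")
THEME_DROPPER = "template-config.php"  # a lead to inspect, not proof on its own


def theme_dirs(root):
    themes = Path(root) / "wp-content" / "themes"
    return sorted(p for p in themes.iterdir() if p.is_dir()) if themes.is_dir() else []


def snapshot(root):
    """Hash each theme's functions.php. Take this right after a verified cleanup."""
    hashes = {}
    for theme in theme_dirs(root):
        target = theme / "functions.php"
        if target.is_file():
            digest = hashlib.sha256(target.read_bytes()).hexdigest()
            hashes[target.relative_to(root).as_posix()] = digest
    return hashes


def scan(root, baseline):
    """Return (kind, relative_path) findings for the changes the post describes."""
    root = Path(root)
    findings = [("dropped-file", rel) for rel in DROPPED_FILES if (root / rel).exists()]
    for theme in theme_dirs(root):
        dropper = theme / THEME_DROPPER
        if dropper.exists():
            findings.append(("theme-dropper", dropper.relative_to(root).as_posix()))
    # A functions.php whose hash differs from (or is missing in) the baseline.
    for rel, digest in snapshot(root).items():
        if baseline.get(rel) != digest:
            findings.append(("functions-changed", rel))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: bt_check.py <wordpress-root> <baseline.json>")
    wp_root, baseline_file = sys.argv[1], Path(sys.argv[2])
    if not baseline_file.exists():  # first run: record the clean state
        baseline_file.write_text(json.dumps(snapshot(wp_root), indent=2))
    for kind, rel in scan(wp_root, json.loads(baseline_file.read_text())):
        print(f"{kind}\t{rel}")
```

Run on a schedule, the time of the first non-empty result narrows down which access-log entries to review for the reinfection path; a theme update also changes functions.php, so refresh the baseline after each legitimate update.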

Viewing 3 replies - 1 through 3 (of 3 total)
  • Yobani

    (@yobani)

    Hello,

    My best suggestion would be to either contact a hack repair service immediately or restore from a backup.

    I would also suggest asking the malware removal service how the breach happened; they may have some additional recommendations based on the underlying cause.

    Best of luck!

  • nandhugp

    (@nandhugp)

    Is there any way I can contact you? I have the same problem. I installed a malware scanner and I found a malicious file inside a plugin. I deleted the plugin and it was fixed. Now it came back again.

  • Thread Starter hansmu158

    (@hansmu158)

    A quick update: I restored from a backup which I luckily had and everything is fine again. I am still curious how the malicious code injected itself but as I could not find a solution, restoring from an older backup seemed like the safest way to go.

  • The topic ‘.BT Hack keeps coming back’ is closed to new replies.