My site has been hacked as well, but its looks like the bot didnt finish it’s job, as I could still find the 404html plugin installed. I made a copy before deleting it.
I’ve read the files briefly and I could find that it takes all the info from your sever, files such as sileLock settings, or cPanel settings, and of course wp-admin, among others.
It has a file to run dos shell commands and the possibility to ‘mass deface’ or ‘mass delete’ all the site.
But as I could see, the main target is to modify the akismet plugin to create a backdoor to be able to inject adds to the site. They can make profit with a working site with their adds.
I’m still reading the files, it probably does a lot more than this.
