    I was facing the .bt hack for quite some time now and did not succeed in completely fixing it. Usually, removing the corrupted files didn’t help because the malicious code was still present in some file and kept replicating itself.

    The following Linux commands finally helped me to remove the malware and to sleep better at night. I hope this will help someone else, too!

    Prerequisites: You need SSH access to your web hosting.

    Step 1: Identify all corrupted files that will download the .bt and .default files with the following command:

    grep -Ril "_shaesx_" .

    This will recursively search all files that contain the string “_shaesx_”, which is part of the .bt hack, and list the found files in the command line.

    Step 2: Go through all the corrupted files and fix them. Usually, the malware code can be easily identified, because it is placed at the top of the file and is quite cryptic.

    Step 3: Run the following command to list all malware-generated files:

    # the parentheses group the -name tests so that -type f applies to all of them (not only to the first one)
    find . -type f \( -name ".bt" -o -name ".default" -o -name "template-config.php" -o -name "class-wp-http-netfilter.php" \) -exec ls -lh {} +

    This command lists all files by name that match “.bt”, “.default”, “template-config.php” and “class-wp-http-netfilter.php”.

    If you encounter other suspicious files, just add them to the list with -o -name "your-file-name".

    Step 4: Remove the listed malware files with a slight modification of the command above. Before doing this, make sure to check again that in the meantime the malware code from step 1 has not replicated itself (just run the command again).

    # same grouping as above; -exec avoids problems with unusual file names that break xargs
    find . -type f \( -name ".bt" -o -name ".default" -o -name "template-config.php" -o -name "class-wp-http-netfilter.php" \) -exec rm {} +

    This helped me to solve the problem.

    If you want to know more about the .bt hack and what it does in detail, I recommend this read: https://www.getastra.com/blog/911/bt-wordpress-malware-removal/
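The four steps above as one small POSIX shell script, added here as an example and not part of the original post: the find grouping is corrected so -type f applies to every name, and the dropped files are moved into a quarantine tree instead of being deleted. The marker string and file names come from the post; the quarantine directory and the demo tree are constructed assumptions.

```shell
#!/bin/sh
# Added example (not the poster's commands): the four steps above as a script.
# Marker string and dropped-file names are from the post; the quarantine
# directory and the demo tree are constructed here for illustration.

MARKER='_shaesx_'   # string the post says is present in every injected file

# Step 1: files whose contents carry the marker; these need manual cleaning.
find_injected() {
    grep -RilI -e "$MARKER" "$1"
}

# Step 3: files dropped by the malware. The \( ... \) grouping fixes the post's
# command: without it, -type f applies only to the first -name, so a directory
# called .default would also be matched and handed to rm.
find_dropped() {
    root=$1; shift
    find "$root" -type f \( -name '.bt' -o -name '.default' \
        -o -name 'template-config.php' -o -name 'class-wp-http-netfilter.php' \) "$@"
}

# Step 4: move dropped files into a quarantine tree instead of deleting them,
# keeping relative paths so the evidence is still available for review.
# -exec ... {} + passes paths straight to sh, so odd filenames are handled.
quarantine_dropped() {
    root=$1; qdir=$2
    find_dropped "$root" -exec sh -c '
        root=$1; qdir=$2; shift 2
        for f; do
            rel=${f#"$root"/}
            mkdir -p "$qdir/$(dirname "$rel")" && mv -- "$f" "$qdir/$rel"
        done' quarantine "$root" "$qdir" {} +
}

# Constructed demo tree (not a real site) so the functions can be tried offline,
# e.g. d=$(mktemp -d); make_demo_tree "$d"; find_injected "$d"; find_dropped "$d"
make_demo_tree() {
    d=$1
    mkdir -p "$d/wp-content/uploads" "$d/.default"   # a *directory* named .default
    printf '<?php /* _shaesx_ loader */ ?>\n<?php echo "site"; ?>\n' > "$d/index.php"
    printf '<?php echo "clean"; ?>\n' > "$d/wp-content/clean.php"
    printf 'payload\n' > "$d/wp-content/uploads/.bt"
    printf 'payload\n' > "$d/wp-content/uploads/.default"
    printf 'payload\n' > "$d/class-wp-http-netfilter.php"
    printf 'keep me\n' > "$d/.default/keep.txt"
}
```

On a real site, run find_injected and find_dropped against the web root first, clean the injected files by hand as in step 2, and only then call quarantine_dropped.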

Viewing 1 replies (of 1 total)

The topic ‘Fixing the .bt hack / .default hack’ is closed to new replies.