Title: Fixing the .bt hack / .default hack
Last modified: September 14, 2022

---

# Fixing the .bt hack / .default hack

 *  [ronhard](https://wordpress.org/support/users/ronhard/)
 * (@ronhard)
 * [3 years, 8 months ago](https://wordpress.org/support/topic/fixing-the-bt-hack-default-hack/)
 * I was facing the .bt hack for quite some time now and did not succeed in completely
   fixing it. Usually, removing the corrupted files didn’t help because the malicious
   code was still present in some file and kept replicating itself.
 * The following Linux commands finally helped me to remove the malware and to better
   sleep at night. I hope this will help someone else, too!
 * Prerequisites: You need SSH access to your webhosting.
 * **Step 1:** Identify all corrupted files that will download the .bt and .default
   files with the following command:
 * `grep -Ril "_shaesx_" .`
 * This will recursively search all files that contain the string “_shaesx_”, which
   is part of the .bt hack, and list the found files in the command line.
 * **Step 2:** Go through all the corrupted files and fix them. Usually, the malware
   code can be easily identified, because it is placed on top of the file and is
   quite cryptic.
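 * **Step 3:** Run the following command to list all malware generated files:
 *     ```
       # The parentheses make -type f apply to every -name test; -print0 / -0 keeps file names with spaces intact.
       find . -type f \( -name ".bt" -o -name ".default" -o -name "template-config.php" -o -name "class-wp-http-netfilter.php" \) -print0 | xargs -0 -r ls -lh
       ```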
   
 * This command lists all files by name that match “.bt”, “.default”, “.template-config.php”
   and “class-wp-http-netfilter.php”.
 * If you encounter other suspicious files, just add them to the list with `-o -name "your-file-name"`.
 * **Step 4:** Remove the listed malware files with a slight modification of the
   command above. Before doing this, make sure to check again that in the meantime
   the malware code from step 1 has not replicated itself (just run the command
   again).
 *     ```
       # Same grouped match as in step 3; -r skips rm when nothing matches, and -- stops option parsing.
       find . -type f \( -name ".bt" -o -name ".default" -o -name "template-config.php" -o -name "class-wp-http-netfilter.php" \) -print0 | xargs -0 -r rm --
       ```
   
 * This helped me to solve the problem.
 * If you want to know more about the .bt hack and what it does in detail, I recommend
   this read: [https://www.getastra.com/blog/911/bt-wordpress-malware-removal/](https://www.getastra.com/blog/911/bt-wordpress-malware-removal/)
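
The four steps above collected into one script, as an added example that is not part of the original post. Instead of deleting, it moves the dropped files into a quarantine directory so they stay available for later inspection; the function names and the quarantine directory are assumptions, and the marker string and file names are the ones given in the post.

```shell
#!/bin/sh
# Added example (not from the original post): triage helper for steps 1-4.
# Assumes file names contain no newline characters.
MARKER="_shaesx_"   # marker string from step 1 of the post

# Step 1: list files containing the marker (recursive, case-insensitive).
scan_marker() {
    grep -Ril -- "$MARKER" "$1" 2>/dev/null
}

# Step 3: list dropped files by name. The parentheses make -type f apply
# to every name, so a directory that happens to be called ".default"
# is never matched.
find_dropped() {
    find "$1" -type f \( -name ".bt" -o -name ".default" \
        -o -name "template-config.php" \
        -o -name "class-wp-http-netfilter.php" \)
}

# Step 4 variant: move the dropped files into a quarantine directory
# (hypothetical path, must be outside the web root) and keep their
# relative paths. Refuses to run while step 1 still reports files,
# because the injected code would recreate what was removed.
quarantine_dropped() {
    root=$1
    qdir=$2
    if [ -n "$(scan_marker "$root")" ]; then
        echo "marker still present; clean those files first (step 2)" >&2
        return 1
    fi
    find_dropped "$root" | while IFS= read -r f; do
        rel=${f#"$root"/}
        mkdir -p "$qdir/$(dirname "$rel")"
        mv -- "$f" "$qdir/$rel"
    done
}
```

Run `scan_marker .` and `find_dropped .` from the WordPress root first; `quarantine_dropped . ../quarantine` only succeeds once the marker scan comes back empty.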

Viewing 1 replies (of 1 total)

 *  [greggorymark](https://wordpress.org/support/users/greggorymark/)
 * (@greggorymark)
 * [3 years, 6 months ago](https://wordpress.org/support/topic/fixing-the-bt-hack-default-hack/#post-16245397)
 * THANK YOU!

The topic ‘Fixing the .bt hack / .default hack’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 1 reply
 * 2 participants
 * Last reply from: [greggorymark](https://wordpress.org/support/users/greggorymark/)
 * Last activity: [3 years, 6 months ago](https://wordpress.org/support/topic/fixing-the-bt-hack-default-hack/#post-16245397)
 * Status: not a support question
