.bt hack keeps coming back [closed]

Question

One of the websites I am managing has been infected by some sort of adware which seems to be the .bt Hack as I found out after some googling.
I have two themes (OceanWP is being used, Hello Elementor is also installed) installed and for each theme, the functions.php file is modified by prepending some code. Also, a file called template-config.php is created in every theme directory. It also creates the files wp-admin/.bt and wp-admin/css/.bt which contain IPs.

I found out about this because a popup is inserted into every page before the doctype:

<script>
var popunder = {expire: 6,url: "https://take-yourprizeshere1.life/?u=mr1kd0x&o=f5pp7z3&t=p"};
</script>
<script src="popunder.js"></script>

After removing all the added files and cleaning up the modified ones, everything seems fine again but after some time the changes always come back (at least once a day). I already changed the passwords and installed WordFence security to monitor the situation and to assist in the clean up.

Code inserted into functions.php: https://pastebin.com/MsR28DFS

Code inside of template-config.php: https://pastebin.com/SUqaqL5K

The following plugins are active: Polylang Elementor Connector, Duplicator, Easy HTTPS (SSL) Redirection, Elementor, Ocean Extra, Polylang, SiteOrigin CSS, Tuxedo Big File Uploads, UpdraftPlus, Wordfence Security

All the plugins and the WordPress version are up to date and are updated regularly.

Does anyone have an idea how to proceed? How do I get rid of this completely?

0
HansMu158 2 months 0 Answers 14 views 0

Leave an answer