WordPress: How to Deal With and Remove the .bt Malware Hack

In this post we’ll discuss another WordPress related issue and show you how you can neutralize and remove the .bt WordPress malware/hack from your website. We’ve come across malware before, but this particular malware/hack is highly annoying and honestly, at first we could not figure out where the issue was coming from, or whether we even had an issue. That’s how sneaky it is.

The .bt WordPress hack can be described as malware which infects WordPress sites and lures or redirects visitors to malicious pharma websites, and possibly others.

Symptoms of the .bt Hack

The first clue that something was not right with our site was the presence of a pop-up ad. We never use pop-up ads, and this one would get triggered when clicking on a link or on un-linked space on any blog post on the site. It also appeared to happen only once per day/session. So while our site does have some ads, we knew that we had never added pop-up or pop-under ads (because that would be annoying). With that in mind, the investigation began.

Troubleshooting the .bt hack/malware

1.  Malware detection via AdSense

Considering that there was somehow a pop-up ad on the site, the first thing I did was go to the AdSense control panel and confirm that pop-up ads were indeed not active. Then I reviewed the Ad Settings Preview section in my AdSense account and indeed, there were a series of strange links displaying in both the Mobile and Desktop AdSense previews. Keep in mind that the .bt hack has nothing to do with AdSense; it is only that the AdSense control panel happened to expose the malware and show us that something was not right.

2.  Search your site for the .bt hack and related files

We assume here that you have SSH access to your host, as all of the troubleshooting below is performed from the command line.

Step 2a – Search for .bt files.
The .bt hack will include at minimum a “.bt” file in the root folder of your website and possibly several others. This file will contain a long list of IP addresses.

Run the following command from the root folder of your website to find all occurrences of the .bt file. Here we see its presence in the root, css and cgi-bin folders:

user@yourwebsite.com [~]# find . -name '*.bt' -print
./public_html/yourwebsite/.bt
./public_html/yourwebsite/wp-admin/css/.bt
./public_html/yourwebsite/cgi-bin/.bt

Step 2b – Search for known .bt malware keywords:
Next, look for the keywords '_shaesx_' and 'get_data_ya' in your .php files. You can run the following one-liner from your root folder, which will dump the list of matching files to 'bt_list.txt' (or whatever you want to call it) so you can inspect it once the search has completed:
user@yourwebsite.com [~]# grep -irl '_shaesx_\|get_data_ya' * > bt_list.txt

And while the results may vary for you, here we can see that those keywords were found in functions.php within various themes:
premig.1597079350/wp-content/themes/twentyseventeen/functions.php
premig.1597079350/wp-content/themes/twentynineteen/functions.php
premig.1597079350/wp-content/themes/twentysixteen/functions.php
premig.1597079350/wp-content/themes/twentytwenty/functions.php
premig.1597079350/wp-content/themes/sinatra/functions.php
public_html/yourwebsite/wp-content/themes/twentynineteen/functions.php
public_html/yourwebsite/wp-content/themes/awaken/functions.php
public_html/yourwebsite/wp-content/themes/twentytwenty/functions.php
www/yourwebsite/wp-content/themes/twentynineteen/functions.php
www/yourwebsite/wp-content/themes/awaken/functions.php
www/yourwebsite/wp-content/themes/twentytwenty/functions.php
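The two searches above (Step 2a for hidden .bt files, Step 2b for the marker strings in PHP files) can be combined into one scan that writes a single findings file, which is also handy for the re-checks in the removal steps later. This is an added example, not a script from the original post; it assumes GNU find and grep as used above, and the fixture it builds is a constructed stand-in for a site, not real infected data.

```shell
#!/bin/sh
# Added example (not from the original post): repeat Steps 2a and 2b in one pass
# over a WordPress document root and write every finding to a report file.
# Assumes GNU find and grep, as in the post's own commands.

# scan_bt_hack ROOT REPORT: scan ROOT, write findings to REPORT, print the count.
scan_bt_hack() {
    root="$1"
    report="$2"
    : > "$report"
    # 2a: files named .bt anywhere under the root. find sees hidden files,
    # whereas a bare '*' shell glob (as in the grep one-liner) skips dotfiles.
    find "$root" -type f -name '*.bt' -print | sed 's/^/BT_FILE /' >> "$report"
    # 2b: PHP files carrying either marker. -i case-insensitive, -l names only,
    # -F literal strings so '_' and '.' are not read as regex metacharacters.
    find "$root" -type f -name '*.php' \
        -exec grep -ilF -e '_shaesx_' -e 'get_data_ya' {} + \
        | sed 's/^/PHP_MARKER /' >> "$report"
    wc -l < "$report" | tr -d ' '
}

# Constructed fixture (not a real site): one clean theme, one theme whose
# functions.php carries a marker string, and a hidden .bt file in the site root.
# Prints the fixture directory so the caller can scan and then remove it.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/themes/clean" "$dir/wp-content/themes/hit"
    printf '<?php\n// ordinary theme functions\n' \
        > "$dir/wp-content/themes/clean/functions.php"
    printf '<?php\n/* constructed sample containing the marker _shaesx_ */\n' \
        > "$dir/wp-content/themes/hit/functions.php"
    printf '192.0.2.1\n192.0.2.2\n' > "$dir/.bt"   # RFC 5737 documentation addresses
    echo "$dir"
}

# count_findings REPORT KIND: number of report lines of one kind (BT_FILE or PHP_MARKER).
count_findings() {
    grep -c "^$2 " "$1"
}
```

Run the scan after each removal step and again a day later; a report that is empty on the second run is the check that Step 3 of the removal section asks for.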

How to remove the .bt Malware Hack

Note that the following solutions worked for us but your particular situation may vary. Hopefully these actionable steps will be helpful to you:

1. Delete your WordPress themes – Yes, this kind of sucks. But due to the nature of the .bt malware/hack, chances are that ALL of your themes will be affected when you check your results from Step 2b. It’s best to install and activate the Twenty Twenty theme temporarily and then delete all of your themes. After you finish the remainder of the maintenance below, you can re-install and re-activate your theme.
2. Delete the .bt files – These are the .bt files that you found when running the find command in Step 2a in the 2nd section above. Delete all of the .bt files.
Important:  Re-run Step 2a and double and triple check that the .bt files have not returned. They should stop getting generated once you have deleted/re-installed your themes.
3. Run Steps 2a and 2b again – It may seem redundant, but we want to re-run the searches to ensure that the .bt malware is no longer active. If you find that the files or hacks are indeed coming back, it may be related to a cronjob running on your server. This was not the case with us.
4. Reinstall WordPress – This can be seen as the nuclear option, but it will ensure that all core files, as well as your database, are clean. In our case, there was a new WordPress update available and waiting to be installed so that was good enough for us to get a fresh (enough) start.

WordPress Malware Prevention

1.  Change your passwords – I cannot stress this enough. Change your WordPress and hosting passwords to something that is NOT the name of your cat. Complex passwords as well as 2-Step Verification are also critical in today’s age.

2. Install a security plugin – A plugin such as Wordfence is very helpful for scanning WordPress installations for malware and will notify you of any suspicious activity. There is a premium and free version of Wordfence but even the free version has a ton of great features. Invaluable.

This post will be updated as more information comes to light.

Has your website been affected by malware or this particular hack? Let us know if this post was helpful in solving the .bt Malware issue for you.

5 thoughts on “WordPress: How to Deal With and Remove the .bt Malware Hack”

  1. The problem is that it keeps coming back again. In your article you mentioned small steps to delete it. It goes into the DB as well; that should be deleted too.
    I need your help to remove this so that it doesn’t come again. Or please tell me which backdoor is open, from where this is coming again and again.

    1. If your WP database is affected and deleting and re-installing your themes (Step 1) didn’t scrub all instances of the hack, you will likely need to re-install WordPress completely (Step 4). It’s a nasty hack unfortunately, so make sure you’ve got clean backups of your content before re-installing.
