I want to point out as well that my site didn’t have Wordfence Security plugin installed when it was hacked.
My site has been hacked as well, but its looks like the bot didnt finish it’s job, as I could still find the 404html plugin installed. I made a copy before deleting it.
I’ve read the files briefly and I could find that it takes all the info from your sever, files such as sileLock settings, or cPanel settings, and of course wp-admin, among others.
It has a file to run dos shell commands and the possibility to ‘mass deface’ or ‘mass delete’ all the site.
But as I could see, the main target is to modify the akismet plugin to create a backdoor to be able to inject adds to the site. They can make profit with a working site with their adds.
I’m still reading the files, it probably does a lot more than this.
