In order to limit the impact of the exploit when looking at a solution, I have written a small plugin that checks the .htaccess file content every hour and restores the correct file if it has been modified.
<?php
/*
* Plugin Name: Fight the exploit
* Author: Fabien Quatravaux
* Version: 1.0
*/
register_activation_hook( __FILE__, 'install_fight_exploit' );
function install_fight_exploit(){
wp_schedule_event(time(), 'hourly', 'check_htaccess');
}
function retore_htaccess() {
$res = copy( dirname(__FILE__) . '/htaccess', get_home_path() . '.htaccess' );
}
add_action( 'check_htaccess', 'check_htaccess' );
function check_htaccess(){
require_once( ABSPATH . 'wp-admin/includes/file.php' );
$prod = file_get_contents( get_home_path() . '.htaccess' );
$should_be = file_get_contents( dirname(__FILE__) . '/htaccess' );
if( $prod != $should_be ) {
retore_htaccess();
$num = get_option( 'retore_htaccess_num', 0 );
$num++;
add_option( "retore_htaccess_$num", time() );
update_option( 'retore_htaccess_num', $num );
}
return ($prod == $should_be);
}
register_deactivation_hook( __FILE__, 'uninstall_fight_exploit' );
function uninstall_fight_exploit(){
wp_clear_scheduled_hook('check_htaccess');
}
As you can see, each time the .htaccess file needs to be modified, I log it into the database, along with the time. After one day and a half, I saw that during the first 24 hours after the plugin activation, .htaccess files has been modified each time the scheduled task has been run. It means that there is some automatic mechanism that put the hack back into the .htaccess file !
Then after this first 24 hours period of time, no more modifications has been done, as if the exploit has given up.