My client had his WordPress site attacked. His site is not a juicy target; the attack consisted of redirecting the site to another site.
That in itself is no surprise; the weird thing is that both the SSH and FTP passwords have been changed (for context, the site is on a VPS on DreamHost, so no root access). AFAIK this can't be done, even with arbitrary code execution, if both of these are true:
- the code is run under a non-root user and the current password is not known.
- no root access.
My hypothesis is that the attacker got into my client's DreamHost account (because I verified he used a known password and email combination) and used DreamHost's panel to change the SSH user's password, but it's weird that the attacker did not change the DreamHost account password itself; he just changed the SSH user password and the FTP password.
Also, the .bash_history shows no commands other than the 2 silly commands that made the site redirect somewhere else (that makes me think it was a bot: no ls, no exploration, nothing, just a wp options command used a single time to redirect the site).
I'm trying to assess whether any other vectors could do this.
I have not found any evidence of file tampering; the password for the WordPress site itself was not changed. I checked all the files that were modified in the week before the attack, and nothing looks out of place. Since .bash_history was not cleaned, it seems the attacker was not worried about covering his tracks.
Could some arbitrary PHP or bash code with permissions 755, owned by a non-root user, change that account's password without previously knowing the password? Please suggest possible vectors.
As far as I know, any command capable of changing the user's password will always ask for the current password.
root's password is an unlikely vector, since it is not even known to us; DreamHost does not provide it.
Also, no Linux user passwords in plain text exist in the source in the user's home directory or below, or anywhere else as far as I know.