Hi, the file owner on one site was changed to something like 1008 clientXX. All files on the site were affected, but other sites are OK. I have ISPConfig v 3.0.5.4p9. How is it possible that the owner of files on a website on an ISPConfig web server was changed from webXXX to 1008, while the group stayed the same? It looks like an attack, but I can't find any funny log entries. Thank you and best regards.
It seems that the user for the ID 1008 is missing in /etc/passwd, or you have multiple entries for this ID.
Hi,
more /etc/passwd |grep 1008
web409:x:1012:1008::/var/www/clients/client84/web409:/bin/false
web415:x:1015:1008::/var/www/clients/client84/web415:/bin/false
web386:x:1034:1008::/var/www/clients/client84/web386:/bin/false
Multiple entries ... It happened when the site was hacked. I want to prohibit future actions like this, so what can I do so that a web user cannot change permissions on a site's files? Thank you. Tomaz
The 1008 here is the group 1008 and not a user with that ID. A web server process cannot set the user ID to an ID that differs from the web user. So either the user with ID 1008 is missing now and existed before, or the file was placed there by the root user. Are you really sure that this file was placed by a hack on this system? Maybe the file was in a tar archive that you unpacked as root on the server and you might have noticed it just now, as this would explain a non-existing UID.
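The distinction made in the last reply (in /etc/passwd the third field is the UID and the fourth is the primary GID), together with a check for files whose owner UID has no passwd entry, as an added example that is not part of the original thread. The function names `id_usage` and `orphaned_files` are hypothetical, and the sample file holds the three passwd lines quoted above.

```shell
#!/bin/sh
# Added example; function names are hypothetical. The passwd lines below are
# the ones quoted in the thread, written to a temp file, not the real /etc/passwd.

# Show how a numeric ID is used in a passwd-format file.
# Field 3 is the UID, field 4 is the primary GID.
id_usage() {  # usage: id_usage <passwd_file> <numeric_id>
    awk -F: -v id="$2" '
        $3 == id { print "uid " $1 }
        $4 == id { print "gid " $1 }
    ' "$1"
}

# List "<uid> <path>" for files under a directory whose owner UID has no
# entry in the passwd file (ls shows these as a bare number).
orphaned_files() {  # usage: orphaned_files <passwd_file> <dir>
    find "$2" -type f | while IFS= read -r path; do
        uid=$(ls -ldn "$path" | awk '{ print $3 }')   # numeric owner
        awk -F: -v u="$uid" '$3 == u { found = 1 } END { exit !found }' "$1" \
            || printf '%s %s\n' "$uid" "$path"
    done
}

sample=$(mktemp)
cat > "$sample" <<'EOF'
web409:x:1012:1008::/var/www/clients/client84/web409:/bin/false
web415:x:1015:1008::/var/www/clients/client84/web415:/bin/false
web386:x:1034:1008::/var/www/clients/client84/web386:/bin/false
EOF
id_usage "$sample" 1008   # every match is a "gid" line: 1008 is no one's UID
rm -f "$sample"
```

On a live server, `orphaned_files /etc/passwd /var/www/clients/client84/web409` lists the files that show a bare numeric owner; `find <dir> -nouser` does the same lookup through the system's own user database.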