Hi HowtoForge Community! I have found a lot (+800) of strange files on my server. The file names look like this: /etc/.#gshadowzfpXan, /etc/.#gshadowqK2cgQ and so on. Some files are relatively new (2 days). The files are all empty and have the same owner and permissions as /etc/gshadow. Does someone know what this is about? Google did not help me ... Yours, Gerd
Oh sorry, I forgot to give the system info because I thought this was so characteristic that someone might know what it is: Debian 10 (Buster) system with dovecot, apache, bind9 and ISPConfig. grep gsha /var/log/syslog or grep gsha /var/log/messages returns nothing. The system runs quite normally, it is just that I am trying to understand what causes these strange files. Yours, Gerd
1. When it is an ISPConfig server, you should post in its specific board instead of general Linux, which may help us to help you better, knowing your server build and setup. 2. No, we normally do not know more than you do. If your research / Google search returned nothing concrete / specific, normally ours will not either. 3. In any event, you should check your access log and when the claimed mysterious folders / files appeared in that /etc folder. A simple command like ls -lah may provide their date and time stamps.
I've not seen that yet. What I can tell you at least is that it's nothing that ISPConfig is normally doing. ISPConfig is just using regular Linux commands like useradd to add or manage Linux system users.
No, no Google Drive or something. I found that the files are created at boot time. lsof does not show any process using the files. I will keep searching and will report any findings. Yours, Gerd
It means there were processes during boot that created them. You may want to list and check what runs on boot. Edited: You might want to do further research on the /etc/gshadow file and its Linux manual. You might also want to check the contents of those files and compare them to your system's own gshadow file. Try reading this as well: https://www.thegeekdiary.com/grpck-...tries-in-the-etc-group-and-etc-gshadow-files/
Good morning, it happens to me too. Debian Buster and the latest ISPConfig version. It only happens when restarting the server. Did you manage to find any solution?
Hi buhler, no, unfortunately I have not found out what causes these files. I have updated the server to Bullseye since then, but the files still appear with every reboot. I was very worried whether this could be a sign of compromise, but in the meantime I have calmed down (for no objective reason). It would be great if we could find out the cause; I will also start a new attempt at investigation. Yours, Gerd
Thanks for the feedback. I've gone through everything on my server. This is a really strange situation.
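The checks suggested in this thread (time stamps, comparison against /etc/gshadow, correlation with reboots) can be scripted. The following is an added example, not code posted by any participant; the function names are hypothetical and it assumes GNU stat as shipped on Debian.

```shell
#!/bin/sh
# Added example (not from the thread): audit ".#gshadow*" leftovers in a directory.
# Assumes GNU coreutils (stat -c), as on Debian.

# audit_leftovers DIR REF
# Prints one "ODD" line for every leftover that is non-empty or whose
# owner:group/mode differs from REF, then a summary "total=N odd=M".
audit_leftovers() {
    dir=$1
    ref=$2
    ref_meta=$(stat -c '%U:%G %a' "$ref") || return 2
    total=0
    odd=0
    for f in "$dir"/.#gshadow*; do
        [ -e "$f" ] || continue          # glob matched nothing
        total=$((total + 1))
        meta=$(stat -c '%U:%G %a' "$f")
        size=$(stat -c '%s' "$f")
        if [ "$size" -ne 0 ] || [ "$meta" != "$ref_meta" ]; then
            odd=$((odd + 1))
            printf 'ODD %s size=%s meta=%s expected=%s\n' \
                "$f" "$size" "$meta" "$ref_meta"
        fi
    done
    printf 'total=%s odd=%s\n' "$total" "$odd"
}

# mtime_clusters DIR
# Counts leftovers per modification minute ("count YYYY-MM-DD HH:MM").
# Each cluster can then be compared with the boot times from `last -x reboot`.
mtime_clusters() {
    dir=$1
    for f in "$dir"/.#gshadow*; do
        [ -e "$f" ] || continue
        stat -c '%y' "$f"
    done | cut -c1-16 | sort | uniq -c
}

# Run against a directory given on the command line, e.g.: sh audit.sh /etc
if [ "$#" -gt 0 ]; then
    audit_leftovers "$1" "$1/gshadow"
    mtime_clusters "$1"
fi
```

A summary with odd=0 and one cluster per reboot matches what the posts above describe; any ODD line, or a cluster that matches no reboot, is the file to look at first.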