Hello, recently ownership of some of the wwwroots was changed from webxx:client0 to 5058:client0, am I hacked? jab
Possible, but I don't think so; I see no reason why a hacker should remove users. The more likely reason is a technical issue, e.g. a corruption of the passwd file. Check the passwd and group files with the pwck and grpck commands (make a backup of the /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow files first).
I will do that. By the way, yesterday I erased web57 and this happened with my passwd files: in the /etc directory I have two passwd files

-rw-r--r-- 1 root root 4948 Feb 14 10:15 passwd
-rw------- 1 root root 5009 Feb 13 17:47 passwd-

The difference between them is:

passwd
90 web56:x:5057:5005::/var/www/clients/client0/web56:/bin/false
91 web58:x:5059:5005::/var/www/clients/client0/web58:/bin/false

passwd-
90 web56:x:5057:5005::/var/www/clients/client0/web56:/bin/false
91 web57:x:5058:5005::/var/www/clients/client0/web57:/bin/false
92 web58:x:5059:5005::/var/www/clients/client0/web58:/bin/false

-----------------------

-rw-r--r-- 1 root root 1145 Feb 14 10:15 group
-rw------- 1 root root 1150 Feb 13 18:07 group-

differ in line 58

group
57 getmail:x:5001:
58 sshusers:x:5002:web2,web3,web4,web5,web6,web7,web8,web9,web10,web11,web12,web13,web14,web15,web16,web17,web18,web19,web20,web21,web22,web23,web24,web25,web26,web27,web28,web29,web30,web31,web32,web33,web34,web35,web36,web37,web38,web39,web40,web41,web42,web43,web44,web45,web46,web48,web49,web50,web51,web52,web53,web54,web55,web56,web58
59 ispapps:x:5003:www-data
60 ispconfig:x:5004:www-data
61 client0:x:5005:www-data
62 fuse:x:117:

group-
57 getmail:x:5001:
58 sshusers:x:5002:web2,web3,web4,web5,web6,web7,web8,web9,web10,web11,web12,web13,web14,web15,web16,web17,web18,web19,web20,web21,web22,web23,web24,web25,web26,web27,web28,web29,web30,web31,web32,web33,web34,web35,web36,web37,web38,web39,web40,web41,web42,web43,web44,web45,web46,web48,web49,web50,web51,web52,web53,web54,web55,web56,web57,web58
59 ispapps:x:5003:www-data
60 ispconfig:x:5004:www-data
61 client0:x:5005:www-data
62 fuse:x:117:
root@faster7:/etc# pwck -r passwd
user 'lp': directory '/var/spool/lpd' does not exist
user 'news': directory '/var/spool/news' does not exist
user 'uucp': directory '/var/spool/uucp' does not exist
user 'list': directory '/var/list' does not exist
user 'irc': directory '/var/run/ircd' does not exist
user 'gnats': directory '/var/lib/gnats' does not exist
user 'nobody': directory '/nonexistent' does not exist
user 'statd': directory '/var/lib/nfs' does not exist
user 'ntp': directory '/home/ntp' does not exist
user 'mysql': directory '/nonexistent' does not exist
user 'dovenull': directory '/nonexistent' does not exist
pwck: no changes

root@faster7:/etc# pwck -r passwd-
user 'lp': directory '/var/spool/lpd' does not exist
user 'news': directory '/var/spool/news' does not exist
user 'uucp': directory '/var/spool/uucp' does not exist
user 'list': directory '/var/list' does not exist
user 'irc': directory '/var/run/ircd' does not exist
user 'gnats': directory '/var/lib/gnats' does not exist
user 'nobody': directory '/nonexistent' does not exist
user 'statd': directory '/var/lib/nfs' does not exist
user 'ntp': directory '/home/ntp' does not exist
user 'mysql': directory '/nonexistent' does not exist
user 'dovenull': directory '/nonexistent' does not exist
user 'web57': directory '/var/www/clients/client0/web57' does not exist
pwck: no changes

root@faster7:/etc# pwck -q passwd
root@faster7:/etc# pwck -s passwd
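The comparison done by hand in this thread, as an added example that is not part of any post: it lists accounts present in the passwd- backup but gone from passwd, then maps numeric file owners that no longer resolve back to the account that used to hold the UID. The function names are hypothetical, the sample passwd lines are constructed from the ones quoted above, and `stat -c` assumes GNU coreutils or BusyBox.

```sh
#!/bin/sh
# removed_accounts CURRENT BACKUP
# Print "name uid" for each account that is in BACKUP but not in CURRENT.
removed_accounts() {
    awk -F: 'pass == 1 { seen[$1] = 1; next }
             !($1 in seen) { print $1, $3 }' pass=1 "$1" pass=2 "$2"
}

# explain_orphans DIR CURRENT BACKUP
# For every path under DIR whose numeric owner has no entry in CURRENT, print
# "uid former-name path". former-name is "?" when BACKUP does not know the UID
# either, which is the case that deserves a closer look.
explain_orphans() {
    find "$1" -exec stat -c '%u:%n' {} + |
        awk -F: 'pass == 1 { known[$3] = 1; next }
                 pass == 2 { if (!($3 in known)) former[$3] = $1; next }
                 !($1 in known) {
                     uid = $1
                     sub(/^[^:]*:/, "")   # drop the uid, keep the whole path
                     name = (uid in former) ? former[uid] : "?"
                     print uid, name, $0
                 }' pass=1 "$2" pass=2 "$3" pass=3 -
}

# Constructed sample: the two passwd versions quoted in the thread.
demo=$(mktemp -d)
printf '%s\n' \
    'web56:x:5057:5005::/var/www/clients/client0/web56:/bin/false' \
    'web58:x:5059:5005::/var/www/clients/client0/web58:/bin/false' > "$demo/passwd"
printf '%s\n' \
    'web56:x:5057:5005::/var/www/clients/client0/web56:/bin/false' \
    'web57:x:5058:5005::/var/www/clients/client0/web57:/bin/false' \
    'web58:x:5059:5005::/var/www/clients/client0/web58:/bin/false' > "$demo/passwd-"
removed_accounts "$demo/passwd" "$demo/passwd-"   # prints: web57 5058
rm -rf "$demo"
```

On the server itself the equivalent call would be `explain_orphans /var/www/clients /etc/passwd /etc/passwd-`, run as root so every path is readable.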