Client web root hacked, has Linux installation that cannot be removed

Discussion in 'Server Operation' started by [email protected], Jan 4, 2020.

  1. Hi
    I'm moving my production server to a new server and, while preparing for the move, found strange directories in the client web root directories.
    It looks like there is a Linux install in /var/www/clients/clientN/webN/; here one finds bin/, dev/, etc/, home/, lib/, lib64/, usr/ and var/.
    All have files etc. This surely looks like a hacked server, but strangely enough I'm unable to delete those directories using rm or rmdir with different parameters, either as root or using sudo.
    I would appreciate any ideas on how to clean up this mess. Here is a sample below; I changed permissions on dev/ with chown root (was root) and chmod 777.

    root@host:/var/www/clients/client1/web2# rmdir -v --ignore-fail-on-non-empty usr/
    rmdir: removing directory, 'usr/'
    rmdir: failed to remove 'usr/'
    root@host:/var/www/clients/client1/web2# rmdir -v --ignore-fail-on-non-empty var
    rmdir: removing directory, 'var'
    rmdir: failed to remove 'var'
    root@host:/var/www/clients/client1/web2# ls -al
    total 80
    drwxr-xr-x 19 root root 4096 júl 26 17:31 .
    drwxr-xr-x 14 root root 4096 jan 4 11:13 ..
    drwxr-xr-x 2 web2 client1 4096 nóv 8 2016 backup
    -rwxr-xr-x 1 web2 client1 87 mar 4 2015 .bash_history
    drwxr-xr-x 2 root root 4096 jan 4 10:46 bin
    drwxr-xr-x 2 web2 client1 4096 nóv 21 2013 cgi-bin
    drwxrwxrwx 2 root root 4096 jan 4 08:11 dev
    drwxr-xr-x 6 root root 4096 des 11 22:52 etc
    drwxr-xr-x 2 root root 4096 jan 4 11:56 home
    drwxr-xr-x 4 root root 4096 nóv 29 2013 lib
    drwxr-xr-x 2 root root 4096 nóv 29 2013 lib64
    drwxr-xr-x 2 root root 4096 jan 4 08:11 log
    drwx--x--- 2 web2 client1 4096 nóv 21 2013 private
    drwx------ 2 web2 client1 4096 nóv 8 2016 .ssh
    drwxr-xr-x 2 root root 4096 des 11 18:43 ssl
    drwxrwxrwx 2 web2 client1 4096 apr 9 2018 tmp
    drwxr-xr-x 6 root root 4096 nóv 29 2013 usr
    drwxr-xr-x 4 root root 4096 júl 26 17:31 var
    drwx--x--- 24 web2 client1 4096 okt 6 2017 web
    drwxrwx--- 3 web2 client1 4096 des 11 18:44 webdav

    Regards
    Stefan
     
  2. till (Super Moderator, Staff Member, ISPConfig Developer)

    The client has not been hacked; the directories you found are OK and belong to the website jail. So don't change it, and especially don't chmod 777, as this makes the website insecure and will break the jail, which means secure SSH users and also secure cronjobs will probably fail now.

    The reason why you can't remove the directories is that the folder /var/www/clients/client1/web2 is set to be immutable, to protect these folders, as removing them will break that website. If you want to remove them anyway and don't care that this website keeps working, then run:

    chattr -i /var/www/clients/client1/web2

    and then remove them. But it is highly recommended not to remove them, as they are required by that site and have been added by ISPConfig.
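As an added example (not code from the thread or from ISPConfig), the following POSIX shell helpers let an administrator confirm the explanation above before treating a site like this as compromised: they read the immutable flag with `lsattr -d`, and they list which of the jail directories from the poster's listing exist under a site root. It assumes `lsattr`/`chattr` from e2fsprogs are installed, uses the site path /var/www/clients/client1/web2 from the thread, and the two sample `lsattr` lines are constructed for the example rather than captured output.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISPConfig. It checks the
# explanation in the answer above: a web root that rm/rmdir cannot delete
# is normally one that ISPConfig marked immutable with `chattr +i`, and the
# bin/ dev/ etc/ ... directories are the website jail, not a planted OS.
# Assumptions: lsattr/chattr from e2fsprogs are installed; the site path
# /var/www/clients/client1/web2 is the one from the thread; the two sample
# lsattr lines below are constructed for this example, not captured output.

# Top-level directories the answer identifies as part of the website jail
# (names taken from the poster's listing).
JAIL_DIRS="bin dev etc home lib lib64 usr var"

# Constructed sample lines in `lsattr -d` format ("<flags> <path>").
# A lowercase 'i' in the flag field means the immutable attribute is set;
# 'e' just means the inode uses extents and is normal on ext4.
SAMPLE_IMMUTABLE='----i---------e------- /var/www/clients/client1/web2'
SAMPLE_MUTABLE='--------------e------- /var/www/clients/client1/web2/tmp'

# Parse one lsattr line and return 0 if the immutable flag is present,
# 1 otherwise. Only the flag field (text before the first space) is
# inspected, so an 'i' inside the path cannot cause a false positive.
lsattr_line_is_immutable() {
    flags=${1%% *}
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Query a real directory. -d reports the directory itself rather than its
# contents. Prints "immutable", "mutable", or "unknown" when lsattr is
# missing or the filesystem does not support attributes (e.g. some
# container overlays), so the caller can distinguish "not set" from
# "could not check".
dir_immutable_state() {
    line=$(lsattr -d "$1" 2>/dev/null) || { echo unknown; return 0; }
    if lsattr_line_is_immutable "$line"; then
        echo immutable
    else
        echo mutable
    fi
}

# Print, space-separated, which of the jail directories exist directly
# under a site root, to compare with the layout in the thread before
# concluding that anything was planted.
jail_entries_present() {
    found=""
    for d in $JAIL_DIRS; do
        [ -d "$1/$d" ] && found="${found:+$found }$d"
    done
    printf '%s\n' "$found"
}

# Typical use on the path from the thread (root is needed to read the
# attribute of directories you cannot otherwise traverse):
#   dir_immutable_state /var/www/clients/client1/web2   # expect: immutable
#   jail_entries_present /var/www/clients/client1/web2  # expect the jail dirs
# The answer's `chattr -i <site root>` clears the flag; `chattr +i` restores
# it after any deliberate maintenance so the jail stays protected.
```

Running `dir_immutable_state` on the site root and seeing `immutable` is the quick confirmation that the undeletable directories are ISPConfig's protection rather than an attacker's; `jail_entries_present` showing exactly the bin/dev/etc/home/lib/lib64/usr/var set matches the jail layout in the listing above.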
     
  3. Ok thank you, I will undo my changes.