Hello, i was running ISPConfig 3.0.5.4p8 until few days ago, when i succesfully upgraded to 3.1.2. I have a custom IDS, based on fileschanged binary, monitoring sensible files on the system and giving me (almost) real time warnings via mail. One two hours ago i was well in the bed, going to fall asleep, when my phone produced the unique sound i've set up for the notifications coming from IDS. I jumped off bed and read in the notification that every single .htaccess file in the stats folder of every vhost was changed in a range of 4 seconds. I run more than 40 vhosts. Those folders are owned by root in ISPConfig 3, i said to myself, i've been rooted. I'm here writing now, and i know i was not rooted. Nothing strange in those files: Code: [email protected]:~# cat /var/www/clients/client1/web1/web/stats/.htaccess AuthType Basic AuthName "Members Only" AuthUserFile /var/www/clients/client1/web1/web/stats/.htpasswd_stats ISPConfig's cron server.sh did this i think.. i took a look in the log and found: Code: Wed Mar 22 00:02:05 CET 2017 Warning: Truncating oversized referrer field Note that it is 1 second before the first file was modified. The weirdest thing, is that timestamp of files that according to my IDS have been modified all have the original (date time of vhost's creation) timestamp!! Code: [email protected]:~# ls -la /var/www/clients/client1/web1/web/stats/.htaccess -rwxr-xr-x 1 web1 client1 126 Feb 28 2015 /var/www/clients/client1/web1/web/stats/.htaccess And so i found that no content, no timestamp, but ownership of the files and stat folder where modified. I think i understood some-but-not-every-thing. That's why i'm writing this post. I upgraded ISPConfig on March 19, 1:04AM GMT+1, and the following happened March 22, 0:02:05 AM GMT+1 Why such thing happened days after the ISPConfig upgrade, and not the same day (or day after?, or during installation?) What actually caused the folder to be chowned? Why the folder was owned by root and now is owned by the same user as vhost's? Is this a change in ISPConfig or webalizer, or some other thing? Two hours after that scary beep from my phone, good night guys. Thanks to who will help understand exactly what happend.
