stats folders ownership change detected 3 days after upgrade

Discussion in 'General' started by mlnzigzag, Mar 22, 2017.

  1. mlnzigzag


    Hello, I was running ISPConfig until a few days ago, when I successfully upgraded to 3.1.2.
    I have a custom IDS, based on the fileschanged binary, monitoring sensitive files on the system and giving me (almost) real-time warnings via mail. One or two hours ago I was well in bed, about to fall asleep, when my phone produced the unique sound I've set up for the notifications coming from the IDS. I jumped out of bed and read in the notification that every single .htaccess file in the stats folder of every vhost was changed in a range of 4 seconds. I run more than 40 vhosts. Those folders are owned by root in ISPConfig 3, I said to myself, I've been rooted. :(
    I'm here writing now, and I know I was not rooted.
    Nothing strange in those files:
    root@web:~# cat /var/www/clients/client1/web1/web/stats/.htaccess
    AuthType Basic
    AuthName "Members Only"
    AuthUserFile /var/www/clients/client1/web1/web/stats/.htpasswd_stats
    ISPConfig's cron did this, I think. I took a look in the log and found:
    Wed Mar 22 00:02:05 CET 2017 Warning: Truncating oversized referrer field
    Note that it is 1 second before the first file was modified.
    The weirdest thing is that the files that according to my IDS have been modified all have the original timestamp (date and time of the vhost's creation)!!
    root@web:~# ls -la /var/www/clients/client1/web1/web/stats/.htaccess
    -rwxr-xr-x 1 web1 client1 126 Feb 28  2015 /var/www/clients/client1/web1/web/stats/.htaccess
    And so I found that no content and no timestamp, but the ownership of the files and the stats folder, were modified.

    I think I understood some-but-not-everything. That's why I'm writing this post.

    I upgraded ISPConfig on March 19, 1:04 AM GMT+1, and the following happened on March 22, 0:02:05 AM GMT+1.
    Why did such a thing happen days after the ISPConfig upgrade, and not the same day (or the day after, or during installation)?
    What actually caused the folder to be chowned?
    Why was the folder owned by root, and why is it now owned by the same user as the vhost's?
    Is this a change in ISPConfig or webalizer, or some other thing?

    Two hours after that scary beep from my phone, good night guys.
    Thanks to whoever will help me understand exactly what happened.
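
Added example, not part of the original post: a Python sketch of how a file-integrity check can separate the case described above (content and mtime unchanged, owner changed) from a content change. `ls -l` shows mtime, which chown and chmod do not update; they update ctime instead. The function names and the sample file are constructed, and chmod stands in for chown because chown needs root.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(path):
    """Record what a file-integrity baseline needs to triage an alert."""
    st = os.lstat(path)
    digest = None
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
    return {"uid": st.st_uid, "gid": st.st_gid,
            "mode": stat.S_IMODE(st.st_mode), "size": st.st_size,
            "mtime_ns": st.st_mtime_ns,  # what `ls -l` displays
            "ctime_ns": st.st_ctime_ns,  # updated by chown/chmod as well
            "sha256": digest}

def changed_fields(before, after):
    return sorted(k for k in before if before[k] != after[k])

def classify(before, after):
    """Name the most significant kind of change between two snapshots."""
    diff = set(changed_fields(before, after))
    if not diff:
        return "unchanged"
    if diff & {"sha256", "size"}:
        return "content"
    if diff & {"uid", "gid", "mode"}:
        return "ownership-or-mode"
    return "timestamps-only"

def demo():
    """Constructed sample file; chmod stands in for the chown in the post."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".htaccess")
        with open(path, "w") as fh:
            fh.write('AuthType Basic\nAuthName "Members Only"\n')
        os.utime(path, (1425081600, 1425081600))  # 2015-02-28 00:00 UTC
        before = snapshot(path)
        os.chmod(path, 0o755)  # metadata-only change, mtime untouched
        after = snapshot(path)
        return classify(before, after), changed_fields(before, after)

if __name__ == "__main__":
    kind, fields = demo()
    print(kind, fields)
```

Storing such a snapshot per monitored file lets the alert mail state which attribute changed instead of only that the file changed.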
