Debian GNU/Linux 9.1 Stretch, ISPConfig 3.1.7p1 Is there any explanation how some of the files /usr directory tree changed owner and group? I checked sha256sum with files on another host where the files were owned by root:root and they were identical. That user is ssh jailed user, I initially suspected jailkit had something to do here. But those files are not the same that are in that users jail directories. I suppose I have to install a new server from scatch, and put tripwire there first thing.
Is this really the /usr system directory or is it just the /usr directory of a website (when it contains a jailed user or cronjob)? Is it possible that you or someone else with root permissions worked on the site web179 ? I won't think that it's a hack, looks more like a fatal chown error.
It is the real /usr. If all the files were web179:client90 I would believe some mistyped chown, but there seems to be no pattern to the changed files.
