Apache owner changed

Discussion in 'ISPConfig 3 Priority Support' started by 3arh, Jan 27, 2017.

  1. 3arh

    3arh New Member HowtoForge Supporter

    Hi,

    File owner on one site was changed to something like 1008 clientXX . All files on a site were affected, but other sites are ok. I have ispconfig v 3.0.5.4p9.
    How is it possible , that the owner of files on a website in ispconfig webserver was changed, from webXXX to 1008 , group stayed the same.
    It looks like an attack, but I can't find any funny log entries.

    Thank you and best regards.
     
  2. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Seems, that there is the user for the id 1008 missing in /etc/passwd or you have multiple entries for this id
     
  3. 3arh

    3arh New Member HowtoForge Supporter

    Hi,
    more /etc/passwd |grep 1008
    web409:x:1012:1008::/var/www/clients/client84/web409:/bin/false
    web415:x:1015:1008::/var/www/clients/client84/web415:/bin/false
    web386:x:1034:1008::/var/www/clients/client84/web386:/bin/false
    multiple entries ...
    it happend when the site was hacked, I want to prohibit future actions like this... so what can I do that a web user can not change permissions on a site files

    Thank you .

    Tomaz
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The 1008 here is the group 1008 and not a user with that ID.

    A web server process can not set the user ID to an ID that differs from the web user. So either the user with ID 1008 is missing now and existed before or the file was placed there by the root user. Are you really sure that this fle was placed by a hack on this system? Maybe the file was in a tar archive that you unpacked as root on the server and you might noticed it just now, as this would explain a non existing UID.
     

Share This Page