Here's what I found
- two hidden directories in /var/tmp with contents looking like phishing for bank details
- /var/lock/ttoy being pretty empty except for hidden directories
- /var/lib/apache2/fastcgi contains the following with the same timestamp as the /var/lock/ttoy above
srwxrwx--- 1 root www-data 0 Nov 11 21:22 fcgi
Should they be removed?
That last "file" is the fcgi socket that you need for the webadmin interface. It won't be of much use to a hacker since it only applies to the location of the webadmin and this is root owned (i.e. www-data cannot inject other php scripts in that location)
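The checks done by hand above (hidden entries in scratch directories, files sharing the suspect timestamp) as a small triage helper. This is an added example, not code from the thread; it builds a constructed directory tree mirroring the findings so it runs offline, and assumes GNU find/stat as shipped on Debian-based systems.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Lists dot-prefixed entries in
# a directory and finds files whose mtime equals a reference file's, which
# is how the ttoy directory and the fcgi socket were tied together above.

# list_hidden DIR: dot-prefixed entries directly under DIR, sorted.
list_hidden() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' 2>/dev/null | sort
}

# same_mtime REF DIR...: entries below the DIRs whose mtime (epoch seconds)
# equals REF's. Uses GNU "stat -c %Y" (assumption: Linux coreutils).
same_mtime() {
    ref=$1; ref_t=$(stat -c %Y "$ref"); shift
    find "$@" -mindepth 1 2>/dev/null | while read -r f; do
        [ "$f" = "$ref" ] && continue
        [ "$(stat -c %Y "$f")" = "$ref_t" ] && printf '%s\n' "$f"
    done | sort
}

# build_sample_tree ROOT: constructed layout mirroring the findings above.
# A regular file stands in for the fcgi socket. Timestamps are set last
# because creating children bumps a directory's own mtime.
build_sample_tree() {
    root=$1
    mkdir -p "$root/var/tmp/.a1" "$root/var/tmp/.b2" "$root/var/tmp/legit" \
             "$root/var/lock/ttoy/.hidden" "$root/var/lib/apache2/fastcgi"
    : > "$root/var/lib/apache2/fastcgi/fcgi"
    touch -t 201111112122 "$root/var/lock/ttoy" "$root/var/lib/apache2/fastcgi/fcgi"
    touch -t 201111102122 "$root/var/tmp/.a1" "$root/var/tmp/.b2" \
                          "$root/var/tmp/legit" "$root/var/lock/ttoy/.hidden"
}

# demo: run both checks against the constructed tree, then clean up.
demo() {
    root=$(mktemp -d)
    build_sample_tree "$root"
    echo "hidden entries in var/tmp:"; list_hidden "$root/var/tmp"
    echo "entries sharing ttoy's mtime:"
    same_mtime "$root/var/lock/ttoy" "$root/var/lib/apache2/fastcgi" "$root/var/tmp"
    rm -rf "$root"
}

case "${1:-}" in --demo) demo ;; esac
```

Run with `sh triage.sh --demo` to see it against the constructed tree; on a real box call the two functions with the actual paths instead.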
For some reason I had 11 apache2 instances running as www-data despite rebooting after applying 188.8.131.52 and having removed cron-jobs for www-data etc. After yet another reboot there are now 6 instances of apache2 running, probably mapping to the admin interface, the album, file manager, /home/web and other defaults.
That is normal for Apache. It is not related to any specific vhost instance or web folder.
... but I'm grateful for any hint on how to detect if any of these are not ok and how to locate their configuration files etc.
See previous answer.
I found that /etc/apache2/cacert.pem is updated yesterday morning.
Is that of any relevance?
That I guess would be a coincidence. It probably expired and was replaced by the update for that reason.
gonk wrote: I suppose that the updated /etc/apache2/conf.d/admin.conf is due to the 184.108.40.206 update.
The date stamp suggests so yes, but it doesn't seem changed to me. Annoyingly some of the config scripts in the webadmin have been changed, so now my alternate root is misformatted (again