Linux WebShells
Last updated
What’s different between /bin/false and /sbin/nologin as nologin user’s shell – The Geek DiaryLast updated
Check to see if user is allowed to login to begin with. If not, they probably shouldn't be running those interactive commands you're investigating.
Some web servers run as www-data. Web content should not be owned by this user, or a compromised web server would be able to rewrite a web site. Data written out by web servers will be owned by www-data.