Linux WebShells
Linux Log Locations
Check User Login Privileges
Check to see if user is allowed to login to begin with. If not, they probably shouldn't be running those interactive commands you're investigating.
www-data user
Some web servers run as www-data. Web content should not be owned by this user, or a compromised web server would be able to rewrite a web site. Data written out by web servers will be owned by www-data.
Last updated