Linux WebShells

Linux Log Locations

How do I find Apache http server log files?Code A Site Blog

Check User Login Privileges

What’s different between /bin/false and /sbin/nologin as nologin user’s shell – The Geek Diary

NoLogin Difference

Check to see if user is allowed to login to begin with. If not, they probably shouldn't be running those interactive commands you're investigating.

www-data user

Some web servers run as www-data. Web content should not be owned by this user, or a compromised web server would be able to rewrite a web site. Data written out by web servers will be owned by www-data.