Check to see if user is allowed to login to begin with. If not, they probably shouldn't be running those interactive commands you're investigating.
www-data user
Some web servers run as www-data. Web content should not be owned by this user, or a compromised web server would be able to rewrite a web site. Data written out by web servers will be owned by www-data.