hard link backup failed

[tincboy]

Hello,

Today I got this error on daily backups: "The following hard links have been found"
I can see one of my new users have files in his public_html with names like "etc/passwd etc/quota ..." but all files are empty.
Is he trying to hack the server's passwords?
Is my DirectAdmin safe now?
What should I do to prevent this kind of attacks?

 

[scsi]

It seems like he was trying to create links to system files. Either he has an infected site or he did it deliberately.

 

[tincboy]

How can I secure the server in front of this king of attacks?

 

[nobaloney]

Standard DirectAdmin servers are already protected; that's why the files are empty. If you believe our client is trying to compromise your server, then cancel his account.

If you're not sure about him, change his password but don't send him the new one; if he's attempting to compromise your server it's likely he'll go away quietly, figuring you've caught him.

Jeff