Originally posted by unSpawn
The files are nearly the same like the "/usr/lib/cracklib_dict.*"-files.
Those hwm, pwd and pwi files can be the result of making dictionaries for cracking password (purpose good or bad).
What services run on the box? What version are they (IOW, are they patched)? Are they publicly accessable? Did you shut down all publicly accessable services while "investigating"? Did you check auth files, system, login and daemon logs for events before, at and after the modification or creation time of these files? Users shell history? Who owns these files? What access rights do they have? Any setuid root binaries around look strange? Anything else on the system that "doesn't feel right" or behaves "strange"?
Sorry, I forgot.
The files are owned by root and have 644 rights.
You are completely right.
They are dictionaries of Cracklib. I found it later yesterday.
But they will be not used (no newer access times (ls- l --time=access)). It was an accidentely compiling of cracklib and (because it is long ago) I don't know why I did it and why I did not delete the files. I checked the usage of the files an deleted them yesterday evening.
The system feels o.k. No other signs of strange things. Really. I read books and forums and check the server logs daily.
In the last weeks we have problem with the stability but(!) we have much more web accesses (4 times more) AND much more spam (3 times more) (spamassassin need much RAM) on the server.
And 512 MB RAM are not enough at the moment. So in special situation the server freezes because of memory problems.
So I see in the logs only shortly before freezing httpd processes with killed because of memory problem.
Then the other services die slowly, around in 30 minutes.
I changed settings for less apache, MySQL and SpamAssassin resources (not easy). Now it ist better but not good.
Thanks for helping!