
requincreative's avatar

Laravel 8 Site Was Hacked

Hey All,

I woke up this morning to see that one of my Laravel 8 sites, hosted on Digital Ocean and managed with Forge, had been hacked and was being redirected to another site with a .xyz extension.

There were two file injections in the public folder:

index.php had been overwritten and another randomly named file had been uploaded.

I removed the offending file and replaced the default index.php file to restore the site.

I had inadvertently left my APP_DEBUG set to TRUE which has been fixed.

What else can I do to ensure that they cannot get back in?

0 likes
9 replies
requincreative's avatar

I am looking now, but admittedly I don't really know what I am looking for.

CorvS's avatar

@requincreative For starters you could check /var/log/auth.log (sudo rights required most likely). Additionally, as @tray2 suggested, check the permissions of your public folder using ls -l. You should see the permissions listed at the beginning of the list (like drwxrwxr-x).

Tray2's avatar

What happens if you do?

https://yoursite.com/.env

Do you get a 404 or do you see your env file?

Make sure you have the correct permissions on your public folder. It should not be 777.
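The checks Tray2 and CorvS describe, as an added example in shell (this is not code from the thread, from Laravel or from Forge): it audits a Laravel public/ directory for a world-writable mode, for world-writable files inside it, and for a .env file sitting in the web root, and it includes the HTTP probe for /.env that Tray2 suggests. The directory path, the site URL and the GNU stat invocation are assumptions; adapt them to your server.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits a Laravel public/ directory
# for the conditions discussed in the replies above. Paths and URLs are assumed.

# Print the octal mode of a path (GNU stat; on BSD/macOS use: stat -f '%Lp').
mode_of() {
    stat -c '%a' "$1"
}

# Return 0 if the directory is not world-writable, 1 if it is (e.g. 777).
check_public_perms() {
    dir=$1
    m=$(mode_of "$dir")
    # The last octal digit is the "other" class; bit 2 of it is write.
    other=$(printf '%s' "$m" | tail -c 1)
    case "$other" in
        2|3|6|7) echo "WARN: $dir is world-writable (mode $m)"; return 1 ;;
        *)       echo "OK: $dir mode $m"; return 0 ;;
    esac
}

# Return 0 if no regular file under the directory is world-writable, 1 otherwise.
check_no_world_writable_files() {
    dir=$1
    bad=$(find "$dir" -type f -perm -002 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "WARN: world-writable files under $dir:"; echo "$bad"; return 1
    fi
    echo "OK: no world-writable files under $dir"; return 0
}

# Return 0 if no .env file is inside the web root, 1 if one is.
check_env_not_in_webroot() {
    dir=$1
    if [ -e "$dir/.env" ]; then
        echo "WARN: $dir/.env is inside the web root"; return 1
    fi
    echo "OK: no .env under $dir"; return 0
}

# Ask the live site for /.env over HTTP; a 404 or 403 is expected, a 200 is an
# exposure. Needs network access, so it is separate from the local checks.
check_env_over_http() {
    url=$1   # e.g. https://yoursite.com (assumed)
    code=$(curl -s -o /dev/null -w '%{http_code}' "$url/.env")
    if [ "$code" = "200" ]; then
        echo "WARN: $url/.env returned 200 (exposed)"; return 1
    fi
    echo "OK: $url/.env returned $code"; return 0
}

# Run all local checks; exit status 1 if any of them fails.
audit_public() {
    dir=$1
    rc=0
    check_public_perms "$dir"            || rc=1
    check_no_world_writable_files "$dir" || rc=1
    check_env_not_in_webroot "$dir"      || rc=1
    return $rc
}

# Usage: sh audit.sh /home/forge/yoursite.com/public   (path is an assumption)
if [ -n "$1" ]; then
    audit_public "$1"
fi
```

On a Forge box the web root is normally under /home/forge/<site>/public with .env one level up; a non-zero exit from audit_public means at least one of the three conditions in the replies above still holds.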

newbie360's avatar

Nothing much to say: writing an app is easy, writing a safe app is hard ;)

Review all your code: logic, validation, the security section of the Laravel docs, every model's $fillable, .... and many, many more.

requincreative's avatar

Apparently they got all 5 Laravel Sites I have hosted on the same tenant on DO through Forge. I have cleaned them all up and changed permissions on public folder, turned APP_DEBUG = FALSE.

I see in the access log where it looks like the offending IP was from Russia:

5.188.210.227 - - [27/Jan/2021:07:56:40 +0000] "\x05\x01\x00" 400 157 "-" "-"
5.188.210.227 - - [27/Jan/2021:07:58:01 +0000] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 157 "-" "-"
5.188.210.227 - - [27/Jan/2021:07:58:57 +0000] "GET http://5.188.210.227/echo.php HTTP/1.1" 400 657 "https://www.google.com/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"

I am not sure what more to do.
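An added example (not code from the thread) that triages access-log lines of the kind quoted above. The first two request strings are a SOCKS5 greeting (\x05\x01\x00) and a SOCKS4 CONNECT to port 80 ("P" is 0x50) at 5.188.210.227, the scanner's own address; the third is an absolute-URI request, the usual way scanners test whether a server acts as an open proxy. nginx answered all three with 400, so they are scanner noise and say nothing about how the index.php was replaced. The script tags such lines, adds a check for requests to /.env (the exposure Tray2 asked about), and counts flagged requests per IP. The three log lines are the ones posted above; the 203.0.113.10 lines are constructed, and the request classification rules are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: tag suspicious nginx access-log
# lines and count them per client IP. Log format assumed: nginx "combined".

# Constructed sample log. The first three lines are quoted from the post above;
# the 203.0.113.10 lines are made up (RFC 5737 documentation range).
sample_log() {
cat <<'EOF'
5.188.210.227 - - [27/Jan/2021:07:56:40 +0000] "\x05\x01\x00" 400 157 "-" "-"
5.188.210.227 - - [27/Jan/2021:07:58:01 +0000] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 157 "-" "-"
5.188.210.227 - - [27/Jan/2021:07:58:57 +0000] "GET http://5.188.210.227/echo.php HTTP/1.1" 400 657 "https://www.google.com/" "Mozilla/5.0 (Windows NT 6.1) Chrome/70.0.3538.77"
203.0.113.10 - - [27/Jan/2021:08:00:00 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Jan/2021:08:00:05 +0000] "GET /.env HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Jan/2021:08:00:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Print "<ip> <reason> <request>" for each line that matches one of the rules.
# Reads the file given as $1, or stdin when no argument is given.
# nginx writes non-printable request bytes as \xNN, so the SOCKS rule matches
# the literal backslash-x text in the log, not raw bytes.
triage_access_log() {
    awk -F'"' '
    {
        split($1, pre, " "); ip = pre[1]          # client address
        req = $2                                   # request line between quotes
        split($3, mid, " "); status = mid[1]       # HTTP status code
        reason = ""
        if (req ~ /^\\x0[45]\\x01/)            reason = "socks-probe"
        else if (req ~ "^[A-Z]+ https?://")    reason = "open-proxy-probe"
        else if (req ~ "^[A-Z]+ /\\.env")      reason = "env-file-request"
        else if (status == 400)                reason = "malformed-request"
        if (reason != "") printf "%s %s %s\n", ip, reason, req
    }' "${1:-/dev/stdin}"
}

# Count flagged requests per IP, most active first: "<count> <ip>".
count_flags_by_ip() {
    triage_access_log "$1" | awk '{ c[$1]++ } END { for (i in c) print c[i], i }' | sort -rn
}

# Usage: sh triage.sh /var/log/nginx/yoursite.com-access.log  (path assumed)
if [ -n "$1" ]; then
    count_flags_by_ip "$1"
fi
```

A 200 for GET /.env is the line to worry about here: it means the file itself was served, so every secret in it has to be treated as read, which is the same conclusion martinbean draws below from APP_DEBUG being on.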

martinbean's avatar

What else can I do to ensure that they cannot get back in?

@requincreative If you left APP_DEBUG set to true then consider all of your environment variables compromised. That means you need to change your database credentials and rotate your API keys and other secrets immediately. Do this for everything.

Even with just, say, a Mailgun API key, an attacker can now use your Mailgun account to send spam emails, and it's going to be your domain's reputation that will be harmed when recipients start marking mails as spam en masse.

For Forge, change your account password and enable 2FA if you haven’t already. It’s good practice to use 2FA on all sites that support it, and to also use unique email address and password combinations for each site to prevent credential stuffing attacks. A lot of email services will allow you to create aliases. For example, with a Google-based account, you can add an alias with a plus symbol after the first part of your email address, so instead of using just [email protected] you can use [email protected] instead.

Next, you need to determine just how the attacker was able to actually get code on your server. So check the file permissions of all files on your server, and then check any parts of your application that handle file uploads for vulnerabilities.

Finally, depending on where in the world you are located, you may now have a legal duty to report this breach to your local authorities. Here in the UK you would need to register the breach with the ICO. A lot of other countries will have similar practices, particularly developed nations like those in the EU and North America.

4 likes
