Ask HN: My web app was hacked today – Bad experiences and how to prevent them?
After 5 hours I was able to rebuild my DB, but unluckily I lost all my historical data within my 400+ users data among them.
Of course, there are some lessons learned about it:
Don't forget to set up regular backups. I know, I was really silly for not doing it, but I never thought that someone would hack my insignificant website. So, stop what you are doing, and go and set up some way to back up your DBs and significant files at least once a day. Some providers offer it for a few extra bucks a month. Don't be like me, maybe your product is not generating thousands of dollars and you think that no one will waste his time hacking your site, but remember that is important for you and that's is enough.
After looking into how that could happen, I realized that I pushed to my server my .env file with all the database credentials in it, which Is pretty simple access to it especially if you use Laravel. I found out that is a pretty common mistake, If you google DB_USERNAME filetype:env you will find thousands of Laravel env files exposed Therefore, remember to actually set your variables from the .env file as environmental variables in your server and destroy any .env file that is around there.
For sure there are more lessons to learn about this, but I realized that I Would like to hear if some of you have had bad experiences like this one, and what do you recommend to prevent them?.
Cheers, Nico
49 comments
[ 4.9 ms ] story [ 117 ms ] threadSmall things like this are one of the reasons I founded the PHP hosting platform, Amezmo where secure production ready container instances can be launched in seconds.
Mistakes like this happen, but it takes courage to post about it. Thanks for sharing it.
Laravel is a great framework, check out Laracasts.com and forge.laravel.com, it's a deployment tool that will spin up a VPS on AWS, Digital Ocean, etc. with the proper configuration.
Is there an automated strategy that protects against slipups like this?
For similar reasons I use a cloud backup for home PC files that just syncs it all up. When I was doing it manually it was a once a year affair because: too busy!
You don't really need server backups/images if you document/script your server setup properly.
Top hit on Google for how to setup a SSH tunnel for MySQL: https://linuxize.com/post/mysql-ssh-tunnel/
If your database is open to 127.0.0.1/{8,24,32}, it is open only to the local host; that is the non-routable localhost address and it's not accessible to the internet.
If your database is open to 0.0.0.0/0, it is open to the internet and anyone can attempt login. This is bad. Presumably you also still need a password, but never assume. Always have defense in depth - at least two things need to go wrong/be wrong before you're compromised.
Tried going to clientsite.com/api/.env on a whim, and leapt out of bed.
404 - GET /admin/.git/config 404 - GET /shop/.git/config 404 - GET /beta/.git/config etc..
or adhoc backups using the current date -- stuff that you think nobody would even try.
404 - GET /2020-02-27.zip 404 - GET /backup20200227.zip 404 - GET /backup.zip etc...
No webserver should be serving .folders in it's default config.
Good. Perhaps more people will learn how to properly configure/ deploy their servers and apps.
I would recommend you get familiar with OWASP, and especially the 'top ten' security issues that they publish. See https://owasp.org/www-project-top-ten/
Sorry it happened to you, but it’s a good lesson learned. Better luck in the future.
I had a side project compromised through some supplementary php files that came with a javascript library. Luckily, i didn't have any users on it.
Keep everything up to date, including your server software, composer, javascript libraries etc.
Make sure you run a clamav on linux, it will catch any intrusion writing scammy files and rename them.
All passwords unique and made using a password generator. That way, if you are compromised it is only one password not the keys to everything.
Don't keep non-user stuff with predictable uri (like /admin/ /phpmyadmin/ etc.)
One-way backups.. Allow your backup server behind a firewall to login to your site and do hourly backups of all the data.
Disallow access to any files beginning with dot in your webserver configuration. I'm pretty sure nginx does this by default.
https://www.novochem.net/.env
Laravel should not even render this .env file by default, way too many results.
Laravel has no github issues, so I don't know how to let the author know. https://github.com/laravel/laravel Someone ping him on twitter
Afaik PHP is not the webserver.