I am using an NGINX server to host a static website exposed to the open internet. While glancing through the access logs I came across a cluster of requests for resources ending with .env, e.g.:

"GET /bedesk1.1/.env HTTP/1.1"
"GET /test/bedesk1.1/.env HTTP/1.1"
"GET /.env HTTP/1.1"
"GET /.env.local HTTP/1.1"
"GET /database/.env HTTP/1.1"
"GET /public/.env HTTP/1.1"
"GET /admin/.env HTTP/1.1"
"GET /api/.env HTTP/1.1"
"GET /API/.env HTTP/1.1"
"GET /blog/.env HTTP/1.1"
"GET /.env.backup HTTP/1.1"
"GET /.env.save HTTP/1.1"
"GET /app/.env HTTP/1.1"
"GET /dev/.env HTTP/1.1"
"GET /env/.env HTTP/1.1"
"GET /core/.env HTTP/1.1"

I assume this is a scripted web-crawler looking for .env files in commonly used resource paths.

  • Does anybody have any ideas what they were looking for?
  • What would they hope to do with that information if they had found it?
  • Under what circumstances would those resources actually exist and be accessible from the web?

1 Answer

They were looking for .env files, commonly holding environment variables used in e.g. Docker deployments. Such files typically contain credentials for databases and so forth, and would thus be of great interest to any attacker.

Such files should normally NOT be accessible from the web, but misconfigurations happen all the time...
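As an added example (not part of the question or the answer above), here is a small Python script that parses NGINX combined-format access log lines, flags requests for `.env`-style paths like the ones quoted in the question, and groups them per client IP, calling out any that were actually answered with a 2xx status. The log lines are constructed and the IPs come from documentation ranges.

```python
import re
from collections import defaultdict

# NGINX "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Final path component is ".env" or ".env.<suffix>" (.env.local, .env.backup, ...)
ENV_PROBE_RE = re.compile(r'(^|/)\.env(\.[^/?]*)?$')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip it
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def is_env_probe(path):
    return ENV_PROBE_RE.search(path) is not None

def summarize(lines):
    """Count .env probes per client; record paths answered 2xx (file was served)."""
    report = defaultdict(lambda: {"probes": 0, "served": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_env_probe(rec["path"]):
            continue
        entry = report[rec["ip"]]
        entry["probes"] += 1
        if 200 <= rec["status"] < 300:
            entry["served"].append(rec["path"])
    return dict(report)

# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /.env.backup HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:12:00:05 +0000] "GET /app/.env HTTP/1.1" 200 512 "-" "curl/8.0"',
    '192.0.2.33 - - [10/Mar/2024:12:00:09 +0000] "GET /environment/info HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A 404 on every probe means the scanner found nothing; any entry with a non-empty `served` list is the case the answer warns about and should be investigated immediately.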
