Have you received this email?
Hello, My name is Charles Bourasseau, and I'm an independent IT security expert. I noticed a security issue on your website http://example.org. I was able to access a lot of files that contain sensitive data. I attached a screenshot of the files I found to this email. I am sorry to be the bearer of bad news, and I would be happy to share more information immediately, so that your team may fix this, can you please put me in touch with the right person to speak to about this? For complete transparency, I'd like to share with you that my work is based on bug bounty programs and financial rewards in exchange for security advice. This email is personal and in no way related to any of my employers. I'm on standby to help you resolve this as quick as possible, I look forward to hearing from you. Best Regards, Charles Bourasseau
It’s more than a bit shady – and my colleague Mathieu Lutfy did a great write-up of the issue on his blog.
If you’re using Icinga2, here’s an easy way to see if you have a git repository in your website’s root exposed. Add this service check:
# If this returns HTTP 200, you have a problem. You want HTTP 4xx.
apply Service "Exposed Git: " for (http_vhost => config in host.vars.http_vhosts) {
import "generic-service"
check_command = "http"
vars.http_vhost = config.http_vhost
vars.http_ssl = config.http_ssl
vars.http_uri = "/.git/config"
vars.http_expect = "HTTP/1.1 4"
}
This presumes your hosts define multiple vhosts per host in a format like:
vars.http_vhosts["www.megaphonetech.com"] = {
http_uri = "/"
http_ssl = true
http_vhost = "www.megaphonetech.com"
http_expect = "HTTP/1.1 200 OK"
cms = "wordpress"
}