Monitoring against the Charles Bourasseau security exploit with Icinga2

Have you received this email?


My name is Charles Bourasseau, and I'm an independent IT security expert. I
 noticed a security issue on your website

I was able to access a lot of files that contain sensitive data.
 I attached a screenshot of the files I found to this email.

I am sorry to be the bearer of bad news, and I would be happy to share more
 information immediately, so that your team may fix this, can you please put
 me in touch with the right person to speak to about this?

For complete transparency, I'd like to share with you that my work is based
 on bug bounty programs and financial rewards in exchange for security

This email is personal and in no way related to any of my employers.

I'm on standby to help you resolve this as quick as possible, I look
 forward to hearing from you.

Best Regards,
 Charles Bourasseau

It’s more than a bit shady – and my colleague Mathieu Lutfy did a great write-up of the issue on his blog.

If you’re using Icinga2, here’s an easy way to see if you have a git repository in your website’s root exposed.  Add this service check:

# If this returns HTTP 200, you have a problem. You want HTTP 4xx.
apply Service "Exposed Git: " for (http_vhost => config in host.vars.http_vhosts) {
 import "generic-service"

check_command = "http"
 vars.http_vhost = config.http_vhost
 vars.http_ssl = config.http_ssl
 vars.http_uri = "/.git/config"
 vars.http_expect = "HTTP/1.1 4"

This presumes your hosts define multiple vhosts per host in a format like:

 vars.http_vhosts[""] = { 
 http_uri = "/" 
 http_ssl = true 
 http_vhost = "" 
 http_expect = "HTTP/1.1 200 OK" 
 cms = "wordpress"