
I was trying to "google hack" my site to see what happened (I recently read about it). I googled for site:www.x.com intitle:"index of" "server at" + db,

and found a .inc file in the tree directory.

<?php 
    class clsSettings
    { 
        var $site   = "localhost"; 
        var $sitedb = "x"; 
        var $siteuser = "x"; 
        var $sitepass     = "x";
    } /* settings */
?>

Can someone access my database from outside my server?

Should I be worried about this sensitive info exposure?

Note: I removed sensitive info with Xs.

Sam
Yim
  • Yes. Exposing such information increases the risk to your website. And yes, you can tell Google to stop indexing certain pages/paths using the robots.txt file (http://support.google.com/webmasters/bin/answer.py?hl=en&answer=156449), but you should prevent access to this information from the server itself. – Aziz Apr 22 '12 at 17:16
  • possible duplicate of [Storing script files outside web root](http://stackoverflow.com/questions/3034474/storing-script-files-outside-web-root) – cmbuckley Apr 22 '12 at 17:18
  • @Aziz but can someone login to my DB? – Yim Apr 22 '12 at 17:18
  • Those files should be stored outside of your document root so they're not publicly accessible – John Conde Apr 22 '12 at 17:18
  • @Yim: it depends on many factors, but exposing your password will increase the risk significantly. – Aziz Apr 22 '12 at 17:19

2 Answers

That's why you don't name your PHP files anything other than .php. You can configure the server to parse .inc files, or any file extension, as PHP if you wanted, but this isn't a common configuration, especially on shared servers.

If you can see the contents of your files that contain your password, then so can the rest of the world. Also, Aziz's comment about changing robots.txt does not help you at all. In fact, you can call attention to the things you are hiding this way, as anyone trying to get into your site won't follow the rules within robots.txt.

It is also common to not allow automatic directory indexing, unless you need it for some specific reason.

Brad
  • well, robots.txt does prevent google from indexing it (assuming google indexers respect robots.txt), but I agree, that is not the solution to the security problem that he has. thanks. (+1) – Aziz Apr 22 '12 at 17:21

I trust you fixed this issue by renaming the file extension to .php.

Execute this command with a new password on your server (i.e. through SSH):

mysqladmin -u root -p'oldpassword' password 'newpass'

Then change the password in all the referenced PHP files.

Also you may want to create a "Robot trap" to stop bots that do not follow your robots.txt file, see http://www.fleiner.com/bots/#trap for more info. However, note that this is a weak protection measure.

Also you can add this to your .htaccess in the WWW root to stop directory listings:

Options -Indexes
mjsa
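As an added example that is not part of either answer or of the asker's code: a small POSIX shell audit covering the points both answers make, Brad's (PHP source stored under a non-.php extension such as .inc is served as plain text, and directory indexing should be off) and mjsa's (`Options -Indexes` in the root .htaccess). It assumes Apache with .htaccess overrides enabled and the Apache 2.4 `Require all denied` syntax (Apache 2.2 would use `Deny from all`); the function names and the sample tree are constructed for the demo and do not come from the page.

```shell
#!/bin/sh
# Added example (not from the original answers). Audits a document root for:
#  1. files containing PHP source that do not end in .php (served as text),
#  2. directory listings left enabled (no "Options -Indexes" in .htaccess),
# and can write a hardened .htaccess. Apache 2.4 "Require" syntax is assumed.

# find_exposed_php DOCROOT: print every non-.php file containing a PHP open tag.
find_exposed_php() {
    docroot="$1"
    find "$docroot" -type f ! -name '*.php' -print 2>/dev/null |
    while IFS= read -r f; do
        if grep -q '<?php' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# count_exposed DOCROOT: number of such files (0 means nothing left to fix).
count_exposed() {
    find_exposed_php "$1" | wc -l | tr -d ' '
}

# has_indexes_disabled DOCROOT: success if the root .htaccess turns indexing off.
has_indexes_disabled() {
    ht="$1/.htaccess"
    [ -f "$ht" ] && grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$ht"
}

# has_inc_denied DOCROOT: success if the root .htaccess refuses to serve *.inc.
has_inc_denied() {
    ht="$1/.htaccess"
    [ -f "$ht" ] && grep -q 'FilesMatch' "$ht" && grep -q '\.inc' "$ht" \
        && grep -Eq 'Require all denied|Deny from all' "$ht"
}

# write_hardened_htaccess DOCROOT: disable listings and block *.inc outright.
# This is a stop-gap; the real fix is renaming to .php or moving the file
# outside the document root, as the answers above say.
write_hardened_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Never list directory contents
Options -Indexes
# .inc files are source, not content: refuse to serve them at all (Apache 2.4)
<FilesMatch "\.inc$">
    Require all denied
</FilesMatch>
EOF
}

# make_sample_tree DIR: constructed fixture mirroring the question's layout.
make_sample_tree() {
    mkdir -p "$1/inc" "$1/css"
    cat > "$1/inc/settings.inc" <<'EOF'
<?php
class clsSettings { var $site = "localhost"; var $sitepass = "x"; }
?>
EOF
    printf '<?php\ninclude "inc/settings.inc";\necho "ok";\n' > "$1/index.php"
    printf 'body { margin: 0; }\n' > "$1/css/style.css"
}

# Demo on a throwaway tree.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
echo "Exposed source files: $(count_exposed "$demo_root")"
find_exposed_php "$demo_root"
write_hardened_htaccess "$demo_root"
has_indexes_disabled "$demo_root" && echo "Directory listing: disabled"
has_inc_denied "$demo_root" && echo ".inc access: denied by .htaccess"
echo "Still rename settings.inc to .php or move it outside the document root."
rm -rf "$demo_root"
```

Run it against a real document root by replacing the demo section with `find_exposed_php /var/www/html`; anything it prints is source that a browser would receive verbatim, exactly as the asker saw via Google. Note that the .htaccess rules only take effect if `AllowOverride` permits them, which is worth verifying with a direct request to the .inc URL after the change.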