I was trying to "google hack" my site to see what happened (I recently read about it). I googled for site:www.x.com intitle:"index of" "server at" + db and found a .inc file in the three directory.
<?php
class clsSettings
{
    var $site = "localhost";
    var $sitedb = "x";
    var $siteuser = "x";
    var $sitepass = "x";
} /* settings */
?>
Can someone access my database from outside my server?
Should I be worried about this sensitive info exposure?
Note: I removed sensitive info with Xs.
That's why you don't name your PHP files anything other than .php. You can configure the server to parse .inc files, or any file extension, as PHP if you wanted, but this isn't a common configuration, especially on shared servers.
If you can see the contents of your files that contain your password, then so can the rest of the world. Also, Aziz's comment about changing robots.txt does not help you at all. In fact, you can call attention to the things you are hiding this way, as anyone trying to get into your site won't follow the rules within robots.txt.
It is also common to not allow automatic directory indexing, unless you need it for some specific reason.
I trust you fixed this issue by renaming the file extension to .php.
Execute this command with a new password on your server (i.e. through SSH):
mysqladmin -u root -p'oldpassword' password newpass
Then change the password of all the referenced PHP files.
Also you may want to create a "Robot trap" to stop bots that do not follow your robots.txt file, see http://www.fleiner.com/bots/#trap for more info. However, note that this is a weak protection measure.
Also you can add this to your .htaccess in the WWW root to stop directory listings:
Options -Indexes