@iAugur
Last active October 6, 2021 03:04
Active Exploits001: Prospecting for sensitive files
# Examples of real attempts to access sensitive files and backups
/sites/default/settings
/sites/default/settings.php~
/sites/default/settings.php.txt
/sites/default/settings.php.old
/sites/default/settings.php_old
/sites/default/settings.php-old
/sites/default/settings.php.save
/sites/default/settings.php.swp
/sites/default/settings.php.swo
/sites/default/settings.php_bak
/sites/default/settings.php-bak
/sites/default/settings.php.original
/sites/default/settings.php.orig
/sites/default/settings.php.bak
/sites/default/settings.save
/sites/default/settings.old
/sites/default/settings.bak
/sites/default/settings.orig
/sites/default/settings.original
/sites/default/settings.txt
# Block access to directories without a default document.
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
# Block access to all hidden files and directories with the exception of
# the visible content from within the `/.well-known/` hidden directory.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
</IfModule>
/CHANGELOG.txt
/.bash_profile
/.bashrc
/.db_config
/.default
/.logs
/.old
/.private
/.queries
/.query
/.secret
/.sql
/.temp
/.git
/phpinfo.php
/pinfo.php
/info.php
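The probe paths above are what the same requests look like in an access log. The script below is an added example, not part of the original gist: it tags each request that asks for an editor or backup copy, a dot-file outside `/.well-known/`, a phpinfo-style script or `CHANGELOG.txt`, and counts hits per client so that a scanner working down the list stands out. The log lines are constructed for the example and use documentation addresses.

```python
"""Flag access-log requests that prospect for backup copies, dot-files and
phpinfo scripts (the kind of paths listed above).

Added example, not part of the original gist.  The log lines are constructed
and use RFC 5737 documentation addresses.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache/Nginx "combined" format: host ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Editor/backup suffixes from the probe list: settings.php~, .bak, _old, -bak, .swp, ...
BACKUP_SUFFIX_RE = re.compile(
    r'(~|[._-](bak|old|orig|original|save|swp|swo|sql|tar|tgz|gz|zip))$', re.IGNORECASE)
# A path segment beginning with '.', excluding the /.well-known/ tree
HIDDEN_RE = re.compile(r'(^|/)\.(?!well-known/)[^/]+')
# phpinfo-style scripts: /phpinfo.php, /pinfo.php, /info.php
INFO_RE = re.compile(r'/(php|p)?info\.php$', re.IGNORECASE)


def classify(target):
    """Return a tag for a request target, or None when it looks benign."""
    path = urlsplit(target).path          # drop the query string
    if HIDDEN_RE.search(path):
        return "hidden-file"
    if INFO_RE.search(path):
        return "phpinfo"
    if BACKUP_SUFFIX_RE.search(path):
        return "backup-file"
    if path.endswith("/CHANGELOG.txt"):   # Drupal version disclosure
        return "version-file"
    return None


def scan(lines):
    """Return {client_ip: Counter(tag -> hits)} for clients that probed."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip malformed lines rather than crash
        tag = classify(m.group("target"))
        if tag:
            hits[m.group("ip")][tag] += 1
    return dict(hits)


# Constructed sample: one scanner working through the list, two ordinary visitors.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2021:03:01:10 +0000] "GET /sites/default/settings.php.bak HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Oct/2021:03:01:11 +0000] "GET /sites/default/settings.php~ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Oct/2021:03:01:12 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Oct/2021:03:01:13 +0000] "GET /phpinfo.php HTTP/1.1" 404 199 "-" "Mozilla/5.0"
198.51.100.2 - - [06/Oct/2021:03:02:00 +0000] "GET /index.php?q=node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [06/Oct/2021:03:02:01 +0000] "GET /.well-known/acme-challenge/abc123 HTTP/1.1" 200 87 "-" "-"
198.51.100.2 - - [06/Oct/2021:03:02:02 +0000] "GET /robots.txt HTTP/1.1" 200 41 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Oct/2021:03:03:00 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 9000 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG.splitlines()).items():
        print(ip, dict(counts))
```

Run against a real log with `scan(open("access.log"))`; a client with several tags in one minute is almost always a scanner, and the 200 on `/CHANGELOG.txt` in the sample is the kind of hit that tells you a rule below is missing or not yet deployed.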
# deny access to files by extension: Drupal source/config extensions, editor and
# backup copies of them, dot-files, CVS metadata, and editor/backup copies of .php files
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
# Apache ≥ 2.3
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</FilesMatch>
# deny access to .txt and .php files other than robots.txt, xxrobots.txt, index.php and channel.php
# FilesMatch is a PCRE search on the basename; the allowed names are carved out with
# negative lookaheads ([^(index|channel)] would be a negated character class, not a negated group)
<FilesMatch "^(?!(xxrobots|robots)\.txt$)(?!(index|channel)\.php$).*\.(txt|php)$">
# requests from the listed IPs, or from an authenticated user, are still allowed
AuthType Basic
AuthName "Restricted"
AuthUserFile /path/to/passwdfile
AuthGroupFile /path/to/.htpasswds/groupfile
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
Allow from {your-static-ip}
Allow from 127.0.0.1
Require valid-user
Satisfy Any
</IfModule>
# Apache ≥ 2.3
<IfModule mod_authz_core.c>
<RequireAny>
Require ip {your-static-ip}
Require ip 127.0.0.1
# valid-user admits any authenticated user; drop it to restrict access to the group
Require valid-user
Require group {your secure group}
</RequireAny>
</IfModule>
</FilesMatch>
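Both FilesMatch rules can be dry-run before they reach the server: Apache evaluates `<FilesMatch>` with PCRE against the file's basename, and these patterns use only syntax that Python's `re` shares with PCRE. The check below is an added example, not part of the original gist. It applies the extension rule and a lookahead form of the .txt/.php rule to the basenames of the probes listed above, reports which probes neither rule catches, and keeps the character-class form of the .txt/.php rule alongside for comparison; the probe names come from the list above, and `lance.php` and `boss.txt` are constructed.

```python
"""Dry-run the two FilesMatch patterns above against candidate basenames.

Added example, not part of the original gist.  Apache evaluates <FilesMatch>
with PCRE against the file's basename; these patterns use only syntax that
Python's re module shares with PCRE, so the same regex can be tested here
before it is deployed.  Candidate names are taken from the probe list above
plus a few constructed ones.
"""
import re

# Extension rule: each editor/backup suffix is its own alternative
# (note the '|' between \.orig and \.save in the trailing .php group).
EXTENSION_DENY = re.compile(
    r"\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme"
    r"|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$"
    r"|^(\..*|Entries.*|Repository|Root|Tag|Template)$"
    r"|^#.*#$"
    r"|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$"
)

# .txt/.php rule with negative lookaheads: deny every .txt and .php basename
# except robots.txt, xxrobots.txt, index.php and channel.php.
TXT_PHP_DENY = re.compile(
    r"^(?!(xxrobots|robots)\.txt$)(?!(index|channel)\.php$).*\.(txt|php)$")

# Character-class variant kept for comparison: [^(index|channel)] is a negated
# character class (any single char other than ( i n d e x | c h a l ) ), not a
# negated group, so names spelled only from those characters slip through.
TXT_PHP_CHARCLASS = re.compile(
    r"([^(xxrobots|robots)].*\.txt|[^(index|channel)].*\.php)$")


def denied_by(name, txt_php=TXT_PHP_DENY):
    """Names of the rules that would return 403 for a request for `name`."""
    rules = []
    if EXTENSION_DENY.search(name):
        rules.append("extension")
    if txt_php.search(name):
        rules.append("txt-php")
    return rules


def is_denied(name, txt_php=TXT_PHP_DENY):
    return bool(denied_by(name, txt_php))


# Basenames of the probes listed above.
PROBES = [
    "settings", "settings.php~", "settings.php.txt", "settings.php.old",
    "settings.php_old", "settings.php-old", "settings.php.save",
    "settings.php.swp", "settings.php.swo", "settings.php_bak",
    "settings.php-bak", "settings.php.original", "settings.php.orig",
    "settings.php.bak", "settings.save", "settings.old", "settings.bak",
    "settings.orig", "settings.original", "settings.txt", "CHANGELOG.txt",
    ".bash_profile", ".bashrc", ".db_config", ".git", "phpinfo.php",
    "pinfo.php", "info.php",
]

# Names that must stay reachable, plus constructed names spelled only with
# characters from the two character classes above.
MUST_SERVE = ["index.php", "channel.php", "robots.txt", "xxrobots.txt"]
CONSTRUCTED = ["lance.php", "boss.txt"]


def uncovered_probes():
    """Probes from the list that neither rule denies (candidates for a RewriteRule)."""
    return [p for p in PROBES if not is_denied(p)]


def charclass_gaps():
    """Names the lookahead rule denies but the character-class rule lets through."""
    return [n for n in PROBES + MUST_SERVE + CONSTRUCTED
            if TXT_PHP_DENY.search(n) and not TXT_PHP_CHARCLASS.search(n)]


if __name__ == "__main__":
    print("not covered by either rule:", uncovered_probes())
    print("served by the character-class variant:", charclass_gaps())
    print("still reachable:", [n for n in MUST_SERVE if not is_denied(n)])
```

The uncovered list is the useful output: `settings.php_old`, `settings.php-bak`, `settings.php.original` and the extension-less `settings.*` copies from the probe list match neither rule, so they need a RewriteRule or a broader suffix list of their own, and the two constructed names show that the character-class form only excluded `index.php` and `robots.txt` by coincidence of spelling.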