Just as the title says, we have a website that uses third-party SMTP credentials to send emails, but we keep getting our SMTP credentials hacked and used to send spam emails, which results in our SMTP account suspension. We first used SES, and then figured that we need to add SPF, DKIM and DMARC. After we added them, we moved to SendGrid and got hacked again. Teammates think it is because of a weak password to access SendGrid, but I do not think so, because the password test says it is strong and requires 2 thousand years to crack. We do not really know the problem. We are using Laravel 7 for our website; how is the hacker able to access the .env file?
Help, please.
Are you using nginx? I had the same issue. Following the tip of @PetrChloupek, I analysed the access logs (/var/log/nginx/access.log) and found out that sometimes an agent could get a 200 out of "/.env". It turned out that the nginx configuration was such that when using just the IP (e.g. 12.244.21.21 instead of "mywebsite.com") the malicious agent hit /var/www/html and not the public folder, as specified in the nginx conf file, since this dealt only with the specified host (e.g. "mywebsite.com").
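A quick way to run the log check this answer describes, as an added example (not the poster's own script): it scans nginx's default "combined" access-log format for successful (2xx) responses to any /.env path, over a few constructed sample lines.

```shell
#!/bin/sh
# Constructed sample lines in nginx "combined" log format (not real traffic).
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2021:02:14:09 +0000] "GET /.env HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:02:14:10 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2021:02:15:01 +0000] "POST / HTTP/1.1" 405 0 "-" "curl/7.68.0"
203.0.113.9 - - [10/Mar/2021:02:16:33 +0000] "GET /index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:02:17:02 +0000] "GET /.env.bak HTTP/1.1" 200 590 "-" "python-requests/2.25"'

# Print every line where a path beginning with /.env was served with a 2xx
# status, i.e. the web root exposed something that should never be reachable.
# Takes the log content as its first argument (use "$(cat /var/log/nginx/access.log)").
env_exposures() {
    printf '%s\n' "$1" | awk '
        {
            # In the combined format $7 is the request path and $9 the status code.
            path = $7; status = $9
            if (path ~ /^\/\.env/ && status ~ /^2/) print $0
        }'
}

# Number of such lines; 0 means this log holds no evidence of exposure.
count_env_exposures() {
    env_exposures "$1" | awk 'END { print NR }'
}

# Stand-alone run over the constructed sample: prints the two exposed requests.
env_exposures "$SAMPLE_LOG"
echo "exposures: $(count_env_exposures "$SAMPLE_LOG")"
```

A non-zero count is the signal to check which server block answers requests that carry a bare IP or unknown Host header, and where that block's root points.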
There is a known issue with developers leaving
APP_DEBUG = true
on live systems; this means you can trigger a debug page output that contains the .env keys and values. https://www.mailgun.com/blog/a-word-of-caution-for-laravel-developers/
An easy way to trigger the issue, if vulnerable, is to make an unsupported request, e.g. a POST / PUT request to a known GET route such as the site index '/'. In cases where DEBUG is set to true, this will output all the environment variables.