Upgrading Ubuntu 17.04 to 17.10 uninstalled some essential php Apache module and my webserver ended up serving PHP files as regular text (ie. with all the “<?php” tags) the whole night. Now, I can presume some ‘GET /nextcloud/config/config.php’ may have aroused a passing by hackbot’s desire.
My installation is in /var/www/html/nextcloud, my data folder is in /private_html.
- how much does it suck? how can it be exploited?
- what must be changed ASAP?
dbuser
,dbpassword
: I get it (even though MariaDB is listening localhost only). What aboutsecret
,updater.secret
(not in the documentation),salt
? and HOW do you change these without spoiling the currently stored passwords and stuff? - how can you folder Apache2 a bit to avoid any such situation? more specifically: I dont want to have to shut down Apache; upgrade Ubuntu; check if
whateverphpmodule
are still doing their job; restart Apache, as my new upgrade routine. I want to upgrade, notice “it’s not working”, and fix it then, without worrying about my mom’s birthday falling in the Internet’s sticky hands. - hi mom