Apache exposed my installation files (including config.php). What should be done?

Upgrading Ubuntu 17.04 to 17.10 uninstalled some essential PHP Apache module and my webserver ended up serving PHP files as regular text (i.e. with all the “<?php” tags) the whole night. Now, I can presume some ‘GET /nextcloud/config/config.php’ may have aroused a passing by hackbot’s desire.

My installation is in /var/www/html/nextcloud, my data folder is in /private_html.

  1. how much does it suck? how can it be exploited?
  2. what must be changed ASAP? dbuser, dbpassword: I get it (even though MariaDB is listening localhost only). What about secret, updater.secret (not in the documentation), salt? and HOW do you change these without spoiling the currently stored passwords and stuff?
  3. how can you folder Apache2 a bit to avoid any such situation? more specifically: I don't want to have to shut down Apache; upgrade Ubuntu; check if whateverphpmodule are still doing their job; restart Apache, as my new upgrade routine. I want to upgrade, notice “it’s not working”, and fix it then, without worrying about my mom’s birthday falling in the Internet’s sticky hands.
  4. hi mom :heart:
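
Whether `config.php` was actually fetched as text during the outage can be checked against the Apache access log before deciding what to rotate. The following is an added example, not part of the original post: the helper name `find_disclosures`, the sample log lines and the time window are constructed, and it assumes the default "combined" log format.

```python
import posixpath
import re
from datetime import datetime
from urllib.parse import unquote

# Prefix shared by Apache's "common" and "combined" log formats.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
SENSITIVE = "/nextcloud/config/config.php"  # URL path from the post

def find_disclosures(lines, start, end, sensitive=SENSITIVE):
    """Hypothetical helper: requests for `sensitive` inside [start, end]
    that were answered 200 with a non-empty body."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        when = datetime.strptime(m["time"], TIME_FMT)
        # Drop the query string, decode %xx, collapse "//" and "/./" variants.
        raw = unquote(m["target"].split("?", 1)[0])
        path = posixpath.normpath(re.sub(r"/+", "/", raw))
        # Assumption: an executed config.php prints nothing, so %b logs "-";
        # a body on a 200 means the file's text went out.
        size = 0 if m["size"] == "-" else int(m["size"])
        if start <= when <= end and path == sensitive \
                and m["status"] == "200" and size > 0:
            hits.append((m["host"], when.isoformat(), size))
    return hits

# Constructed sample lines (documentation IP ranges, invented times and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Oct/2017:18:00:00 +0200] "GET /nextcloud/config/config.php HTTP/1.1" 200 - "-" "-"',
    '203.0.113.7 - - [20/Oct/2017:02:14:09 +0200] "GET /nextcloud/config/config.php HTTP/1.1" 200 1187 "-" "curl/7.55.1"',
    '198.51.100.4 - - [20/Oct/2017:03:01:55 +0200] "GET /nextcloud//config/./config.php?x=1 HTTP/1.1" 200 1187 "-" "-"',
    '192.0.2.10 - - [20/Oct/2017:04:00:00 +0200] "GET /nextcloud/index.php HTTP/1.1" 200 5230 "-" "-"',
    '203.0.113.9 - - [20/Oct/2017:05:30:00 +0200] "GET /nextcloud/config/config.php HTTP/1.1" 403 291 "-" "-"',
]
WINDOW = (datetime.fromisoformat("2017-10-19T22:00:00+02:00"),
          datetime.fromisoformat("2017-10-20T08:00:00+02:00"))

if __name__ == "__main__":
    for hit in find_disclosures(SAMPLE_LOG, *WINDOW):
        print(hit)
```

On Ubuntu the lines to feed in normally come from `/var/log/apache2/access.log` and its rotated copies; any hit means the values in `config.php` should be treated as disclosed.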