by thegoleffect 2306 days ago
I don’t know for certain, not OP, but it sounds like since they pushed the env file, it may have been accessible via URI, and since it had all the credentials and host info to access the database, that’s all the attacker messed with... and that is more than enough.
1 comment

Haha, exactly, that was what happened (I guess). My mistake was not only pushing the .env file but also how I stored my Laravel files on the server, leaving everything in a public directory where everyone can access it... :Facepalm:
I usually make sure my .env files are in my .gitignore, but honestly it’s just my memory that prevents me from slipping up one day.

Is there an automated strategy that protects against slipups like this?

Use a git template for .git/info/exclude. This will make sure that every new repo you create or clone has a default exclude list. Git templates can be used for other stuff too; I use them for a pre-push hook that runs a clean build.
Put them into your global .gitignore

    # Point git at a global excludes file, then add .env to that file
    echo -e >>~/.config/git/config '[core]\n    excludesFile = ~/.config/git/gitignore'
    echo >>~/.config/git/gitignore '.env'
Laravel should/does have it ignored by default.
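The two answers above (a template directory that seeds .git/info/exclude, and a global excludes file) both rely on the ignore list alone. As an added example that is not from the thread, the script below builds a git template directory that does both halves of the job: an info/exclude that ignores .env by default, plus a pre-commit hook that refuses to commit a .env file even if someone runs `git add -f .env`. Everything runs in a throwaway temp directory, so it does not touch your real git config; the template path, repo name and the DB_PASSWORD value are constructed for the demo. To make the template the default for every `git init`/`git clone`, point `git config --global init.templateDir` at it. Note the hook is skipped by `git commit --no-verify`, so the ignore list is still the first line of defence.

```shell
#!/bin/sh
# Added example: a git template that ignores .env AND blocks committing it.
# Paths under the mktemp directory are assumptions for this demo only.

# Build a template directory usable with `git init --template=DIR`
# (or globally via `git config --global init.templateDir DIR`).
setup_template() {
    tmpl="$1"
    mkdir -p "$tmpl/info" "$tmpl/hooks"
    # Default exclude list, copied into .git/info/exclude of every new repo.
    # .env.example is deliberately re-included: it holds no secrets.
    printf '%s\n' '.env' '.env.*' '!.env.example' > "$tmpl/info/exclude"
    # Pre-commit hook: second layer in case the ignore is bypassed with -f.
    cat > "$tmpl/hooks/pre-commit" <<'EOF'
#!/bin/sh
# Refuse any staged .env / .env.* file (except .env.example) at any depth.
blocked=$(git diff --cached --name-only --diff-filter=ACR \
          | grep -E '(^|/)\.env(\..*)?$' | grep -v '\.example$')
if [ -n "$blocked" ]; then
    echo "pre-commit: refusing to commit secrets file(s):" >&2
    echo "$blocked" >&2
    exit 1
fi
exit 0
EOF
    chmod +x "$tmpl/hooks/pre-commit"
}

# Exercise the template in a fresh repo. Returns 0 when .env is both
# ignored by `git add .` and rejected by the hook after `git add -f .env`;
# non-zero codes say which protection failed.
demo() {
    work=$(mktemp -d)
    tmpl="$work/template"
    repo="$work/app"
    setup_template "$tmpl"
    git init -q --template="$tmpl" "$repo"
    # Repo-local settings only, so the real user config is untouched.
    git -C "$repo" config user.email demo@example.com
    git -C "$repo" config user.name demo
    git -C "$repo" config core.hooksPath "$repo/.git/hooks"
    git -C "$repo" config commit.gpgsign false
    printf 'DB_PASSWORD=hunter2\n' > "$repo/.env"          # constructed secret
    printf 'DB_PASSWORD=\n'        > "$repo/.env.example"  # safe to commit
    printf '<?php echo 1;\n'       > "$repo/index.php"
    rc=0
    git -C "$repo" add .
    if git -C "$repo" diff --cached --name-only | grep -qxF '.env'; then
        rc=1   # ignore list failed: .env got staged by `git add .`
    elif ! git -C "$repo" commit -q -m "initial" >/dev/null 2>&1; then
        rc=2   # hook wrongly blocked a commit that contained no secrets
    else
        git -C "$repo" add -f .env   # simulate the slip-up: force past the ignore
        if git -C "$repo" commit -q -m "oops" >/dev/null 2>&1; then
            rc=3   # hook failed: the secrets file was committed
        fi
    fi
    rm -rf "$work"
    return $rc
}

demo && echo "OK: .env ignored by default and rejected when force-added"
```

The ignore list covers the everyday case (`git add .` never sees the file); the hook covers the case where the ignore is bypassed on purpose or by a tool. Neither replaces moving the Laravel `public/` directory to be the web root, which is the other half of the incident described above.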