Here’s a battle-tested list of prime target files to loot on a Linux web server, whether it’s running Apache, Nginx, PHP, Node.js, or Python.
1. Web App Configuration Files
These almost always contain database credentials, API keys, and even OS-level user creds.
| File | Why It Matters |
|---|---|
| config.php | PHP apps – MySQL creds, $db_user, $db_pass |
| .env | Laravel, Node, Python – secrets, API tokens |
| wp-config.php | WordPress – DB creds, keys, salt values |
| configuration.php | Joomla – similar to wp-config |
| settings.py | Django apps – secret keys, DB creds |
| config.js or .json | Node apps – tokens, API keys |
| web.config | ASP.NET apps – may reveal DB creds |
| local.xml | Magento – often has DB creds in plain text |
Commands:
find /var/www -name "*.php" -type f 2>/dev/null
find /var/www -name ".env" -type f 2>/dev/null
2. Credential Files and Secrets
| File | Description |
|---|---|
| .htpasswd | Basic Auth password file |
| .htaccess | Sometimes leaks internal paths or rewrites |
| .git/config | Remote repo URL (internal repo = goldmine) |
| .ssh/id_rsa | SSH private keys (check permissions) |
| .bash_history | Can contain curl, ssh, mysql creds |
| db_backup.sql or .sql.gz | Dumped DBs with creds and user data |
| secrets.yml, secrets.json | App secrets and keys |
Commands:
find /var/www -type f \( -iname "*.sql" -o -iname "*.bak" -o -iname "*.env" \) 2>/dev/null
3. Logs and Debug Artifacts
| File | Why It Matters |
|---|---|
| error.log / access.log | Leaked requests, login attempts |
| debug.log | Stack traces, internal errors |
| development.log | Found in Rails, Django, Laravel |
| phpinfo.php (if exposed) | Reveals PHP modules, paths, etc. |
Search for log files:
find /var/log -type f -iname "*.log" 2>/dev/null
4. CMS & App-Specific Gold
WordPress:
grep DB_ wp-config.php
Joomla:
grep 'public $user' configuration.php
Laravel:
grep APP_KEY .env
NodeJS:
grep -i secret config.js
5. Backup and Forgotten Files
Sysadmins love making backups… and forgetting them.
Look for:
| File | Example |
|---|---|
| .bak, .old, .orig | wp-config.php.bak, index.php.old |
| .tar, .zip, .gz | Full app folders or source dumps |
| copy_of_ or *_backup | Naming tells you it’s a lazy backup |
Search:
find /var/www -type f \( -iname "*.bak" -o -iname "*.zip" -o -iname "*.tar" \) 2>/dev/null
6. Misconfigured Cron Jobs
Sometimes web apps schedule cron jobs that you can tamper with.
Check:
ls -la /etc/cron* /var/spool/cron/
Look for scripts called by cron that are world- or group-writable.
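The flip side of sections 1–6 is the audit a server owner runs before anyone else does: which of the files in the tables above are readable by accounts other than their owner, and which cron-invoked scripts can be rewritten by group or world. The script below is an added example, not part of the original post; it builds a small constructed demo tree under mktemp so it can be run anywhere, and the file patterns it checks are exactly the ones listed above.

```sh
#!/bin/sh
# Added example (not from the original post): audit a web root for the file
# classes listed above and flag the ones readable by "others", then flag
# cron-invoked scripts that are group- or world-writable.
# Assumptions: POSIX sh with find, ls, grep -o, mktemp; paths come from the caller.

# Print sensitive files under $1 whose mode grants read to others (o+r).
# Patterns mirror the tables above; a file missing from this list is not "safe".
find_exposed_secrets() {
    find "$1" -type f \( -iname 'config.php' -o -iname '.env' \
        -o -iname 'wp-config.php' -o -iname 'configuration.php' \
        -o -iname 'settings.py' -o -iname 'local.xml' -o -iname '.htpasswd' \
        -o -iname 'secrets.yml' -o -iname 'secrets.json' -o -iname '*.sql' \
        -o -iname '*.sql.gz' -o -iname '*.bak' -o -iname '*.old' \
        -o -iname '*.orig' -o -path '*/.git/config' \) \
        -perm -004 -print 2>/dev/null | sort
}

# Print every script referenced by an absolute path in the crontab files under
# the given files/dirs (and the cron.d/cron.daily-style files themselves)
# whose mode grants group write or world write. Comment lines are skipped.
find_writable_cron_targets() {
    find "$@" -type f 2>/dev/null | while read -r f; do
        for tgt in "$f" $(grep -v '^[[:space:]]*#' "$f" | grep -o '/[^[:space:]]*'); do
            [ -f "$tgt" ] || continue
            case "$(ls -ld "$tgt" | cut -c1-10)" in
                ?????w*|????????w*) echo "$tgt" ;;   # char 6 = group w, char 9 = other w
            esac
        done
    done | sort -u
}

# Constructed demo tree (not a real server): a locked-down .env, a
# world-readable backup copy, and a cron entry pointing at a mode-777 script.
make_demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/www" "$d/cron"
    printf 'DB_PASSWORD=example\n' > "$d/www/.env";            chmod 600 "$d/www/.env"
    printf '<?php // old copy\n' > "$d/www/wp-config.php.bak"; chmod 644 "$d/www/wp-config.php.bak"
    printf '#!/bin/sh\necho backup\n' > "$d/www/backup.sh";    chmod 777 "$d/www/backup.sh"
    printf '0 3 * * * root %s/www/backup.sh\n' "$d" > "$d/cron/crontab"
    chmod 644 "$d/cron/crontab"
    echo "$d"
}

demo=$(make_demo_root)
echo "== secrets/backups readable by others =="; find_exposed_secrets "$demo/www"
echo "== group/world-writable cron targets =="; find_writable_cron_targets "$demo/cron"
rm -rf "$demo"
```

On a real host, point the two functions at the web root and at /etc/crontab, /etc/cron.d, /etc/cron.daily and /var/spool/cron; every path they print is one that should either be tightened with chmod/chown or removed.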
Summary: Priority Looting Targets
| Type | File or Pattern |
|---|---|
| DB creds | config.php, .env, wp-config.php, settings.py |
| Secrets & keys | .env, secrets.yml, .git/config, .ssh/ |
| Logs | debug.log, access.log, development.log |
| Backups | *.bak, *.zip, *.tar.gz, .sql |
| Executables | Anything cron calls that’s writable |
| Shell history | .bash_history, .mysql_history |
