Spring Sale! Save 30% on all books w/ code: PLANET24
Web Dev + WordPress + Security

They’re Scanning for Your Backup Files

[ Scanning for Backup Files ] Just a reminder to keep your backup files offline. Do not store them in any publicly accessible space. It’s just not worth the risk man. And if you’re working online, you should know this already. If not, then continue reading to learn why it’s absolutely mission critical.

Game over

If someone finds a backup database file on your server, it’s game over. Any sensitive information stored in the database — like usernames, passwords, financial information, and so forth — can be harvested by thieves and used to make your life miserable. In short:

NEVER store your database/backup files in any public directory.

For years I’ve been seeing endless requests for backup database files. The scammers and thieves must be starving to death because there seems to be an increase in the following types of malicious requests (note that these are all from the same server scan):

http://example.com/db_backup.example.com.sql.gz
http://example.com/db_backup.example.sql.gz
http://example.com/db_backup.sql.gz
http://example.com/db_backup.example.com.sql
http://example.com/db_backup.example.sql
http://example.com/dump.sql
http://example.com/Dump.sql
http://example.com/example.com.sql
http://example.com/example.sql
http://example.com/example.com.bak
http://example.com/example.bak
http://example.com/backup.sql
http://example.com/backup.sql.zip

http://example.com/wp-config.php~
http://example.com/wp-config.php.bak
http://example.com/wp-config.bak.php
http://example.com/configuration.php~

http://example.com/configuration.php.bak
http://example.com/configuration.php.old
http://example.com/wp-config.php.old

http://example.com/_db_.sql
http://example.com/_DB_.sql
http://example.com/_DB_.sql.zip
http://example.com/_DB_.tar.gz
http://example.com/sql.txt

http://example.com/database.sql
http://example.com/localhost.sql
http://example.com/sql.sql
http://example.com/bak.sql

http://example.com/example.com.bak.sql
http://example.com/example.bak.sql

http://example.com/data.sql
http://example.com/1.sql
http://example.com/1.rar
http://example.com/1.tar
http://example.com/1.tar.gz
http://example.com/1.tgz
http://example.com/1.zip

http://example.com/backup.bz2
http://example.com/backup.gz
http://example.com/backup.rar
http://example.com/backup.tar
http://example.com/backup.tar.gz
http://example.com/backup.tgz
http://example.com/backup.zip

http://example.com/dump.rar
http://example.com/dump.sql
http://example.com/dump.sql.gz
http://example.com/dump.sql.tgz
http://example.com/dump.tar
http://example.com/dump.tar.gz
http://example.com/dump.tgz
http://example.com/dump.zip

http://example.com/home.rar
http://example.com/home.tar
http://example.com/home.tar.gz
http://example.com/home.tgz
http://example.com/home.zip

http://example.com/htdocs.tar
http://example.com/htdocs.tar.gz
http://example.com/htdocs.zip
http://example.com/htodcs.rar

http://example.com/public_html.rar
http://example.com/public_html.tar
http://example.com/public_html.tar.gz
http://example.com/public_html.tgz
http://example.com/public_html.zip

http://example.com/site.rar
http://example.com/site.tar
http://example.com/site.tar.gz
http://example.com/site.tgz
http://example.com/site.zip

http://example.com/upload.rar
http://example.com/upload.zip

http://example.com/web.rar
http://example.com/web.tar
http://example.com/web.tar.gz
http://example.com/web.zip

http://example.com/www.gz
http://example.com/www.rar
http://example.com/www.tar
http://example.com/www.tar.bz2
http://example.com/www.tar.gz
http://example.com/www.tgz
http://example.com/www.zip

http://example.com/www.example.com.gz
http://example.com/www.example.com.rar
http://example.com/www.example.com.sql
http://example.com/www.example.com.sql.gz
http://example.com/www.example.com.tar
http://example.com/www.example.com.tar.gz
http://example.com/www.example.com.tgz
http://example.com/www.example.com.zip
http://example.com/www.example.com.7z
http://example.com/www.example.gz
http://example.com/www.example.rar
http://example.com/www.example.sql
http://example.com/www.example.sql.gz
http://example.com/www.example.tar
http://example.com/www.example.tar.gz
http://example.com/www.example.tgz
http://example.com/www.example.zip
http://example.com/www.example.7z

http://example.com/example.com.gz
http://example.com/example.com.rar
http://example.com/example.com.sql
http://example.com/example.com.sql.gz
http://example.com/example.com.tar
http://example.com/example.com.tar.gz
http://example.com/example.com.tgz
http://example.com/example.com.zip
http://example.com/example.com.7z

http://example.com/db_backup.example.com.sql.gz
http://example.com/db_backup.example.sql.gz
http://example.com/db_backup.sql.gz
http://example.com/db_backup.example.com.sql
http://example.com/db_backup.example.sql

http://example.com/backup/backup.bz2
http://example.com/backup/backup.gz
http://example.com/backup/backup.rar
http://example.com/backup/backup.tar
http://example.com/backup/backup.tar.gz
http://example.com/backup/backup.tgz
http://example.com/backup/backup.zip

If that’s not desperation, I don’t know what is.

Save your resources

So the grease bags are scanning for a wide variety of backup files, including requests for just about every combination of commonly used file names and types. Harvesting the previous set of URI requests, we get the following list of extensions:

.com, .sql, .gz, .bak, .zip, .php, .php~, .old, .rar, .tar, .tgz, .bz2, .7z, .txt

Most sites make use of some of these types, such as .php, .zip, and .txt, but many others such as .bak, .com, and .old generally serve no purpose in the public realm. This suggests that you could save some bandwidth and resources by blocking some of these requests outright. For example, you could add the following slice of .htaccess:

RedirectMatch 403 \.(com|sql|bak|php~|old|rar|tar|tgz|bz2|7z)$

Of course, that’s just an example; you would want to further trim the list of file types based on the actual resources available at your site. But the example should give you an idea of how to throttle some of the waste associated with endless scans for backup files.

Honestly, the backup scans are just ridiculous. And the saddest thing is that there must be enough people leaving their backup files online for these sorts of scans to be worthwhile. Really scary if you think about it.

Use a Firewall

Also FYI, my 6G Firewall includes some built-in protection against many types of backup scans. Specifically, requests for any of the following file types are blocked cold:

.bak, .out, .sql, .tar, .rar

So if you’re running 6G and get hit with a malicious scan for backup/database files, you’re protected automatically against a huge number of wasteful requests. And if .htaccess isn’t possible, my firewall plugin is dead easy to customize, so you can block whichever of these file extensions make sense for your site.

About blocking the more commonly used file types, such as .php and .zip, well, that’s up to you. But one thing that is absolutely critical regardless of whether you’re blocking these sorts of specific requests or not: NEVER store your database/backup files in any public directory. Otherwise it’s game over folks.

About the Author
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.
.htaccess made easy: Improve site performance and security.

4 responses to “They’re Scanning for Your Backup Files”

  1. Adam Robertson 2016/05/07 12:20 pm

    Yep!

    I have also been moving my servers that do the backups behind an IPTABLES firewall so they are only ssh or vpn accessible.

    My front-end website servers are all going to be nothing but front-end website files, backed up nightly.

    Lock it down!!!

  2. well I’m using UpdraftPLus für Backups and the directory to store the backup-files is using deny from all in .htaccess. Is this enough protection?

    Cheers, Connie

    • Jeff Starr 2016/05/08 9:26 am

      Yes of course .htaccess-level of protection is fine. As long as the backup files are not publicly accessible, it’s all good. Believe it or not some people just leave their backup databases in a public directory, and that’s what the bad guys are targeting. I had to write this article to help educate those who are at risk. In any case, yes definitely Deny from All is more than sufficient for protecting your files.

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
SAC Pro: Unlimited chats.
Thoughts
I live right next door to the absolute loudest car in town. And the owner loves to drive it.
8G Firewall now out of beta testing, ready for use on production sites.
It's all about that ad revenue baby.
Note to self: encrypting 500 GB of data on my iMac takes around 8 hours.
Getting back into things after a bit of a break. Currently 7° F outside. Chillz.
2024 is going to make 2020 look like a vacation. Prepare accordingly.
First snow of the year :)
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.