So, I tried to demonstrate to my roommate how many people push their credentials to GitHub by searching for "password remove" commits.

I decided to show him the file and noticed something interesting. A public IP, and mysql credentials.

I visit the IP and what do I see there: a directory listing with a Python script, which injects the database into a webpage (???), and a log of all HTTP requests. Lots of failed attacks aiming at the PHP CGI. Still wondering how they failed on a Python server 🤔🤔🤔

Edit phpmyadmin to connect to the mysql database. Success.

Inserted a row telling him that his password is on GitHub. Maybe I should also have told him how to actually remove it. 😅
Yes, root can log in from %

This is how far I can get with my current abilities.

Scary how insecure this world is.
