What is ".git/config"?

Seeing lots of HTTP requests for it


Zippy1970

9:08 pm on May 23, 2024 (gmt 0)


So I'm seeing a lot of malicious traffic after having installed Hotjar [webmasterworld.com] on my site. Most traffic is looking for random vulnerabilities (which they won't find since everything on my server, including WordPress and all its plugins, is up to date). But I also see a lot of single hits on ".git/config":

GET /common/.git/config HTTP/1.1
GET /aomanalyzer/.git/config HTTP/1.1
GET /.git/config HTTP/1.1

which all result in 404 not found because I don't have anything like that on my server.

But why are they requesting that file? What's so special about it?

lucy24

10:38 pm on May 23, 2024 (gmt 0)


<tangent>
If you’re seeing a lot of requests for a file you don’t have (and even if you did have it, it would be for your own use and not some passing stranger), and you don’t want them to realize you’re onto them, you might like to return a 404 manually. It saves your server the trouble of physically looking for the file. If you don’t know how to do this, ask in the appropriate subforum--Apache, IIS or whatever it may be.
</tangent>

When I see requests like this, for files that I don’t have, never have had and never will have, I generally assume they’re associated with some CMS and leave it at that.
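
Added example, not part of either post above: `.git/config` is Git's per-repository configuration file, which is only reachable over HTTP when a repository's `.git` directory sits inside the web root. The sketch below groups such probes from an access log by client and flags any that did not get an error response. The combined log format, the sample lines and the function name `scan` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" format (not taken from
# the thread; client addresses come from the documentation-only ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [23/May/2024:20:51:02 +0000] "GET /common/.git/config HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [23/May/2024:20:51:03 +0000] "GET /aomanalyzer/.git/config HTTP/1.1" 404 196 "-" "-"
198.51.100.22 - - [23/May/2024:20:55:40 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "-"
198.51.100.22 - - [23/May/2024:20:55:41 +0000] "GET /old/.git/config HTTP/1.1" 200 92 "-" "-"
192.0.2.10 - - [23/May/2024:20:56:00 +0000] "GET /blog/git-config-tips HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client, identd, user, [timestamp], "METHOD path protocol", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# A path segment that is exactly ".git", followed by "/config"
# (optionally with a query string). "/blog/git-config-tips" does not match.
PROBE_RE = re.compile(r'(?:^|/)\.git/config(?:\?|$)', re.IGNORECASE)


def scan(log_text):
    """Return (probes_by_client, exposed).

    probes_by_client maps client IP -> list of (path, status).
    exposed lists (ip, path, status) for probes answered with a 2xx status,
    i.e. cases where the server actually served the file.
    """
    probes = defaultdict(list)
    exposed = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not PROBE_RE.search(m["path"]):
            continue
        status = int(m["status"])
        probes[m["ip"]].append((m["path"], status))
        if 200 <= status < 300:
            exposed.append((m["ip"], m["path"], status))
    return dict(probes), exposed


if __name__ == "__main__":
    by_client, served = scan(SAMPLE_LOG)
    for ip, hits in sorted(by_client.items()):
        print(f"{ip}: {len(hits)} probe(s) -> {hits}")
    for ip, path, status in served:
        print(f"EXPOSED: {path} returned {status} to {ip}")
```

An empty `exposed` list corresponds to the situation in the first post, where every request ends in 404.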