
Don’t keep backups on your web server, even if you think they’re secret - ohjeez
https://blog.petdance.com/2018/08/10/dont-leave-backup-zips-on-your-web-server/
======
jstarfish
> Today I was looking through the error log for a website I work on and
> noticed a series of 404s, where someone at the same IP address in China was
> asking for files that didn’t exist.

Chinese origin is irrelevant; the behavior described in the article is baked
into every commodity vulnerability scanner on the market these days.

Other target variants include permutations of
(backup|sql|sqldump|dump)\.(sql|7z|tar|tar\.gz|gz|rar) expected to be found
in the local directory, as well as *.pem, your raw /.git/ directory and lots
more.

