Pax
I deployed an API yesterday to DigitalOcean using Docker modelled after concepts in [dockerswarm.rocks](https://dockerswarm.rocks/) and this [cookiecutter](https://github.com/tiangolo/full-stack-fastapi-postgresql) --- which uses 2 separate traefik containers: one as load balancer and the other as proxy.

Today, when I redeployed the API, the logs show GET requests to `/.git/HEAD` only 3 minutes after the stack (backend, pgadmin, etc.) was recreated.


Googling about “GET requests to /.git/HEAD” doesn’t give much aside from this [article](https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/) about not exposing your .git folder.

Which made me wonder whether these are coming from bad actors? If so, how did they “discover” my domain so quickly? 

I’m thinking my domain/subdomains are known instead of just the IP address since different containers (pgAdmin and the backend) are getting hit:

**PgAdmin**

```
| 10.0.0.2 - - [09/Jul/2020:16:06:16 +0000] "GET /.git/HEAD HTTP/1.1" 404 232 "-" "-"
| 2020-07-09 16:06:16,156: ERROR	flask.app:	404 Not Found: The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.
```

**Backend**

```
| 10.0.6.3:49526 - "GET /.git/HEAD HTTP/1.1" 404
| 10.0.6.3:49526 - "GET /.git/HEAD HTTP/1.1" 404
| 10.0.6.3:49526 - "GET /.git/HEAD HTTP/1.1" 404
| 10.0.6.3:49526 - "GET /.git/HEAD HTTP/1.1" 404
```

**Proxy**

```
| 10.0.1.29 - - [09/Jul/2020:16:07:35 +0000] "GET /.git/HEAD HTTP/1.1" 404 22 "-" "-" 5 "stag-dicery-margret-pw-backend-http@docker" "http://10.0.6.6:80" 2ms
| 10.0.1.29 - - [09/Jul/2020:16:07:35 +0000] "GET /.git/HEAD HTTP/1.1" 404 22 "-" "-" 6 "stag-dicery-margret-pw-backend-http@docker" "http://10.0.6.6:80" 1ms
| 10.0.1.29 - - [09/Jul/2020:16:07:36 +0000] "GET /.git/HEAD HTTP/1.1" 404 22 "-" "-" 7 "stag-dicery-margret-pw-backend-http@docker" "http://10.0.6.6:80" 1ms
| 10.0.1.29 - - [09/Jul/2020:16:07:36 +0000] "GET /.git/HEAD HTTP/1.1" 404 22 "-" "-" 8 "stag-dicery-margret-pw-backend-http@docker" "http://10.0.6.6:80" 1ms
```

**Load Balancer**

```
|  time="2020-07-09T16:03:08Z" level=info msg="Configuration loaded from flags."
...
|  10.0.0.2 - - [09/Jul/2020:16:06:09 +0000] "GET /.git/HEAD HTTP/1.0" 301 17 "-" "-" 11 "stag-dicery-margret-pw-pgadmin-http@docker" "-" 1ms
|  10.0.0.2 - - [09/Jul/2020:16:06:09 +0000] "GET /.git/HEAD HTTP/1.0" 301 17 "-" "-" 12 "stag-dicery-margret-pw-pgadmin-http@docker" "-" 0ms
|  10.0.0.2 - - [09/Jul/2020:16:06:09 +0000] "GET /.git/HEAD HTTP/1.0" 404 232 "-" "-" 14 "stag-dicery-margret-pw-pgadmin-https@docker" "http://10.0.1.34:5050" 5847ms
|  10.0.0.2 - - [09/Jul/2020:16:06:09 +0000] "GET /.git/HEAD HTTP/1.0" 404 232 "-" "-" 13 "stag-dicery-margret-pw-pgadmin-https@docker" "http://10.0.1.34:5050" 5975ms
|  10.0.0.2 - - [09/Jul/2020:16:06:16 +0000] "GET /.git/HEAD HTTP/1.0" 404 232 "-" "-" 15 "stag-dicery-margret-pw-pgadmin-https@docker" "http://10.0.1.34:5050" 17ms
|  10.0.0.2 - - [09/Jul/2020:16:06:16 +0000] "GET /.git/HEAD HTTP/1.0" 404 232 "-" "-" 16 "stag-dicery-margret-pw-pgadmin-https@docker" "http://10.0.1.34:5050" 16ms
...
|  10.0.0.2 - - [09/Jul/2020:16:07:35 +0000] "GET /.git/HEAD HTTP/1.0" 302 5 "-" "-" 25 "stag-dicery-margret-pw-proxy-http@docker" "-" 0ms
|  10.0.0.2 - - [09/Jul/2020:16:07:35 +0000] "GET /.git/HEAD HTTP/1.0" 302 5 "-" "-" 26 "stag-dicery-margret-pw-proxy-http@docker" "-" 0ms
|  10.0.0.2 - - [09/Jul/2020:16:07:35 +0000] "GET /.git/HEAD HTTP/1.0" 404 22 "-" "-" 27 "stag-dicery-margret-pw-proxy-https@docker" "http://10.0.1.32:80" 4ms
|  10.0.0.2 - - [09/Jul/2020:16:07:35 +0000] "GET /.git/HEAD HTTP/1.0" 404 22 "-" "-" 28 "stag-dicery-margret-pw-proxy-https@docker" "http://10.0.1.32:80" 3ms
|  10.0.0.2 - - [09/Jul/2020:16:07:36 +0000] "GET /.git/HEAD HTTP/1.0" 302 5 "-" "-" 29 "stag-dicery-margret-pw-proxy-https@docker" "-" 0ms
|  10.0.0.2 - - [09/Jul/2020:16:07:36 +0000] "GET /.git/HEAD HTTP/1.0" 404 22 "-" "-" 30 "stag-dicery-margret-pw-proxy-https@docker" "http://10.0.1.32:80" 3ms
|  10.0.0.2 - - [09/Jul/2020:16:07:36 +0000] "GET /.git/HEAD HTTP/1.0" 404 22 "-" "-" 31 "stag-dicery-margret-pw-proxy-https@docker" "http://10.0.1.32:80" 2ms
```
Top Answer
Jack Douglas
Yes, undoubtedly — it doesn't look like the kind of traffic generated by a search engine or other innocuous source.

> Googling about “GET requests to /.git/HEAD” doesn’t give much aside from this article about not exposing your .git folder.

It's probably not that they want to know what `/.git/HEAD` is; it's just a probe to determine whether your git folder is exposed. No doubt phase 2 would kick in if it was (e.g. grabbing your credentials if they are saved in there).

> Which made me wonder whether these are coming from bad actors? If so, how did they “discover” my domain so quickly?

You mentioned in chat that you are using public DNS — I imagine that's how they harvested your addresses. My guess is that attackers have learned that recently deployed services are more likely to have vulnerabilities of a certain class (not outdated software, but deployment errors exposing sensitive files, for example). That's probably why they rush to discover new services so quickly.
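
An added example, not part of the original question or answer: one way to scan Traefik access logs like those above for metadata probes and confirm that none of them was actually served. The router name `example-static@docker`, the `/.env` and `/.svn/` patterns, and the last two sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Traefik access-log line: common log format plus request count,
# router name, backend URL and duration, as in the logs above.
LINE_RE = re.compile(
    r'(?P<client>\S+) - \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" \d+ "(?P<router>[^"]*)" "[^"]*" \d+ms'
)

# /.git/ is the probe from the question; /.env and /.svn/ are assumed additions.
PROBE_RE = re.compile(r'^/(\.git/|\.svn/|\.env$)')

# First five lines are copied from the question; the last two are constructed.
SAMPLE_LOG = '''\
|  time="2020-07-09T16:03:08Z" level=info msg="Configuration loaded from flags."
|  10.0.0.2 - - [09/Jul/2020:16:06:09 +0000] "GET /.git/HEAD HTTP/1.0" 301 17 "-" "-" 11 "stag-dicery-margret-pw-pgadmin-http@docker" "-" 1ms
|  10.0.0.2 - - [09/Jul/2020:16:06:09 +0000] "GET /.git/HEAD HTTP/1.0" 404 232 "-" "-" 14 "stag-dicery-margret-pw-pgadmin-https@docker" "http://10.0.1.34:5050" 5847ms
|  10.0.0.2 - - [09/Jul/2020:16:07:35 +0000] "GET /.git/HEAD HTTP/1.0" 302 5 "-" "-" 25 "stag-dicery-margret-pw-proxy-http@docker" "-" 0ms
|  10.0.0.2 - - [09/Jul/2020:16:07:35 +0000] "GET /.git/HEAD HTTP/1.0" 404 22 "-" "-" 27 "stag-dicery-margret-pw-proxy-https@docker" "http://10.0.1.32:80" 4ms
|  10.0.0.2 - - [09/Jul/2020:16:09:00 +0000] "GET /api/v1/items HTTP/1.0" 200 512 "-" "-" 39 "example-static@docker" "http://10.0.1.40:80" 3ms
|  10.0.0.2 - - [09/Jul/2020:16:09:01 +0000] "GET /.git/HEAD HTTP/1.0" 200 23 "-" "-" 40 "example-static@docker" "http://10.0.1.40:80" 2ms
'''


def summarize(log_text):
    """Count metadata probes per (router, status) and list any that were served."""
    probes, served = Counter(), []
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw)
        if m is None or not PROBE_RE.match(m['path']):
            continue  # not an access-log line, or an ordinary request
        status = int(m['status'])
        probes[(m['router'], status)] += 1
        if 200 <= status < 300:  # the file was actually returned
            served.append((m['router'], m['path']))
    return probes, served


if __name__ == '__main__':
    probes, served = summarize(SAMPLE_LOG)
    for (router, status), n in sorted(probes.items()):
        print(f'{n:3d}  {status}  {router}')
    for router, path in served:
        print(f'EXPOSED: {router} served {path}')
```

The client field in these logs holds private 10.x addresses rather than the scanner's own address, so the example groups hits by router instead of by client. A 301, 302 or 404 means the probe found nothing; only a 2xx entry indicates the path was served.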