📋 Brief Description of the Problem
A specialist in information security is required to identify the source of the API key leak from the production server. For a month, there has been a systematic theft of credentials from the .env file, followed by their use for spam mailings.
Budget: By agreement (discussed after assessing the scope of work)
Deadline: 3-7 days for diagnostics + 3-5 days of monitoring after completion
🔴 Problem Description
Incident Timeline:
| Date | Incident | Consequences |
|---|
| ~4 weeks ago | First spam mailing via AWS SES | ~50,000 emails |
| ~2 weeks ago | Second spam mailing | ~30,000 emails |
| ~1 week ago | Third spam mailing | ~52,000 emails, AWS account blocked |
| Today | Attempt to use a new Brevo key | Blocked by IP filter |
What Has Already Been Done:
- ✅ Full audit of the application code (no backdoors found)
- ✅ Antivirus check of the developer's computer (clean)
- ✅ Removal of all browser extensions
- ✅ Complete migration to a new server (clean installation)
- ✅ Change of all API keys
- ✅ Backup encryption (AES, stored on Google Drive)
- ✅ Removal of credentials from Git history
- ✅ Involvement of two freelancers (problem not resolved)
Current Situation:
After migrating to a new server and connecting Brevo with IP-whitelist, spam mailings have stopped, BUT the provider recorded an attempt to use a new API key from an unknown IP. This means that the leak of credentials continues.
🎯 Task
Find the source of the API key leak from the .env file.
Possible attack vectors (hypotheses):
- Vulnerability in the application code — ability to read files via the web
- Compromise of the developer's workstation — keylogger, clipboard hijacker, screen capture
- Compromise of SSH/FTP access — stolen keys, brute-force
- Vulnerability in server software — NGINX, PHP-FPM, PostgreSQL
- Man-in-the-Middle — interception during deployment/editing
- Leak through CI/CD or Git — accidental inclusion in history
- Compromise of the hosting provider — unlikely, but possible
- Insider threat — access of third parties to the server/code
📦 Project Technical Stack
| Component | Technology |
|---|
| Backend | PHP 8.4 (custom MVC framework) |
| Database | PostgreSQL 17 |
| Cache | Redis |
| Web Server | NGINX + PHP-FPM |
| OS | Ubuntu 24.04 LTS |
| Email | Brevo (formerly AWS SES) |
| AI | OpenAI, Claude, Gemini API |
| Payments | Stripe |
📝 What is Required from the Contractor
Stage 1: Server Audit (remotely)
- [ ] Analysis of authorization logs (
/var/log/auth.log, lastlog, wtmp) - [ ] Check for rootkits (
rkhunter, chkrootkit, lynis) - [ ] Audit cron jobs of all users
- [ ] Check systemd services for suspicious ones
- [ ] Analyze open ports and network connections
- [ ] Check SUID/SGID files
- [ ] Analyze
.bashrc, .profile for injections - [ ] Check SSH configuration and authorized_keys
- [ ] Audit access rights to the
.env file - [ ] Check PHP-FPM pool configuration
- [ ] Analyze NGINX configuration for vulnerabilities
Stage 2: Application Code Audit
- [ ] Search for LFI/RFI (Local/Remote File Inclusion) vulnerabilities
- [ ] Check for Path Traversal vulnerabilities
- [ ] Analyze file upload points
- [ ] Check user input handling
- [ ] Search for hardcoded credentials
- [ ] Analyze logging (are keys logged)
- [ ] Check for information leaks (phpinfo, debug mode)
Stage 3: Developer Workstation Audit
- [ ] Deep malware scan (not just antivirus)
- [ ] Check startup and task scheduler
- [ ] Analyze installed programs
- [ ] Check IDE extensions (VSCode/PHPStorm)
- [ ] Analyze clipboard history
- [ ] Check network traffic for suspicious connections
Stage 4: Monitoring and Traps
- [ ] Set up monitoring access to the
.env file (auditd, inotify) - [ ] Create a honeypot key to track the leak
- [ ] Set up alerts for suspicious activity
⚠️ Important Working Conditions
Access to the Server:
SSH access is provided ONLY through remote desktop (TeamViewer or AnyDesk).
Direct SSH access is not provided for security reasons.
Communication:
A mandatory phone/video call before starting work for:
- Verifying the contractor
- Discussing the work plan
- Agreeing on the process
Payment Terms:
Payment is made 3-5 days after the completion of work, provided there are no new leak incidents.
This is due to previous contractors claiming to have resolved the issue, but leaks continued.
📊 Expected Results
- Audit report with a detailed description of the checked components
- Identified source of the leak (if found) with evidence
- Recommendations for eliminating the vulnerability
- Plan to prevent similar incidents in the future
- Configured monitoring system for access to sensitive files
👤 Requirements for the Contractor
- Experience in information security for at least 3 years
- Experience in penetration testing and security audits
- Knowledge of Linux at the administrator level
- Understanding of web vulnerabilities (OWASP Top 10)
- Experience with PHP applications
- Forensics skills (digital forensics) — preferred
- Knowledge of the Russian language (for communication)
Advantages will be:
- Experience investigating similar incidents
- Certifications (CEH, OSCP, etc.)
- Portfolio/cases on security audits
📞 How to Respond
In your response, please indicate:
- Your experience with similar tasks (specific cases)
- What tools you plan to use
- Your initial hypothesis about the source of the leak
- Estimated timelines and costs
The project is active, in production, serving real clients. Maximum care is required during the audit.