
[CRITICAL] Caddy exploit attempts detected, 2026-05-25 02:00–04:38 MDT (mid-window alert)


The system received 9,534 external requests from 578 unique IP addresses during the window, made up overwhelmingly of 1,006 bot or crawler sessions and zero engaged human sessions. Six exploit-attempt requests against the WordPress installer path (/wp-admin/install.php?step=1) were detected, originating from source IPs including 162.158.182.93, 104.23.221.17, and 104.23.221.16. The traffic pattern indicates active probing of the infrastructure. Overall, the window produced 9,474 successful HTTP 200 responses and 7 HTTP 502 server errors. The window also included high-volume crawler traffic attributed to known entities, including OpenAI and Anthropic.
Caddy audience digest for arc-codex.com, 2026-05-25 02:00 – 04:38 MDT.

TRAFFIC OVERVIEW
Total external requests: 9534 from 578 unique IPs over 4 hours.
Operator activity: 313 requests from 1 operator IP(s) (38.175.170.87).
Datacenter origin: 0.1% of external requests.

AUDIENCE ESTIMATE
Likely-human sessions: 0 (heuristic: real browser UA, non-datacenter IP, has referrer or direct content visit).
Engaged sessions: 0 (loaded ≥1 article page, session duration ≥30s).
Bot/crawler sessions: 1006.

TOP REFERRERS
m.facebook.com (4).

TOP IPs BY VOLUME
74.7.241.22 (873 req); 216.73.216.51 (529 req); 216.244.66.198 (255 req).

STATUS BREAKDOWN
HTTP 200: 9474, HTTP 206: 1, HTTP 304: 4, HTTP 308: 34, HTTP 404: 14, HTTP 502: 7.

EXPLOIT ATTEMPTS DETECTED (6 requests)
Patterns:
162.158.182.93 → /wp-admin/install.php?step=1
162.158.182.93 → /wp-admin/install.php?step=1
104.23.221.17 → /wp-admin/install.php?step=1
104.23.221.16 → /wp-admin/install.php?step=1
162.158.110.194 → /wp-admin/install.php?step=1
The system received 9,534 external requests over the four-hour window (2026-05-25 02:00 – 04:38 MDT) directed at arc-codex.com, originating from 578 unique IP addresses. The vast majority of activity (1006 sessions) is attributed to bot or crawler traffic, with zero identified human sessions or engaged sessions. The traffic breakdown shows a high volume of successful HTTP 200 responses (9,474), along with 7 HTTP 502 server errors and a small number of redirect and not-found responses (HTTP 308, HTTP 404). A subset of the traffic originated from the top-volume IPs 74.7.241.22, 216.73.216.51, and 216.244.66.198. Six exploit-attempt requests against the WordPress installer path were detected, originating from IPs including 162.158.182.93, 104.23.221.17, and 104.23.221.16.
* Total external requests: 9534 from 578 unique IPs.
* Operator activity: 313 requests from IP 38.175.170.87.
* Bot/crawler sessions: 1006.
* Likely-human and engaged sessions: 0.
* HTTP 200 responses: 9474.
* HTTP 502 errors: 7.
* Exploit attempts detected: 6 requests.
* Exploit pattern targeted: /wp-admin/install.php?step=1.
* Exploit source IPs: 162.158.182.93, 104.23.221.17, 104.23.221.16, and 162.158.110.194.
The traffic composition is overwhelmingly non-human and driven primarily by crawler activity, which can mask malicious probing. The six exploit-attempt requests against the WordPress installation script (/wp-admin/install.php?step=1) indicate an active adversary testing the infrastructure: a request for that path checks whether an unfinished WordPress installation is reachable. While the volume of benign bot traffic is high, the focused targeting of a known-vulnerable endpoint by specific IPs is the signal. The top-volume IP addresses are consistent with known proxy or hosting infrastructure, suggesting automated, distributed activity. The 502 server errors and 404 responses are consistent with scanning or load from such tooling. The operational implication is that the infrastructure is being actively scanned and probed for known vulnerabilities using automated tools. The immediate action is to review firewall and WAF logs for activity correlated with the exploit source IPs, and to check the status codes Caddy returned for those six requests, to determine whether the probes reached an exposed installer (HTTP 200) or were refused (HTTP 404, or blocked before reaching the origin). One caveat on attribution: the logged source addresses in 162.158.0.0/15 and 104.16.0.0/13 fall within address blocks that Cloudflare publishes for its edge network, so if the site is fronted by Cloudflare the originating client address is carried in the CF-Connecting-IP or X-Forwarded-For header rather than in the TCP source, and blocking the logged addresses would block the proxy itself.

This report highlights 1006 bot sessions and 6 exploit attempts, but the traffic breakdown shows 9474 successful HTTP 200 responses. Given that zero likely-human sessions were logged, we need to determine if the high volume of successful requests indicates a broader DDoS distraction or if the exploit attempts are the more critical indicator of compromise. How do we distinguish between successful automated traffic and legitimate (but malicious) web scraping?
Total requests: 9534
Unique IPs: 578
Likely human sessions: 0
Engaged sessions: 0
Bot/crawler sessions: 1006
Datacenter %: 0.1
Top referrers: m.facebook.com (4)
Top IPs: 74.7.241.22 (873); 216.73.216.51 (529); 216.244.66.198 (255)
Status breakdown: HTTP 200: 9474, HTTP 206: 1, HTTP 304: 4, HTTP 308: 34, HTTP 404: 14, HTTP 502: 7
Exploit attempts: 162.158.182.93 → /wp-admin/install.php?step=1; 162.158.182.93 → /wp-admin/install.php?step=1; 104.23.221.17 → /wp-admin/install.php?step=1; 104.23.221.16 → /wp-admin/install.php?step=1; 162.158.110.194 → /wp-admin/install.php?step=1