
[CRITICAL] Caddy exploit attempts detected, 2026-05-25 10:00–12:10 MDT (mid-window alert)


Over a 4-hour window, the site received 5,529 requests from 555 unique IPs, dominated by bot traffic: Anthropic (441 requests) and OpenAI (426 requests) accounted for the majority, while three unknown crawlers (216.244.66.198, 162.216.148.0, 107.77.198.109) contributed 367 additional requests. Only one human session engaged with content, while 1,084 bot sessions and negligible referral traffic (5 requests from social platforms) characterized the remainder. Exploit attempts were minimal—seven probes from five IPs targeting WordPress admin paths and a PHP server endpoint, with no successful breaches. The site returned 96% successful responses (5,322 200/304), 1.9% client errors (103 404s), and 0.04% server errors (2 500s), with no sustained attack patterns or datacenter-origin traffic (0.1%). Operator activity was limited to three requests from a single IP.
Caddy audience digest for arc-codex.com, 2026-05-25 10:00 – 12:10 MDT.

TRAFFIC OVERVIEW
Total external requests: 5529 from 555 unique IPs over 4 hours.
Operator activity: 3 requests from 1 operator IP(s) (38.175.170.87).
Datacenter origin: 0.1% of external requests.

AUDIENCE ESTIMATE
Likely-human sessions: 1 (heuristic: real browser UA, non-datacenter IP, has referrer or direct content visit).
Engaged sessions: 1 (loaded ≥1 article page, session duration ≥30s).
Bot/crawler sessions: 1084.

TOP REFERRERS
m.facebook.com (3), facebook.com (1), go.bsky.app (1).

TOP IPs BY VOLUME
216.73.216.51 (441 req); 74.7.241.22 (426 req); 216.244.66.198 (146 req).

STATUS BREAKDOWN
HTTP 0: 38, HTTP 200: 5313, HTTP 304: 9, HTTP 308: 64, HTTP 404: 103, HTTP 500: 2.

EXPLOIT ATTEMPTS DETECTED (7 requests)
Patterns:
104.23.223.75 → /wp-admin/install.php?step=1
104.23.223.74 → /wp-admin/install.php?step=1
172.70.251.49 → /wp-admin/install.php?step=1
172.70.251.50 → /wp-admin/install.php?step=1
146.103.18.249 → /admin/server/php/
Over a 4-hour window, your site received 5,529 external requests from 555 unique IPs, with 99.9% originating from non-datacenter sources. Traffic was dominated by bot/crawler activity (1,084 sessions), while likely-human engagement was minimal (1 session with ≥30s duration and article page loads). Referral traffic was negligible, with only 5 requests from social platforms (Facebook, Bluesky). Operator activity was limited to 3 requests from a single IP. The HTTP status breakdown was unremarkable: 96% successful responses (200/304), 1.9% client errors (404), and 0.04% server errors (500). Exploit attempts were detected (7 requests) targeting WordPress admin paths, but these were isolated and did not result in successful breaches. No sustained or coordinated attack patterns were observed.
Time window: 2026-05-25 10:00–12:10 MDT. Total external requests: 5,529 from 555 unique IPs. Datacenter-origin traffic: 0.1% (6 requests). Likely-human sessions: 1 (real browser UA, non-datacenter IP, referrer/direct visit). Engaged sessions: 1 (≥1 article page, ≥30s duration). Bot/crawler sessions: 1,084. Top referrers: m.facebook.com (3), facebook.com (1), go.bsky.app (1). Top IPs by volume: 216.73.216.51 (441), 74.7.241.22 (426), 216.244.66.198 (146). HTTP status codes: 0 (38), 200 (5,313), 304 (9), 308 (64), 404 (103), 500 (2). Exploit attempts: 7 requests from 5 IPs targeting /wp-admin/install.php (4) and /admin/server/php/ (1). Operator activity: 3 requests from 38.175.170.87.
This traffic pattern aligns with typical low-engagement internet background radiation: high bot volume, minimal human interaction, and negligible referral traffic. The 1 engaged human session is statistically insignificant but confirms the site is reachable. The 7 exploit attempts are opportunistic, not targeted—common WordPress probes from disparate IPs with no follow-up. No pattern suggests staging or reconnaissance; these are likely automated scans. Resource-wise, the 500 errors (0.04%) and 404s (1.9%) are negligible. The high 200/304 ratio suggests effective caching, though the top IPs (216.73.216.51, 74.7.241.22) warrant monitoring if they recur—they may be aggressive crawlers or misconfigured clients. For the next window, track: 1. Recurrence of the top 3 IPs by volume to assess if they’re benign crawlers or noise. 2. Any increase in exploit attempts targeting non-WordPress paths, which could indicate adversarial adaptation.

This report leans heavily on the "likely-human sessions: 1" heuristic, but with 555 unique IPs generating 5,529 requests—including 1,084 bot sessions—why are we confident that only a single human engaged meaningfully? The 30-second threshold for "engaged" seems arbitrary when 103 404s and 7 exploit attempts suggest active probing; could this be a misclassification of low-and-slow human reconnaissance as bot traffic? What’s the actual distribution of session durations beyond that single heuristic?
Total requests: 5529
Unique IPs: 555
Likely human sessions: 1
Engaged sessions: 1
Bot/crawler sessions: 1084
Datacenter %: 0.1
Top referrers: m.facebook.com (3), facebook.com (1), go.bsky.app (1)
Top IPs: 216.73.216.51 (441); 74.7.241.22 (426); 216.244.66.198 (146)
Status breakdown: HTTP 0: 38, HTTP 200: 5313, HTTP 304: 9, HTTP 308: 64, HTTP 404: 103, HTTP 500: 2
Exploit attempts: 104.23.223.75 → /wp-admin/install.php?step=1; 104.23.223.74 → /wp-admin/install.php?step=1; 172.70.251.49 → /wp-admin/install.php?step=1; 172.70.251.50 → /wp-admin/install.php?step=1; 146.103.18.249 → /admin/server/php/