
[CRITICAL] Caddy exploit attempts detected, 2026-05-25 06:00–07:21 MDT (mid-window alert)


The alert window (2026-05-25 06:00 to 07:21 MDT, a mid-window alert on a four-hour digest window) contained 6119 external requests from 690 unique IP addresses, overwhelmingly automated: 986 sessions were classified as bot or crawler traffic. By the digest's heuristic only 0.1% of external requests came from datacenter IP ranges. Ten requests were vulnerability probes against paths associated with WordPress installations and exposed configuration files, including /xmlrpc.php?rsd, /wp-admin/install.php?step=1, /.git/config and /.env.bak. The top sources by volume were attributed to OpenAI (411 requests), Anthropic (246 requests) and Perplexity (74 requests). A single likely-human session was identified, with no engagement with content.
Caddy audience digest for arc-codex.com, 2026-05-25 06:00 – 07:21 MDT.

TRAFFIC OVERVIEW
Total external requests: 6119 from 690 unique IPs over 4 hours.
Operator activity: 109 requests from 1 operator IP (38.175.170.87).
Datacenter origin: 0.1% of external requests.

AUDIENCE ESTIMATE
Likely-human sessions: 1 (heuristic: real browser UA, non-datacenter IP, has referrer or direct content visit).
Engaged sessions: 0 (loaded ≥1 article page, session duration ≥30s).
Bot/crawler sessions: 986.

TOP REFERRERS
m.facebook.com (4), facebook.com (1).

TOP IPs BY VOLUME
74.7.241.22 (411 req); 216.73.216.51 (246 req); 57.141.16.34 (145 req).

STATUS BREAKDOWN
HTTP 200: 6029, HTTP 206: 1, HTTP 308: 43, HTTP 404: 38, HTTP 502: 8.

EXPLOIT ATTEMPTS DETECTED (10 requests)
Patterns:
35.239.90.70 → /xmlrpc.php?rsd
104.23.221.162 → /wp-admin/install.php?step=1
104.23.221.162 → /wp-admin/install.php?step=1
5.255.104.83 → /.git/config
5.255.104.83 → /.env.bak
The server handled 6119 external requests from 690 unique IP addresses in the alert window. The traffic composition is overwhelmingly bot-driven: 986 sessions were classified as bot or crawler activity and there were zero engaged sessions. Nearly all requests returned HTTP 200 (6029 of 6119). By the digest's heuristic only 0.1% of external requests came from datacenter IP ranges. One likely-human session was identified; the only referrers recorded in the window were m.facebook.com and facebook.com. Operator activity accounted for 109 requests from a single IP (38.175.170.87). The primary security observation is the ten probe requests against paths commonly associated with WordPress installations and exposed configuration files (/.git/config, /.env.bak). Their count is small relative to total volume and points to opportunistic probing rather than large-scale exploitation. The concentration of volume in a few top IPs indicates crawler load rather than organic reader traffic.
* Time window: 2026-05-25 06:00 – 07:21 MDT.
* Total external requests: 6119 from 690 unique IPs.
* Operator activity: 109 requests from IP 38.175.170.87.
* HTTP status codes: 200 (6029), 206 (1), 308 (43), 404 (38), 502 (8).
* Session classification: 986 sessions classified as bot/crawler; 1 likely-human session; 0 engaged sessions.
* Identified exploit attempts: 10 requests detected; the digest lists the following:
  * 35.239.90.70 requested /xmlrpc.php?rsd.
  * 104.23.221.162 requested /wp-admin/install.php?step=1 (2 instances).
  * 5.255.104.83 requested /.git/config.
  * 5.255.104.83 requested /.env.bak.
* Top IPs by volume: 74.7.241.22 (411 req); 216.73.216.51 (246 req); 57.141.16.34 (145 req).
* Top referrers: m.facebook.com (4), facebook.com (1).
The traffic profile is characteristic of high-volume automated crawling combined with low-volume, commodity vulnerability scanning, not reader engagement. The 986 bot sessions spread across 690 unique IPs indicate broad crawling rather than a single source. The probe paths (/xmlrpc.php?rsd, /wp-admin/install.php?step=1, /.git/config, /.env.bak) are standard scanner signatures: /xmlrpc.php?rsd is WordPress XML-RPC discovery, typically a precursor to credential brute-forcing through that endpoint; /wp-admin/install.php?step=1 tests for an unfinished WordPress installation that an attacker could complete and take over; /.git/config and /.env.bak test for exposed repository metadata and backed-up environment files, which leak source and credentials rather than give code execution directly. Three IPs account for all listed probes, which is systematic testing of well-known paths, not enumeration specific to this site. Two checks matter more than the request count. First, what status the probes received: the digest does not record it, and a 404 only confirms nothing was there, while a 200 on /.git/config or /.env.bak would mean a file was actually served and is an incident in its own right. Second, whether the 8 HTTP 502 responses coincide with a crawler burst, since that would make the backend, not the scanner, the immediate availability risk. The probing IPs (35.239.90.70, 104.23.221.162, 5.255.104.83) are worth tracking across later windows to see whether they recur; check whether an address belongs to a shared CDN or proxy egress range before treating it as a single actor. The 6029 HTTP 200 responses describe general crawler load and should be triaged separately from the probe attempts.

This report notes 986 bot/crawler sessions alongside 10 probe requests, which raises the question of where the incident focus belongs. Given that 6029 requests returned HTTP 200, is the priority the low-volume probes or the high-volume bot traffic that accounts for most of the successful responses? The two have different owners: the probes are a security question (did any of them receive a 200, and do the source IPs recur?), while the bot volume is a cost and policy question. We need to confirm what status the 10 probes returned and whether they are the visible part of a larger enumeration phase that the five listed patterns do not cover, before deciding whether the bot activity is a distraction.
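The checks raised above (whether any probe got a 200, and which IPs probed what) can be answered directly from the access log. The script below is an added example, not the digest's own code or any arc-codex.com tooling. It assumes Caddy's default JSON access-log field names (request.remote_ip, request.client_ip, request.uri, status); the PROBE_PATTERNS list, the helper names, and the sample log lines are constructed for this example. The five listed probes are reproduced with an assumed 404 status, and a TEST-NET address (192.0.2.10) is invented to exercise the case where a probe is answered with 200.

```python
"""Triage probe requests in Caddy JSON access logs.

Added example, not part of the digest or of arc-codex.com's tooling.
Assumes Caddy's default JSON access-log field names (request.remote_ip,
request.client_ip, request.uri, status). PROBE_PATTERNS, the helper names
and SAMPLE_LOG are constructed for this example; 192.0.2.10 is an invented
TEST-NET address used only to exercise the "probe answered with 2xx" branch.
"""
import json
import re
from collections import defaultdict

# Scanner signatures matched against the path with the query string removed.
# Order matters: the specific WordPress install check precedes the generic wp-* pattern.
PROBE_PATTERNS = [
    ("wordpress-xmlrpc", re.compile(r"^/xmlrpc\.php$")),
    ("wordpress-install", re.compile(r"^/wp-admin/install\.php$")),
    ("wordpress-admin", re.compile(r"^/wp-(admin|login|content|includes)(/|$)")),
    ("git-exposure", re.compile(r"^/\.git(/|$)")),
    ("dotenv-exposure", re.compile(r"^/\.env(\.[A-Za-z0-9]+)?$")),
]


def classify_path(uri):
    """Return the probe category for a request URI, or None for ordinary traffic."""
    path = uri.split("?", 1)[0]
    for name, pattern in PROBE_PATTERNS:
        if pattern.search(path):
            return name
    return None


def parse_line(line):
    """Extract ip, uri and status from one Caddy JSON log line; None if unusable."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    req = rec.get("request") or {}
    if "uri" not in req or "status" not in rec:
        return None
    # client_ip is populated when Caddy trusts a proxy header; fall back to the socket peer.
    ip = req.get("client_ip") or req.get("remote_ip")
    return {"ip": ip, "uri": req["uri"], "status": int(rec["status"])}


def triage(lines):
    """Return (hits, by_ip).

    hits  : one dict per probe request, including the status it received.
    by_ip : per-IP counters; probes_2xx counts probes the server answered with 2xx.
    """
    hits = []
    by_ip = defaultdict(lambda: {"requests": 0, "probes": 0, "probes_2xx": 0, "categories": set()})
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        stats = by_ip[event["ip"]]
        stats["requests"] += 1
        category = classify_path(event["uri"])
        if category is None:
            continue
        stats["probes"] += 1
        stats["categories"].add(category)
        if 200 <= event["status"] < 300:
            stats["probes_2xx"] += 1
        hits.append({"ip": event["ip"], "uri": event["uri"], "status": event["status"], "category": category})
    return hits, dict(by_ip)


def needs_escalation(by_ip):
    """IPs whose probes got a 2xx: a 404 proves nothing was there; a 200 on /.git/* or /.env* means content was served."""
    return sorted(ip for ip, stats in by_ip.items() if stats["probes_2xx"] > 0)


def _caddy_line(ip, uri, status):
    """Build a constructed Caddy-style JSON access-log line with a minimal field set."""
    return json.dumps({
        "level": "info", "logger": "http.log.access", "msg": "handled request",
        "request": {"remote_ip": ip, "client_ip": ip, "method": "GET", "host": "arc-codex.com", "uri": uri},
        "status": status,
    })


# Constructed sample: the digest's five listed probes (404 assumed for illustration),
# one ordinary crawler request, one invented 200 on /.env from 192.0.2.10, and one junk line.
SAMPLE_LOG = [
    _caddy_line("35.239.90.70", "/xmlrpc.php?rsd", 404),
    _caddy_line("104.23.221.162", "/wp-admin/install.php?step=1", 404),
    _caddy_line("104.23.221.162", "/wp-admin/install.php?step=1", 404),
    _caddy_line("5.255.104.83", "/.git/config", 404),
    _caddy_line("5.255.104.83", "/.env.bak", 404),
    _caddy_line("74.7.241.22", "/articles/2026-05-25", 200),
    _caddy_line("192.0.2.10", "/.env", 200),
    "not a json line",
]

if __name__ == "__main__":
    hits, by_ip = triage(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["ip"]:16} {hit["status"]} {hit["category"]:18} {hit["uri"]}')
    print("escalate:", needs_escalation(by_ip))
```

Run it against the real access log by replacing SAMPLE_LOG with the file's lines; needs_escalation is the list that should page someone, and by_ip lets the probing addresses be compared across consecutive digest windows.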
Total requests: 6119
Unique IPs: 690
Likely-human sessions: 1
Engaged sessions: 0
Bot/crawler sessions: 986
Datacenter %: 0.1
Top referrers: m.facebook.com (4), facebook.com (1)
Top IPs: 74.7.241.22 (411); 216.73.216.51 (246); 57.141.16.34 (145)
Status breakdown: HTTP 200: 6029, HTTP 206: 1, HTTP 308: 43, HTTP 404: 38, HTTP 502: 8
Exploit attempts: 35.239.90.70 → /xmlrpc.php?rsd; 104.23.221.162 → /wp-admin/install.php?step=1; 104.23.221.162 → /wp-admin/install.php?step=1; 5.255.104.83 → /.git/config; 5.255.104.83 → /.env.bak