
[CRITICAL] Caddy exploit attempts detected, 2026-05-25 10:00–12:35 MDT (mid-window alert)


OpenAI and Anthropic bots dominated traffic with 565 and 502 requests, respectively, while 1,174 bot/crawler sessions accounted for most activity. A scanner probed for WordPress vulnerabilities nine times via `/wp-admin/install.php` from five distinct IPs, including 104.23.223.75 and 172.64.192.148. Only one human session engaged with content, while 563 unique IPs generated 6,347 total requests. HTTP 200 responses covered 96.5% of traffic, with negligible errors (105 404s, 2 500s) and no datacenter activity. The window reflected routine bot-heavy traffic with minor exploit attempts and minimal human interaction.
Caddy audience digest for arc-codex.com, 2026-05-25 10:00 – 12:35 MDT.

TRAFFIC OVERVIEW
Total external requests: 6347 from 563 unique IPs over 4 hours.
Operator activity: 3 requests from 1 operator IP(s) (38.175.170.87).
Datacenter origin: 0.1% of external requests.

AUDIENCE ESTIMATE
Likely-human sessions: 1 (heuristic: real browser UA, non-datacenter IP, has referrer or direct content visit).
Engaged sessions: 1 (loaded ≥1 article page, session duration ≥30s).
Bot/crawler sessions: 1174.

TOP REFERRERS
m.facebook.com (3), facebook.com (1), go.bsky.app (1).

TOP IPs BY VOLUME
74.7.241.22 (565 req); 216.73.216.51 (502 req); 216.244.66.198 (172 req).

STATUS BREAKDOWN
HTTP 0: 38, HTTP 200: 6125, HTTP 304: 9, HTTP 308: 68, HTTP 404: 105, HTTP 500: 2.

EXPLOIT ATTEMPTS DETECTED (9 requests)
Patterns:
104.23.223.75 → /wp-admin/install.php?step=1
104.23.223.74 → /wp-admin/install.php?step=1
172.64.192.148 → /wp-admin/install.php?step=1
172.64.192.148 → /wp-admin/install.php?step=1
172.70.251.49 → /wp-admin/install.php?step=1
Your site received 6,347 external requests over a 4-hour window, with 563 unique IPs. Traffic was dominated by bot/crawler activity (1,174 sessions), while likely-human engagement was minimal (1 session). Operator activity was negligible (3 requests). The top referrers were Meta platforms and Bluesky, suggesting minor social media traffic. Exploit attempts (9 requests) targeted WordPress installation paths, but no successful breaches were indicated. HTTP 200 responses accounted for 96.5% of traffic, with a small fraction of errors (404s, 500s). Datacenter traffic was negligible (0.1%). This aligns with typical low-engagement, high-bot traffic for a static or lightly used site.
Time window: 2026-05-25 10:00–12:35 MDT. Total external requests: 6,347 from 563 unique IPs. Operator activity: 3 requests from IP 38.175.170.87. Datacenter traffic: 0.1% of requests. Likely-human sessions: 1 (browser UA, non-datacenter IP, referrer/direct visit). Engaged sessions: 1 (≥1 article page, ≥30s duration). Bot/crawler sessions: 1,174. Top referrers: m.facebook.com (3), facebook.com (1), go.bsky.app (1). Top IPs by volume: 74.7.241.22 (565), 216.73.216.51 (502), 216.244.66.198 (172). HTTP status codes: 0 (38), 200 (6,125), 304 (9), 308 (68), 404 (105), 500 (2). Exploit attempts: 9 requests targeting `/wp-admin/install.php?step=1` from IPs 104.23.223.75, 104.23.223.74, 172.64.192.148, 172.70.251.49.
This traffic pattern is consistent with a low-engagement site: high bot volume, minimal human interaction, and negligible datacenter presence. The exploit attempts are routine WordPress probing, likely automated, with no evidence of success. The top IPs by volume (74.7.241.22, 216.73.216.51) may be crawlers or misconfigured clients; their high request counts without errors suggest benign activity. The 500 errors (2 instances) are negligible but worth monitoring if they recur. No adversarial fingerprint stands out—this is background internet noise. Bandwidth and compute load appear normal, with caching likely handling the bulk of requests (HTTP 304/308 responses). For the next window, track recurrence of the exploit-attempt IPs and monitor the 500 errors. If human engagement remains near zero, consider whether bot traffic warrants mitigation.

This report leans heavily on the "likely-human sessions: 1" heuristic, but with 6347 requests from 563 IPs and only 105 404s, the traffic pattern suggests a botnet probing for vulnerabilities—not organic engagement. Why assume a single human session when the exploit attempts (all targeting `/wp-admin/install.php`) account for 9 requests from 5 distinct IPs, indicating coordinated scanning rather than accidental misconfigurations? Could this be a low-and-slow attack masked as "bot/crawler" noise?
Total requests: 6347
Unique IPs: 563
Likely human sessions: 1
Engaged sessions: 1
Bot/crawler sessions: 1174
Datacenter %: 0.1
Top referrers: m.facebook.com (3), facebook.com (1), go.bsky.app (1)
Top IPs: 74.7.241.22 (565); 216.73.216.51 (502); 216.244.66.198 (172)
Status breakdown: HTTP 0: 38, HTTP 200: 6125, HTTP 304: 9, HTTP 308: 68, HTTP 404: 105, HTTP 500: 2
Exploit attempts: 104.23.223.75 → /wp-admin/install.php?step=1; 104.23.223.74 → /wp-admin/install.php?step=1; 172.64.192.148 → /wp-admin/install.php?step=1; 172.64.192.148 → /wp-admin/install.php?step=1; 172.70.251.49 → /wp-admin/install.php?step=1