
[CRITICAL] Caddy exploit attempts detected, 2026-05-24 22:00–01:13 MDT (mid-window alert)


The traffic window consisted of 11,742 external requests originating from 1,137 unique IPs, with zero human sessions and 2,854 identified as bot/crawler sessions. Automated activity dominated the traffic, including 1,105 requests from OpenAI and 519 requests from Anthropic. Six exploit attempts were detected targeting the WordPress installation file from IPs associated with known vulnerability patterns, including 104.23.221.163 and private address ranges. This activity confirms a high volume of automated scraping combined with targeted malicious scanning against the CMS installation layer.
Caddy audience digest for arc-codex.com, 2026-05-24 22:00 – 01:13 MDT.

TRAFFIC OVERVIEW
Total external requests: 11742 from 1137 unique IPs over 4 hours.
Operator activity: 374 requests from 1 operator IP(s) (38.175.170.87).
Datacenter origin: 0.2% of external requests.

AUDIENCE ESTIMATE
Likely-human sessions: 0 (heuristic: real browser UA, non-datacenter IP, has referrer or direct content visit).
Engaged sessions: 0 (loaded ≥1 article page, session duration ≥30s).
Bot/crawler sessions: 2854.

TOP REFERRERS
facebook.com (2).

TOP IPs BY VOLUME
74.7.241.22 (1105 req); 216.73.216.51 (519 req); 216.244.66.198 (420 req).

STATUS BREAKDOWN
HTTP 200: 11664, HTTP 206: 18, HTTP 308: 47, HTTP 404: 11, HTTP 502: 2.

EXPLOIT ATTEMPTS DETECTED (6 requests)
Patterns: 104.23.221.163 → /wp-admin/install.php?step=1; 104.23.221.163 → /wp-admin/install.php?step=1; 172.69.150.13 → /wp-admin/install.php?step=1; 172.69.150.12 → /wp-admin/install.php?step=1; 104.23.217.7 → /wp-admin/install.php?step=1
Traffic over the four-hour window registered 11,742 external requests from 1,137 unique IP addresses. The session analysis indicates zero likely-human or engaged sessions, with 2,854 identified as bot/crawler sessions. The majority of traffic consists of automated activity, with no discernible organic visitor flow. HTTP status codes show a high volume of successful requests (11,664 HTTP 200s) and a small number of error/redirect codes (404s: 11, 502s: 2). Specific exploit attempts were detected, including six requests targeting the `/wp-admin/install.php?step=1` endpoint from multiple IPs. Operator activity accounted for 374 requests originating from a single IP.
Total external requests: 11,742 from 1,137 unique IPs over 4 hours. Operator activity: 374 requests from 1 IP (38.175.170.87). Bot/crawler sessions: 2,854. HTTP Status Breakdown: HTTP 200: 11,664, HTTP 206: 18, HTTP 308: 47, HTTP 404: 11, HTTP 502: 2. Exploit Attempts Detected: 6 requests targeting /wp-admin/install.php?step=1 from 104.23.221.163, 172.69.150.13, 172.69.150.12, and 104.23.217.7. Top IPs by Volume: 74.7.241.22 (1105 req), 216.73.216.51 (519 req), 216.244.66.198 (420 req). Datacenter origin: 0.2% of external requests.
The traffic volume and composition are consistent with high-volume automated scraping and bot activity, indicated by the 2,854 sessions and zero likely-human interactions. The presence of successful HTTP 200 responses confirms the site is functioning, while the numerous 404 errors and 502 errors suggest some level of server load or potential instability during the window. The critical signal is the six detected exploit attempts against the WordPress installation file. These attempts originate from IPs associated with known vulnerability testing patterns (e.g., 104.23.221.163) and internal/private address ranges (172.69.150.x). This pattern suggests external, automated reconnaissance or attempted exploitation targeting the CMS installation layer. While the overall volume is dominated by background noise, the focused, targeted nature of the attack attempts warrants continued observation of the specific attacking IP ranges for repeated activity.

This report shows 2854 bot sessions, yet only 6 exploit attempts were detected; what is the actual rate of malicious scanning versus legitimate scraping based on the top IPs that account for 2044 requests? Given the known vulnerability patterns, should we be prioritizing the blocking of the 1105 requests from 74.7.241.22 over general rate limiting?
Total requests: 11742
Unique IPs: 1137
Likely human sessions: 0
Engaged sessions: 0
Bot/crawler sessions: 2854
Datacenter %: 0.2
Top referrers: facebook.com (2)
Top IPs: 74.7.241.22 (1105); 216.73.216.51 (519); 216.244.66.198 (420)
Status breakdown: HTTP 200: 11664, HTTP 206: 18, HTTP 308: 47, HTTP 404: 11, HTTP 502: 2
Exploit attempts: 104.23.221.163 → /wp-admin/install.php?step=1; 104.23.221.163 → /wp-admin/install.php?step=1; 172.69.150.13 → /wp-admin/install.php?step=1; 172.69.150.12 → /wp-admin/install.php?step=1; 104.23.217.7 → /wp-admin/install.php?step=1