
[CRITICAL] Caddy exploit attempts detected, 2026-05-24 18:00–21:47 MDT (mid-window alert)


The traffic window totaled 13,219 external requests from 1,239 unique IPs, comprising 3,660 bot/crawler sessions and 5 human sessions. The bulk of the volume was automated: the top sources were the OpenAI (GPTBot) IP (1302 requests) and the Anthropic (ClaudeBot) IP (1214 requests). Eight exploit attempts were detected against the `/wp-admin/install.php?step=1` endpoint, originating from multiple external and private IP addresses, including 162.158.182.93 and several 172.x.x.x addresses. These eight vulnerability probes are the primary security concern and require immediate investigation, regardless of the overall bot traffic volume.
Caddy audience digest for arc-codex.com, 2026-05-24 18:00 – 21:47 MDT.

TRAFFIC OVERVIEW

* Total external requests: 13219 from 1239 unique IPs over 4 hours.
* Operator activity: 968 requests from 1 operator IP(s) (38.175.170.87).
* Datacenter origin: 0.2% of external requests.

AUDIENCE ESTIMATE

* Likely-human sessions: 5 (heuristic: real browser UA, non-datacenter IP, has referrer or direct content visit).
* Engaged sessions: 5 (loaded ≥1 article page, session duration ≥30s).
* Bot/crawler sessions: 3660.

TOP REFERRERS

* m.facebook.com (4), facebook.com (2), l.facebook.com (1).

TOP IPs BY VOLUME

* 74.7.241.22 (1302 req); 216.73.216.51 (1214 req); 216.244.66.198 (433 req).

STATUS BREAKDOWN

* HTTP 200: 13128, HTTP 206: 1, HTTP 308: 81, HTTP 404: 9.

EXPLOIT ATTEMPTS DETECTED (8 requests)

Patterns:

* 162.158.182.93 → /wp-admin/install.php?step=1
* 162.158.182.93 → /wp-admin/install.php?step=1
* 172.68.10.86 → /wp-admin/install.php?step=1
* 172.68.10.87 → /wp-admin/install.php?step=1
* 172.71.184.240 → /wp-admin/install.php?step=1
The traffic period spanned 4 hours, totaling 13,219 external requests from 1,239 unique IP addresses to arc-codex.com. The vast majority of traffic consisted of automated bot/crawler sessions (3,660). A small segment was identified as likely-human sessions (5) and engaged sessions (5). HTTP status codes show that nearly all requests succeeded (13,128 HTTP 200 responses). A subset of 8 requests was identified attempting to access `/wp-admin/install.php?step=1`, originating from several specific IP addresses. Operator activity accounted for 968 requests from a single IP.
* Total external requests: 13,219 from 1,239 unique IPs over 4 hours.
* Operator activity: 968 requests from IP 38.175.170.87.
* Traffic breakdown: HTTP 200 (13,128), HTTP 206 (1), HTTP 308 (81), HTTP 404 (9).
* Audience estimate: 5 likely-human sessions; 5 engaged sessions; 3,660 bot/crawler sessions.
* Identified exploit attempts: 8 requests targeting `/wp-admin/install.php?step=1`.
* Exploit IPs: 162.158.182.93; 172.68.10.86; 172.68.10.87; 172.71.184.240.
* Top IPs by volume: 74.7.241.22 (1302 req); 216.73.216.51 (1214 req); 216.244.66.198 (433 req).
The traffic profile is heavily skewed toward automated activity (3,660 bot sessions vs. 10 human sessions), which is typical for content sites with high indexing potential. Outside of the targeted exploit attempts, the overall volume and composition show no anomalous behavior. The eight detected exploit attempts, all targeting the WordPress installation script, originate from a mix of external and private IP ranges (e.g., 162.158.182.93 and various 172.x.x.x addresses). While these attempts represent targeted scanning or vulnerability probing, the IPs involved require immediate investigation to determine whether they are known threat actors or internal/misconfigured hosts. The observed IP volume and traffic distribution, particularly the top request sources, align with large-scale scraping or botnet distribution rather than a sustained attack campaign. The operational signal is the specific vulnerability probes, not the bulk traffic volume. The next required action is verifying the security posture associated with the source IPs that attempted to access the installation script.

This report shows 13219 external requests, yet 3660 of those are categorized as bot/crawler sessions, significantly skewing the traffic view. Given the 8 explicit exploit attempts targeting `/wp-admin/install.php` from various IPs, should we be prioritizing the investigation of these specific attempts rather than the overall traffic volume? How does the bulk bot activity factor into the risk assessment of those specific vulnerability scans?
| Metric | Value |
|---|---|
| Total requests | 13219 |
| Unique IPs | 1239 |
| Likely human sessions | 5 |
| Engaged sessions | 5 |
| Bot/crawler sessions | 3660 |
| Datacenter % | 0.2 |
| Top referrers | m.facebook.com (4), facebook.com (2), l.facebook.com (1) |
| Top IPs | 74.7.241.22 (1302); 216.73.216.51 (1214); 216.244.66.198 (433) |
| Status breakdown | HTTP 200: 13128, HTTP 206: 1, HTTP 308: 81, HTTP 404: 9 |
| Exploit attempts | 162.158.182.93 → /wp-admin/install.php?step=1; 162.158.182.93 → /wp-admin/install.php?step=1; 172.68.10.86 → /wp-admin/install.php?step=1; 172.68.10.87 → /wp-admin/install.php?step=1; 172.71.184.240 → /wp-admin/install.php?step=1 |