[CRITICAL] Caddy exploit attempts detected, 2026-05-25 06:00–09:11 MDT (mid-window alert)

In a 3-hour window, arc-codex.com received 12,040 requests from 776 unique IPs, dominated by OpenAI (1,041 requests) and Anthropic (694 requests), with 1,596 bot/crawler sessions and only 3 human visits (2 engaged). A scanner probed for WordPress vulnerabilities (20 exploit hits) via paths like `/xmlrpc.php?rsd` and `/wp-admin/install.php`, while another targeted `.git/config` and `.env.bak`. The top three IPs accounted for 1,737 requests (~14% of traffic), with no single source exceeding 9%. HTTP 200 responses (11,866) dominated, with negligible errors (59 404s, 8 502s). The pattern reflects routine bot-heavy background traffic with no successful breaches or targeted attacks.
Caddy audience digest for arc-codex.com, 2026-05-25 06:00 – 09:11 MDT.

TRAFFIC OVERVIEW
Total external requests: 12040 from 776 unique IPs over 4 hours.
Operator activity: 215 requests from 1 operator IP(s) (38.175.170.87).
Datacenter origin: 0.1% of external requests.

AUDIENCE ESTIMATE
Likely-human sessions: 3 (heuristic: real browser UA, non-datacenter IP, has referrer or direct content visit).
Engaged sessions: 2 (loaded ≥1 article page, session duration ≥30s).
Bot/crawler sessions: 1596.

TOP REFERRERS
m.facebook.com (8), facebook.com (2).

TOP IPs BY VOLUME
74.7.241.22 (1041 req); 216.73.216.51 (694 req); 216.244.66.198 (296 req).

STATUS BREAKDOWN
HTTP 200: 11866, HTTP 206: 2, HTTP 308: 105, HTTP 404: 59, HTTP 502: 8.

EXPLOIT ATTEMPTS DETECTED (22 requests)
Patterns: 35.239.90.70 → /xmlrpc.php?rsd; 104.23.221.162 → /wp-admin/install.php?step=1; 104.23.221.162 → /wp-admin/install.php?step=1; 5.255.104.83 → /.git/config; 5.255.104.83 → /.env.bak
Over a 3-hour window, arc-codex.com received 12,040 external requests from 776 unique IPs, with 99.9% originating from non-datacenter sources. Traffic was dominated by bot/crawler activity (1,596 sessions), while likely-human sessions were minimal (3 total, 2 engaged). Operator activity accounted for 215 requests from a single IP. The top three IPs contributed 1,731 requests (~14% of total), with no single source exceeding 9% of traffic. HTTP 200 responses dominated (98.6%), with negligible errors (59 404s, 8 502s). Exploit attempts (22 requests) targeted common CMS vulnerabilities (WordPress, .git, .env), but no successful breaches were indicated. Referral traffic was negligible (10 total from Facebook). The pattern aligns with typical low-traffic, bot-heavy internet background noise, with no evidence of targeted attacks or operational anomalies.
Time window: 2026-05-25 06:00–09:11 MDT (3 hours, 11 minutes). Total external requests: 12,040 from 776 unique IPs. Operator activity: 215 requests from 1 IP (38.175.170.87). Datacenter traffic: 0.1% of external requests. Likely-human sessions: 3 (real browser UA, non-datacenter IP, referrer/direct visit). Engaged sessions: 2 (≥1 article page, ≥30s duration). Bot/crawler sessions: 1,596. Top referrers: m.facebook.com (8), facebook.com (2). Top IPs by volume: 74.7.241.22 (1,041 req), 216.73.216.51 (694 req), 216.244.66.198 (296 req). HTTP status codes: 200 (11,866), 206 (2), 308 (105), 404 (59), 502 (8). Exploit attempts: 22 requests from 4 IPs (35.239.90.70, 104.23.221.162, 5.255.104.83). Exploit patterns: /xmlrpc.php?rsd, /wp-admin/install.php, /.git/config, /.env.bak.
Operational baseline: Traffic composition is consistent with internet background radiation—high bot volume, minimal human engagement, and negligible errors. The 22 exploit attempts are routine probing (WordPress, .git, .env), not targeted. No evidence of follow-up activity or successful exploitation.

Signal extraction: The only subset worth attention is the exploit attempts, but they match generic, automated scanning. The top IPs (74.7.241.22, etc.) show no adversarial patterns—likely crawlers or misconfigured clients.

Adversarial lens: If staging occurred, we’d expect clustered IPs, repeated paths, or timing patterns. Here, exploit attempts are scattered (4 IPs, 5 paths) with no persistence. No alignment with adversarial fingerprint.

Resource implications: No bandwidth or compute strain indicated. The 502 errors (8 total) suggest transient upstream issues, but too sparse to warrant action.

Watch list for next window: Monitor repeat exploit attempts from the same IPs (35.239.90.70, 104.23.221.162, 5.255.104.83) and track 502 error rates. If either increases, investigate further.

This report leans heavily on the "likely-human sessions" heuristic (3 sessions) while dismissing 1596 bot/crawler sessions as noise—yet the top IPs by volume (74.7.241.22, 216.73.216.51) account for 1,737 requests alone, with no analysis of their behavior. If those IPs are scrapers or misclassified bots, the "engaged sessions" metric (2) might be artificially depressed. Why aren’t we correlating IP behavior patterns with the 502 errors or exploit attempts to refine the human vs. bot distinction?
Total requests: 12040
Unique IPs: 776
Likely human sessions: 3
Engaged sessions: 2
Bot/crawler sessions: 1596
Datacenter %: 0.1
Top referrers: m.facebook.com (8), facebook.com (2)
Top IPs: 74.7.241.22 (1041); 216.73.216.51 (694); 216.244.66.198 (296)
Status breakdown: HTTP 200: 11866, HTTP 206: 2, HTTP 308: 105, HTTP 404: 59, HTTP 502: 8
Exploit attempts: 35.239.90.70 → /xmlrpc.php?rsd; 104.23.221.162 → /wp-admin/install.php?step=1; 104.23.221.162 → /wp-admin/install.php?step=1; 5.255.104.83 → /.git/config; 5.255.104.83 → /.env.bak