
[CRITICAL] Caddy exploit attempts detected, 2026-05-25 06:00–08:26 MDT (mid-window alert)
"A high volume of automated crawling (1298 sessions) dominated this traffic window, primarily driven by scanning from known entities like OpenAI and Anthropic. However, 18 exploit attempts were detected, with a scanner probing for WordPress vulnerabilities using specific patterns on three IP addresses. Two human sessions occurred, with one engaged with content. The background traffic was primarily social media referrals."
Caddy audience digest for arc-codex.com, 2026-05-25 06:00 – 08:26 MDT.

TRAFFIC OVERVIEW
Total external requests: 9058 from 738 unique IPs over 4 hours.
Operator activity: 141 requests from 1 operator IP(s) (38.175.170.87).
Datacenter origin: 0.1% of external requests.

AUDIENCE ESTIMATE
Likely-human sessions: 2 (heuristic: real browser UA, non-datacenter IP, has referrer or direct content visit).
Engaged sessions: 1 (loaded ≥1 article page, session duration ≥30s).
Bot/crawler sessions: 1298.

TOP REFERRERS
m.facebook.com (4), facebook.com (2).

TOP IPs BY VOLUME
74.7.241.22 (783 req); 216.73.216.51 (505 req); 216.244.66.198 (229 req).

STATUS BREAKDOWN
HTTP 200: 8923, HTTP 206: 1, HTTP 308: 69, HTTP 404: 57, HTTP 502: 8.

EXPLOIT ATTEMPTS DETECTED (18 requests)
Patterns: 35.239.90.70 → /xmlrpc.php?rsd; 104.23.221.162 → /wp-admin/install.php?step=1; 104.23.221.162 → /wp-admin/install.php?step=1; 5.255.104.83 → /.git/config; 5.255.104.83 → /.env.bak
Total external requests were 9058 over four hours, originating from 738 unique IP addresses. The traffic composition is heavily skewed toward automated activity: 1298 sessions were identified as bot/crawler sessions, against only 2 likely-human sessions. HTTP status codes show a high volume of successful requests (8923 HTTP 200 responses) but also notable errors, including 57 HTTP 404s and 8 HTTP 502 errors. The only referrers recorded are Facebook domains. Internal system activity is minimal, with 141 requests originating from a single operator IP address.
* Total external requests: 9058 from 738 unique IPs over 4 hours.
* Operator activity: 141 requests from 1 operator IP (38.175.170.87).
* Traffic breakdown: 1298 bot/crawler sessions, 2 likely-human sessions, 1 engaged session.
* HTTP status codes: HTTP 200 (8923), HTTP 206 (1), HTTP 308 (69), HTTP 404 (57), HTTP 502 (8).
* Exploit attempts detected: 18 requests matching specific patterns.
* Exploit sources and paths:
  * 35.239.90.70 → /xmlrpc.php?rsd (1 instance)
  * 104.23.221.162 → /wp-admin/install.php?step=1 (2 instances)
  * 5.255.104.83 → /.git/config (1 instance)
  * 5.255.104.83 → /.env.bak (1 instance)
* Top IPs by volume: 74.7.241.22 (783 req), 216.73.216.51 (505 req), 216.244.66.198 (229 req).
The observed traffic profile is dominated by high-volume automated crawling (1298 sessions), which points to generalized scanning or indexing rather than targeted malicious activity. Against that background, 18 requests matched specific exploit patterns that are highly indicative of targeted attempts against common application vulnerabilities: WordPress endpoints (`/xmlrpc.php?rsd`, `/wp-admin/install.php?step=1`) and exposed configuration files (`/.git/config`, `/.env.bak`). These requests originate from three distinct IP addresses. The primary signal is the simultaneous occurrence of high-volume scanning and low-volume, specific penetration attempts. The recorded referrers are social media domains, which is a plausible context for part of the bot volume. The presence of specific, repeated exploit attempts warrants immediate investigation of the three offending source IPs (18 requests between them), since these are concrete probes of the application layer and stand apart from the general background noise.

This report shows 18 exploit attempts detected, yet the overall traffic is dominated by 1298 bot sessions and only 2 likely-human sessions. Given the high volume of automated traffic, how do we differentiate between legitimate reconnaissance, resource exhaustion attempts, and actual exploitation within this request set?
| Metric | Value |
| --- | --- |
| Total requests | 9058 |
| Unique IPs | 738 |
| Likely human sessions | 2 |
| Engaged sessions | 1 |
| Bot/crawler sessions | 1298 |
| Datacenter % | 0.1 |
| Top referrers | m.facebook.com (4), facebook.com (2) |
| Top IPs | 74.7.241.22 (783); 216.73.216.51 (505); 216.244.66.198 (229) |
| Status breakdown | HTTP 200: 8923, HTTP 206: 1, HTTP 308: 69, HTTP 404: 57, HTTP 502: 8 |
| Exploit attempts | 35.239.90.70 → /xmlrpc.php?rsd; 104.23.221.162 → /wp-admin/install.php?step=1; 104.23.221.162 → /wp-admin/install.php?step=1; 5.255.104.83 → /.git/config; 5.255.104.83 → /.env.bak |