Blue Team — Operational Summary
Traffic over the four-hour window consisted of 3351 external requests originating from 579 unique IPs. The vast majority of traffic is attributed to bot or crawler sessions, totaling 708. Only one likely-human session was detected, and zero engaged sessions. The HTTP status code breakdown shows a high volume of successful requests (3307 HTTP 200 responses) compared to error codes (8 HTTP 502, 2 HTTP 404). Three specific exploit attempts were detected, each targeting administrative interfaces via known request patterns. The operator generated 71 requests from a single IP address.
Red Team — Facts Only
* Time window: 2026-05-25 06:00 – 06:56 MDT.
* Total external requests: 3351 from 579 unique IPs.
* Operator activity: 71 requests from IP 38.175.170.87.
* Datacenter origin: 0.1% of external requests.
* Session breakdown: 1 likely-human, 0 engaged, 708 bot/crawler.
* HTTP Status Codes: HTTP 200 (3307), HTTP 308 (34), HTTP 404 (2), HTTP 502 (8).
* Top IPs by volume: 74.7.241.22 (268 req), 216.73.216.51 (184 req), 216.244.66.198 (83 req).
* Exploit attempts detected: 3 requests.
* Exploit patterns: 35.239.90.70 directed to /xmlrpc.php?rsd.
* Exploit patterns: 104.23.221.162 directed to /wp-admin/install.php?step=1 (two instances).
Purple Team — Pattern Analysis
The majority of traffic is characterized by high-volume automated activity (708 bot sessions), which accounts for the overall traffic profile. The focus should shift to the three detected exploit attempts, which represent a targeted adversarial signal. Specifically, the attempts targeted common WordPress vulnerability vectors: two requests from one source IP (104.23.221.162) against the installation script (/wp-admin/install.php) and one request from a second IP (35.239.90.70) against the XML-RPC endpoint (/xmlrpc.php). While the traffic volume and the number of successful HTTP 200 responses are high, the pattern of these targeted requests against known sensitive paths indicates probing activity aimed at exploitation. The presence of high-volume anonymous requests, coupled with these specific exploit attempts, suggests the infrastructure is being actively scanned for vulnerabilities and targeted for compromise, rather than simply consuming bandwidth. The current lack of engaged sessions and human traffic is expected given the high bot volume, but the specific exploit attempts are the actionable signal requiring immediate correlation with WAF or intrusion detection logs.
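The correlation step above can be scripted. The following Python snippet is an added example, not part of the report or its tooling: it parses combined-format access log lines, flags requests to the two sensitive WordPress paths named in the Red Team facts, and tallies flagged requests per source IP so the result can be matched against WAF or IDS events. The log lines embedded in the script are constructed for the example (the IPs and paths mirror the report, but the timestamps, user agents, sizes and status codes are made up), and the rule names `wp-xmlrpc` and `wp-install` are assumptions chosen here.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines in Apache/Nginx combined log format. The source IPs
# and paths follow the report; timestamps, user agents, sizes and status codes
# are invented for this example.
SAMPLE_LOG = """\
35.239.90.70 - - [25/May/2026:06:12:41 -0600] "GET /xmlrpc.php?rsd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
104.23.221.162 - - [25/May/2026:06:20:03 -0600] "GET /wp-admin/install.php?step=1 HTTP/1.1" 404 1024 "-" "python-requests/2.31"
74.7.241.22 - - [25/May/2026:06:21:17 -0600] "GET /index.html HTTP/1.1" 200 2048 "-" "Googlebot/2.1"
104.23.221.162 - - [25/May/2026:06:33:55 -0600] "GET /wp-admin/install.php?step=1 HTTP/1.1" 404 1024 "-" "python-requests/2.31"
216.73.216.51 - - [25/May/2026:06:40:09 -0600] "GET /robots.txt HTTP/1.1" 200 120 "-" "bingbot/2.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Sensitive paths taken from the report's two exploit patterns. Rule names are
# assumptions made for this example. Matching is anchored at the path start and
# allows either an exact path or a query string after it.
SENSITIVE_PATHS = {
    "wp-xmlrpc": re.compile(r"^/xmlrpc\.php(\?|$)"),
    "wp-install": re.compile(r"^/wp-admin/install\.php(\?|$)"),
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(target: str) -> Optional[str]:
    """Return the name of the first sensitive-path rule the request target matches, else None."""
    for rule, pattern in SENSITIVE_PATHS.items():
        if pattern.search(target):
            return rule
    return None


def analyze(log_text: str) -> Dict[str, object]:
    """Scan log text; return flagged requests, a per-IP count of flags and the number of unparsed lines."""
    alerts: List[Dict[str, str]] = []
    per_ip: Counter = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            # Keep a count so a format mismatch is visible rather than silently ignored.
            unparsed += 1
            continue
        rule = classify(rec["target"])
        if rule is None:
            continue
        alerts.append({
            "ts": rec["ts"],
            "ip": rec["ip"],
            "rule": rule,
            "target": rec["target"],
            "status": rec["status"],  # whether the probe reached a live handler
        })
        per_ip[rec["ip"]] += 1
    return {"alerts": alerts, "per_ip": per_ip, "unparsed": unparsed}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for a in result["alerts"]:
        print(f'{a["ts"]} {a["ip"]} {a["rule"]} {a["target"]} -> HTTP {a["status"]}')
    for ip, n in result["per_ip"].most_common():
        print(f"{ip}: {n} flagged request(s)")
    print(f'unparsed lines: {result["unparsed"]}')
```

The per-IP tally is the hand-off point for correlation: each flagged source IP and timestamp can be looked up in the WAF or IDS log for the same window, and the recorded status code shows whether the probe was answered by a real handler or rejected, which is the first thing to check before escalating.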