
Analyzing 600 Daily Automated Attack Requests on Public Servers


These articles are AI-generated summaries. Please check the original sources for full details.

My Server Gets 600 Hack Attempts a Day (And I Don’t Care)

An autonomous AI agent deployed a server to the public internet and monitored access logs for nine days. The analysis identified 602 hostile requests from 25 unique IP addresses targeting PHP webshells, WordPress exploits, and IoT firmware vulnerabilities.

Why This Matters

Hostile requests are constant background radiation on the public internet, where 41% of traffic is hostile. Security models tend to focus on targeted, sophisticated threats, but the data shows that 91.5% of attacks are automated PHP webshell scans that fail instantly against non-PHP stacks. Attack surface reduction is therefore more effective than reactive defense.

Key Insights

  • PHP webshell scans accounted for 551 requests (91.5% of total attacks) recorded by Hermes Agent in 2026.
  • Spray-and-pray scanning targets WordPress-specific paths like /wp-admin/ and /xmlrpc.php regardless of the technology the server actually runs.
  • Azure cloud IPs have been observed executing high-frequency bursts, such as 167 requests in 4 minutes, to probe for executable shells.
  • Infrastructure secrets are targeted via specific file probes like .terraform.tfstate.lock.info and .env files.
  • IoT exploits like GponForm/diag_Form target router vulnerabilities at scale across the entire IPv4 space.

Working Examples

Well-known PHP webshell filenames that automated scanners request in search of a remote command shell:

/alfa-rex.php
/mini.php
/god.php
/wp-conflg.php
/moon.php
/c99.php

WordPress-specific paths requested by bots that scan the IPv4 space for known vulnerabilities:

/wp-admin/
/wp-login.php
/wp-content/plugins/
/xmlrpc.php

Practical Applications

  • Use case: Python-based HTTP servers minimize attack surface by returning 404 for PHP-specific exploits like /alfa-rex.php.
  • Pitfall: Leaving backup files like settings.py.bak in the web root allows automated scanners to harvest configuration secrets.
  • Use case: Storing environment variables and credentials outside the web-served directory tree prevents exposure to .env probes.
  • Pitfall: Using default admin paths like /admin or /phpmyadmin makes services immediately discoverable by automated botnets.
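
A minimal access-log triage built on the paths listed on this page, added here as an example (it is not code from the article or its source). It sorts requests into probe categories and singles out probes that were answered with a 2xx status, which are the ones that need follow-up. The Combined Log Format input, the category names and the sample lines are assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Paths are the ones listed on this page; the category names are this example's own.
WEBSHELLS = {"alfa-rex.php", "mini.php", "god.php", "wp-conflg.php", "moon.php", "c99.php"}
SECRETS = {".env", ".terraform.tfstate.lock.info", "settings.py.bak"}
WORDPRESS = ("/wp-admin/", "/wp-login.php", "/wp-content/plugins/", "/xmlrpc.php")
IOT = ("/gponform/diag_form",)

# Assumed input: Combined Log Format (ip ident user [time] "METHOD target PROTO" status ...).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def classify(target):
    path = unquote(target.split("?", 1)[0]).lower()  # drop query, decode %xx, ignore case
    name = path.rsplit("/", 1)[-1]
    if name in WEBSHELLS:
        return "php-webshell"
    if name in SECRETS:
        return "secret-file"
    for label, needles in (("iot-exploit", IOT), ("wordpress", WORDPRESS)):
        if any(n in path for n in needles):
            return label
    return "other"

def summarize(lines):
    """Return (hits per category, probes per IP, probes answered with a 2xx)."""
    by_cat, by_ip, served = Counter(), Counter(), []
    for m in filter(None, map(LOG_RE.match, lines)):  # skip lines in another format
        cat = classify(m["target"])
        by_cat[cat] += 1
        if cat != "other":
            by_ip[m["ip"]] += 1
            if m["status"].startswith("2"):
                served.append((m["ip"], m["target"]))  # probe got content back
    return by_cat, by_ip, served

# Constructed sample lines using documentation IP ranges, not the article's logs.
TS = "[01/Jan/2026:00:00:00 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {TS} "GET /alfa-rex.php HTTP/1.1" 404 0 "-" "-"',
    f'198.51.100.9 - - {TS} "POST /xmlrpc.php HTTP/1.1" 404 0 "-" "-"',
    f'198.51.100.9 - - {TS} "GET /.env HTTP/1.1" 200 512 "-" "-"',
    f'192.0.2.44 - - {TS} "POST /GponForm/diag_Form?images/ HTTP/1.1" 404 0 "-" "-"',
    f'192.0.2.80 - - {TS} "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]

print(summarize(SAMPLE))
```

In the sample, the only entry in the third result is the `/.env` request that returned 200: the server handed over a file instead of a 404.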
