Scanning Landscape Report

• Total requests dropped sharply versus yesterday’s single-scanner surge, while unique source IPs increased substantially—consistent with a return to broad background scanning rather than one dominant scan run.
• Top activity centered on generic probing (/, favicon, robots) plus sensitive-file checks (/.env, /.git) and a small but notable cluster of API-style LLM endpoints (/v1/*, /openai/*, /v1beta/*).
• Several new low-volume families appeared (containers API, Spring Actuator, /proc checks, and appliance-style +cscoe/+cscol paths), suggesting multiple opportunistic scanners with different checklists.

Why it matters: Even when overall volume is lower, distributed probing increases the chance that any exposed secret/config file or management endpoint is found quickly; the appearance of LLM API-shaped paths also indicates growing “AI endpoint discovery” noise that can lead to credential abuse if real services are exposed without strong authentication and rate controls.

Changes since yesterday:

• Request volume fell from 20,000 to 2,465 and unique IPs rose from 44 to 395, indicating scanning became much less source-concentrated (confidence: high).
• Secrets/config probing via /.env remains present but is dramatically reduced compared to yesterday’s checklist sweep (confidence: high).
• Newly visible families include /v1* and /openai* LLM-style routes, /v1beta/* (Gemini-style), plus multiple management/infra probes (containers API, Actuator, /proc) at low volumes (confidence: medium).

Key observations:

• Today’s 24h window shows lower total volume but higher source diversity, aligning with mixed opportunistic scanners rather than a single dominant enumerator (24h: 2,465 requests; 395 unique IPs).
• URI mix includes (a) baseline web noise (/, /favicon.ico, /robots.txt), (b) sensitive artifact hunting (/.env, /.git/config), (c) login surface discovery (/core/skin/login.aspx, /owa/auth/logon.aspx), and (d) new API/LLM-shaped endpoints (/v1/chat/completions, /openai/v1/chat/completions, /v1beta/models/*:generatecontent).
• A small set of appliance/enterprise gateway style asset paths (+cscoe/+cscol) appeared, which are distinct from typical webapp file/backup checks and may reflect separate scanner tooling or fingerprinting lists.

Top URI families

Top sources

• Request volume spiked sharply (20,000 vs 1,899 yesterday) while the scanner attempted an unusually wide set of unique URIs (19,927), consistent with automated dictionary/checklist probing.
• Traffic was overwhelmingly dominated by a single source block (144.91.101.0/24 contributed 19,873 requests), suggesting one primary scanning node/infrastructure rather than broadly distributed background noise.
• Most probes focused on high-impact misconfiguration artifacts (dotenv/secrets, backup/config files under /api, /admin, /core, /backup) plus a smaller set of technology fingerprints (Spring Actuator, Citrix-like asset paths, and local file disclosure attempts).

Why it matters: This mix is typical of opportunistic compromise workflows: rapidly enumerate common sensitive files and backups that can directly leak credentials or configuration; even one accidental exposure can convert scanning into immediate exploitation. The extreme source concentration also makes this activity easier to block/shape at the edge, but raises the likelihood it is a single coherent scan run.

Changes since yesterday:

• Requests increased from 1,899 to 20,000 and unique URIs from 338 to 19,927, indicating a return to (and exceeding) the prior broad enumeration behavior rather than the quieter mix seen yesterday (confidence: high).
• A single /24 (144.91.101.0/24) newly dominates traffic (~99% of requests), replacing yesterday’s more distributed top sources (confidence: high).
• New low-volume probe families appeared (e.g., /proc/self/environ and /@fs/ traversal-style paths, /var/log and /nginx log paths, .idea metadata) consistent with generic “exposed file” and “local file read” checklists (confidence: medium).

Key observations:

• The dataset is truncated at 20,000 events for the last 24h and 40,000 for 7d; the true volume may be higher, but the observed distribution is already strongly dominated by one source block and several sensitive-file families.
• URI diversity is extremely high (19,927 unique URIs in 24h) while only 44 unique IPs were observed, aligning with a scripted scan cycling through many filenames/paths rather than organic browsing.
• Top families center on secrets/backups and admin-area artifacts: env/dotenv variants plus repeated backup/config extensions (e.g., .bak/.cfg/.conf) under /api, /admin, /core, and /backup.

Top URI families

Top sources

• Total requests dropped sharply vs yesterday (1,899 vs 15,567), and URI diversity also fell (338 vs 5,017), indicating the prior broad enumeration burst has subsided.
• The remaining activity is dominated by generic liveness/fingerprinting plus continued opportunistic probing for exposed secrets and source control (/.env, /.git).
• A small set of low-volume, technology-specific probes appeared (Exchange ECP export tool path, GPON form, /+cscoe+/ and /+cscol+/ paths), but counts are too small to indicate a focused campaign by themselves.

Why it matters: Even with lower volume, opportunistic checks for high-impact misconfigurations (dotenv files, Git metadata, debug endpoints) can quickly identify and exploit accidental exposure; the day’s main security value is confirming that the prior high-volume wave has ended while keeping alerting tight on any non-404/403 responses to sensitive paths.

Changes since yesterday:

• Requests decreased ~88% (15,567 -> 1,899) and unique URIs decreased ~93% (5,017 -> 338), consistent with the end of a broad checklist scan burst (confidence: high).
• Secrets/config probing fell materially (env family down ~63% vs yesterday), but remains a notable share of remaining traffic (confidence: high).
• New low-volume URI families appeared in today’s top set: /ecp/* (Exchange), /gponform/* (GPON/ONT admin pattern), /portal/redlion (industrial/OT portal naming), and /bin/* archives (confidence: medium).

Key observations:

• Telemetry shows a reversion from yesterday’s high-volume, high-diversity enumeration to a smaller, more typical mix of liveness checks (/, /favicon.ico, /robots.txt) plus opportunistic misconfiguration probing (/.env, /.git/config, phpinfo/test endpoints).
• Source concentration changed: yesterday’s dominant 7-day top source blocks (e.g., the large AWS-associated /24s in the 7d list) are not today’s top sources; today’s top /24s are different and each contributes <7% of total requests, which looks more like distributed background scanning than a single concentrated burst.
• Several technology-specific probes cluster around known patterns: Spring Boot Actuator (/actuator, /env), exposed Git metadata (/.git/*), legacy/enterprise login surfaces (/core/skin/login.aspx), and appliance-style paths (cgi-bin/*, /gponform/*), but volumes are small and mostly consistent with opportunistic scanning.

Top URI families

Top sources

• Request volume jumped sharply in the last 24h (15,567 vs 2,741 yesterday), driven mostly by generic liveness/fingerprinting traffic and broad enumeration.
• Several higher-signal misconfiguration families also increased, including secret/config file probing (e.g., /.env) and dev-tooling style local file path checks under /@fs/.
• Top traffic came from a small set of source /24s contributing a majority of requests, consistent with concentrated scanning infrastructure rather than organic browsing.

Why it matters: Even when much of the volume is generic “noise,” the concurrent rise in secret/config and dev-tooling file-path probes increases the chance that any accidental exposure (dotenv files, debug endpoints, dev servers) would be found quickly and abused.

Changes since yesterday:

• Total requests increased ~5.7x day-over-day (15,567 vs 2,741), with a large increase in generic “misc” URIs.
• /@fs/*?import= probing doubled again and is far above 7-day baseline, consistent with active dev-server/tooling exposure checks.
• New low-volume URI families appeared in the top set (phpMyAdmin, OAuth endpoints, Swagger/OpenAPI docs), indicating broader technology fingerprinting.

Key observations:

• Volume and URI diversity expanded substantially (5,017 unique URIs in 24h vs 730 yesterday), indicating wide checklist-style enumeration rather than a narrow single-path probe.
• The largest counted family is “misc” (13,350 requests; +1,754% vs yesterday), which typically reflects liveness and fingerprinting (/, /favicon.ico, /robots.txt) and can inflate totals without indicating successful exploitation.
• Multiple technology-targeted families increased simultaneously (env, wp, /@fs, .well-known, swagger/v2/v1, oauth, phpmyadmin), consistent with opportunistic scanners rotating broad fingerprints.

Top URI families

Top sources

• Overall request volume remained in the same range as yesterday (2741 vs 2565), consistent with ongoing opportunistic internet scanning.
• Two standouts in the last 24h were a sharp rise in WordPress-related probes and a new spike in “/@fs/*?import=” paths consistent with Vite/Node dev-server style local-file read checks.
• Several new low-volume but high-signal families appeared (e.g., Tomcat manager, AWS credentials file paths), indicating broader misconfiguration/credential-hunting checklists in rotation.

Why it matters: The dominant activity remains misconfiguration hunting (secrets, exposed repos, debug/admin panels). The increased WordPress and “/@fs” probing matters because both are commonly automated “quick win” checks that can lead to credential theft or file disclosure if anything is mispublished or misrouted to production.

Changes since yesterday:

• WordPress probing spiked sharply (+725% day-over-day), suggesting a scanner wave emphasizing WP file and plugin/config exposure paths.
• New and pronounced increase in “/@fs/*?import=” requests (up 100% vs yesterday; far above 7-day baseline), consistent with modern tooling/dev-server LFI-style probes.
• Top source blocks rotated; today’s leading /24 contributed ~11% of all requests, but no single source dominated traffic.

Key observations:

• Traffic volume is steady, but URI diversity increased materially vs yesterday (730 unique URIs vs 446), indicating broader enumeration lists rather than a narrow single-CVE focus.
• High-impact misconfiguration checks remain prominent: dotenv/secret file probing (/.env), VCS metadata (/.git/config), and common debug/test PHP endpoints (phpinfo.php, test.php, php.php).
• Two clusters stand out as “newer” relative to recent baseline: the “/@fs/…?import=” prefix spike and the WordPress family surge; both look like automated list-based probing rather than interactive exploitation, based on breadth and low per-URI counts.

Top URI families

Top sources

• Overall traffic volume stayed essentially flat vs yesterday (2565 vs 2613 requests), consistent with ongoing background internet scanning.
• The largest day-over-day change is a sharp increase in “env” probing (e.g., /.env and config files), while exposed-file probing as a whole decreased.
• Top sources rotated again, with a single /24 contributing ~12% of all requests, suggesting a mix of distributed noise plus one more active scanner block.

Why it matters: The dominant probes focus on high-impact misconfigurations—exposed secrets (.env), exposed repository metadata (.git), and web-accessible vendor tooling (phpunit paths)—which can enable rapid credential theft or remote code execution if any endpoint returns something other than an error.

Changes since yesterday:

• “env” family increased substantially (+150% vs yesterday) and is near its 7-day norm (slightly below baseline).
• “files” family decreased materially (-24.8% vs yesterday), indicating the prior exposed-file/phpunit-heavy mix cooled.
• Multiple small, newly observed path-prefix families appeared (/assets, /static, /css, /portal), indicating broader enumeration lists being exercised (low volume).

Key observations:

• Traffic composition remains dominated by generic discovery plus misconfiguration checks: “/” (537), /.git/config (86), /.env (72), and multiple phpunit eval-stdin path permutations (14–15 each).
• Day-over-day mix shifted: “env” rose sharply while “files” and “misc” declined, suggesting scanner campaigns rotated rather than overall volume changing.
• Some management/admin surface probing is present and increased vs yesterday in small families (e.g., /api*, /sdk*, cgi-bin), but volumes remain small relative to total requests.

Top URI families

Top sources

• Overall request volume stayed flat vs yesterday (2613 vs 2638), but scanning emphasis shifted toward exposed files (notably phpunit eval-stdin variants) and Git metadata checks.
• Several management/admin surface probes increased vs baseline (Spring Actuator, Docker API /containers/json, Tomcat manager), but remain small in absolute volume.
• Top traffic sources changed materially: yesterday’s single dominant source is no longer present in today’s top list, and activity appears spread across multiple /24s.

Why it matters: The dominant request families map to high-impact misconfigurations (exposed .git, exposed secrets like .env, and web-accessible vendor tooling such as phpunit) plus management surfaces (Actuator/Tomcat/Docker). These are commonly used as fast “yes/no” checks for follow-on compromise when misconfigurations exist.

Changes since yesterday:

• “files” family spiked sharply (+85.32% vs yesterday; +66.27% vs 7-day baseline), driven by repeated phpunit eval-stdin path variants.
• New low-volume families appeared (prefix:/manager, prefix:/druid, prefix:/epa, prefix:/bin), consistent with broadened endpoint enumeration rather than a single-technology focus.
• Top sources rotated: new /24s lead today (52.178.176.0/24, 172.161.148.0/24), and yesterday’s dominant source (195.178.110.0/24) is absent from today’s top list.

Key observations:

• URI mix is dominated by opportunistic exposure checks and enumeration: /.git/config (121), /.env (71), and multiple phpunit eval-stdin variants (12 each), alongside generic “/” (567) and commodity discovery paths (robots.txt, favicon.ico).
• Compared to yesterday, scanning volume is similar but redistributed: the “files” family increased substantially while “misc” decreased (misc -41.18% vs yesterday). This suggests scanner campaign mix changed even though total traffic did not.
• Management/admin probing is elevated vs 7-day baseline in several small families (actuator +140.2%, /containers +68.52%, /manager new), but counts are low enough that this presently resembles broad opportunistic coverage rather than a focused attack.

Top URI families

Top sources

• Most activity matches broad, automated probing for exposed files and common admin endpoints, led by /.git/config, /.env, and phpunit eval-stdin paths.
• One /24 source (195.178.110.0/24) generated a disproportionate share of requests, suggesting a single scanner or tightly controlled infrastructure segment.
• Several smaller families rose above baseline (Spring Actuator and Git exposure checks), while direct /.env probing dropped sharply versus yesterday and baseline.

Why it matters: These requests map to well-known high-impact misconfigurations (exposed Git metadata, leaked environment files, and exposed framework diagnostics/admin endpoints) that can enable credential leakage or remote code execution when present; even if the honeypot is not vulnerable, the pattern indicates what attackers are currently hunting at scale.

Changes since yesterday:

• Git exposure probing increased (+15.89% vs yesterday) and is well above the 7-day baseline (+118.64%).
• Spring Actuator probing increased (+47.83% vs yesterday) and is far above baseline (+155.91%).
• Direct /.env and related sensitive-file probing decreased sharply (-72.7% vs yesterday; -59.96% vs baseline).

Key observations:

• Top URI indicators in the last 24h include /.git/config (120), /.env (68), and multiple phpunit eval-stdin variants (13 each), consistent with automated opportunistic scanners checking for common high-value exposures and legacy RCE paths.
• Source concentration is notable: 195.178.110.0/24 contributed 507 requests (~19.2% of all 24h requests) while the remaining top sources are an order of magnitude lower (46–92), which may reflect a dominant scanner rather than broadly distributed noise.
• Framework/admin surface probing is present but smaller in absolute volume (e.g., /actuator* and /manager/text/list). While counts are low, their deltas vs baseline suggest increased interest in these endpoint classes today.

Top URI families

Top sources