Viss (viss@mastodon.social)'s status on Thursday, 17-Jul-2025 06:20:00 JST
if you put a webserver up on the internet, anywhere, hosting anything, you will see "the background radiation of the internet", and it looks like this:
-
:blobcathug: (jain@blob.cat)'s status on Thursday, 17-Jul-2025 06:30:48 JST
@sysop408 @paul_ipv6 @Viss :blobcatthinkOwO: maybe i should start serving gzip bomb responses as those files :blobcathyper2:
-
Paul_IPv6 (paul_ipv6@infosec.exchange)'s status on Thursday, 17-Jul-2025 06:30:49 JST
indeed. went from 1500+ attempts from a unique IP to maybe 15 in a week?
-
Sheldon (sysop408@sfba.social)'s status on Thursday, 17-Jul-2025 06:30:49 JST
@paul_ipv6 @Viss yes, thank goodness for fail2ban and CSF firewall.
-
Sheldon (sysop408@sfba.social)'s status on Thursday, 17-Jul-2025 06:30:50 JST
@paul_ipv6 that status message when you log in to your root account letting you know there have been 2817 failed login attempts since the last time you signed in is absolutely lit!
-
Viss (viss@mastodon.social)'s status on Thursday, 17-Jul-2025 06:30:50 JST
@sysop408 @paul_ipv6 fail2ban!
-
Paul_IPv6 (paul_ipv6@infosec.exchange)'s status on Thursday, 17-Jul-2025 06:30:51 JST
yeah. if you ever want to be convinced that the internet is doomed, just put up your own email or web server and actually read the logs... ;)
-
Viss (viss@mastodon.social)'s status on Thursday, 17-Jul-2025 06:46:52 JST
and if you're lucky, sometimes you catch one that may be actually interesting, possibly being used by an active malicious actor / campaign
"GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1"
never seen that one before, but I bet it's working for SOMEONE out there
-
Viss (viss@mastodon.social)'s status on Thursday, 17-Jul-2025 06:46:53 JST
and what you can take away from this log is that the reason they are blasting the entire internet, every webserver with these requests - most of which are 'I'm gonna hit myself in the face with a brick now' level of bad from a config/dev/admin perspective - is squarely because it has worked for them enough times that they feel spraying the internet will nab them more.
look.
just look at the shit they're collecting and how easily they're doing it.
this is because docker
this is because k8s
-
Viss (viss@mastodon.social)'s status on Thursday, 17-Jul-2025 06:46:53 JST
this is because everywhere has gone "DX" - or "optimizing for the developer experience above all else, at the cost of everyone else."
make things as easy as possible for the devs/devops, we don't care how bad the security becomes, how many layers of abstraction get installed, how many dozen new js frameworks appear this afternoon, how public the data is, how bad the architecture is - burn the building down
just make sure the devs are comfy
-
Dr. Matt Lee (1800www.com) (mattl@social.coop)'s status on Thursday, 17-Jul-2025 07:16:38 JST
@jackwilliambell @Viss Nobody should redirect their 404s from weird user agents or bots looking for the WordPress login page to a 10gb file such as https://sin-speed.hetzner.com/10GB.bin
-
Jack William Bell (jackwilliambell@rustedneuron.com)'s status on Thursday, 17-Jul-2025 07:16:42 JST
Is it possible to respond to every URN not referring to an actual reachable resource on the site with a zip bomb?
I mean, it should be possible, but IDK.
-
Viss (viss@mastodon.social)'s status on Thursday, 17-Jul-2025 07:17:29 JST
@FritzAdalis no good comes from that ip
-
Dr. Matt Lee (1800www.com) (mattl@social.coop)'s status on Thursday, 17-Jul-2025 07:17:29 JST
@Viss @FritzAdalis I know a guy with that IP address. Just downloads a bunch of shit all day.
-
Fritz Adalis (fritzadalis@infosec.exchange)'s status on Thursday, 17-Jul-2025 07:17:30 JST
@Viss
You should probably block that 127.0.0.1 address.
-
Dr. Matt Lee (1800www.com) (mattl@social.coop)'s status on Thursday, 17-Jul-2025 12:14:42 JST
@vwbusguy @Viss @FritzAdalis I think he must live near me. I keep finding him logging into my computers too, yet they're not public facing.
-
Scott Williams 🐧 (vwbusguy@mastodon.online)'s status on Thursday, 17-Jul-2025 12:14:43 JST
@mattl @Viss @FritzAdalis That's the address of the guy that keeps logging into my machines!
-
Dr. Matt Lee (1800www.com) (mattl@social.coop)'s status on Friday, 18-Jul-2025 00:46:43 JST
@Silverstar @Viss @jackwilliambell @cR0w @neurovagrant I suspect some will and some won’t. Some might just crash.
-
Viss (viss@mastodon.social)'s status on Friday, 18-Jul-2025 00:46:49 JST
@jackwilliambell @mattl oh, @cR0w and @neurovagrant have some fun here, with a zip that uncompresses to .. some tens of gigs? or hundreds of gigs?
-
Silverstar (silverstar@cyberplace.social)'s status on Friday, 18-Jul-2025 00:46:49 JST
@Viss @jackwilliambell @mattl @cR0w @neurovagrant would the bots actually download large files or stop because they expect small files?
-
Jack William Bell (jackwilliambell@rustedneuron.com)'s status on Friday, 18-Jul-2025 00:46:50 JST
Yeah. I guess that would be bad.