August 31st, 2025
The site goes online! I forward the ports on my home router to my Ubuntu server. Within an hour of going live, the Apache logs revealed something fascinating:
- 4.230.5.99 - - [31/Aug/2025:19:09:10 +0000] "GET /wp-content/plugins/hellopress/wp_filemanager.php HTTP/1.1" 404 452 "-" "-"
- 4.230.5.99 - - [31/Aug/2025:19:09:10 +0000] "GET /lock360.php HTTP/1.1" 404 452
- 4.230.5.99 - - [31/Aug/2025:19:09:10 +0000] "GET /wp-admin/file.php HTTP/1.1" 404 452
- 4.230.5.99 - - [31/Aug/2025:19:09:10 +0000] "GET /404.php HTTP/1.1" 404 452
- 4.230.5.99 - - [31/Aug/2025:19:09:11 +0000] "GET /astab.php HTTP/1.1" 404 452
- 4.230.5.99 - - [31/Aug/2025:19:09:11 +0000] "GET /file6.php HTTP/1.1" 404 452
- 4.230.5.99 - - [31/Aug/2025:19:09:11 +0000] "GET /wp-content/wp-conflg.php HTTP/1.1" 404 452
- 4.230.5.99 - - [31/Aug/2025:19:09:11 +0000] "GET /faq.php HTTP/1.1" 404 452 "-" "-"
- 4.230.5.99 - - [31/Aug/2025:19:09:11 +0000] "GET /dejavu.php HTTP/1.1" 404 452
- 4.230.5.99 - - [31/Aug/2025:19:09:12 +0000] "GET /NewFile.php HTTP/1.1" 404 452
- 4.230.5.99 - - [31/Aug/2025:19:09:12 +0000] "GET /file2.php HTTP/1.1" 404 452
- 4.230.5.99 - - [31/Aug/2025:19:09:12 +0000] "GET /bless.php HTTP/1.1" 404 452
- 4.230.5.99 - - [31/Aug/2025:19:09:12 +0000] "GET /.trash7309/index.php HTTP/1.1" 404 452
- 4.230.5.99 - - [31/Aug/2025:19:09:12 +0000] "GET /file4.php HTTP/1.1" 404 452 "-" "-"
- 4.230.5.99 - - [31/Aug/2025:19:09:13 +0000] "GET /ss.php HTTP/1.1" 404 452
- 4.230.5.99 - - [31/Aug/2025:19:09:13 +0000] "GET /ahax.php HTTP/1.1" 404 452
- 4.230.5.99 - - [31/Aug/2025:19:09:13 +0000] "GET /wp.php HTTP/1.1" 404 452
- 4.230.5.99 - - [31/Aug/2025:19:09:13 +0000] "GET /file8.php HTTP/1.1" 404 452
Shortly after going live, the IP address 4.230.5.99 was already attempting to access various admin PHP files. At first glance, it looks like they were trying to reach PHP admin files in order to gain control over the server and perform remote code execution.
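As an added example (not the author's code), here is a small Python check that parses Apache access-log lines like the ones above and flags any source IP that produces a burst of 404s on .php paths, which is the pattern a path-guessing scanner leaves behind. The sample lines are constructed, modelled on the entries above; 203.0.113.7 is a placeholder for ordinary visitor traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined log format; the trailing referer and user-agent fields are optional,
# which matches the mix of line shapes seen in the log above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines modelled on the entries above (not the author's full log).
SAMPLE_LOG = """\
4.230.5.99 - - [31/Aug/2025:19:09:10 +0000] "GET /wp-content/plugins/hellopress/wp_filemanager.php HTTP/1.1" 404 452 "-" "-"
4.230.5.99 - - [31/Aug/2025:19:09:10 +0000] "GET /lock360.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:11 +0000] "GET /astab.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:12 +0000] "GET /file2.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:13 +0000] "GET /wp.php HTTP/1.1" 404 452
203.0.113.7 - - [31/Aug/2025:19:20:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Aug/2025:19:20:02 +0000] "GET /about.html HTTP/1.1" 200 881 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_scanners(log_text, threshold=5, window_seconds=60):
    """Return {ip: total_php_404s} for IPs that hit >= threshold 404s on .php paths
    within any window of window_seconds; a normal visitor never does this."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404 and rec["path"].lower().endswith(".php"):
            misses[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in misses.items():
        times.sort()
        # Sliding window: do any `threshold` consecutive misses fit inside the window?
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))  # {'4.230.5.99': 5}
```

Pointing the script at /var/log/apache2/access.log turns this into a simple alerting rule; the same per-IP burst logic is what tools like fail2ban apply before banning a source.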
I looked up the address using iplocation.net and it pointed to Seoul, Korea! Was my site already the target of automatic scripts written by North Korean threat actors?
The web is a scary place. Good thing this website doesn't have PHP yet. This finding only encouraged me to double down on security and revisit this event later.