6. My first push to prod, going live!
31.8.2025
The site goes online! I forwarded the ports on my home router to my Ubuntu server. Within an hour of going live, the Apache logs revealed something fascinating:
4.230.5.99 - - [31/Aug/2025:19:09:10 +0000] "GET /wp-content/plugins/hellopress/wp_filemanager.php HTTP/1.1" 404 452 "-" "-"
4.230.5.99 - - [31/Aug/2025:19:09:10 +0000] "GET /lock360.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:10 +0000] "GET /wp-admin/file.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:10 +0000] "GET /404.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:11 +0000] "GET /astab.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:11 +0000] "GET /file6.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:11 +0000] "GET /wp-content/wp-conflg.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:11 +0000] "GET /faq.php HTTP/1.1" 404 452 "-" "-"
4.230.5.99 - - [31/Aug/2025:19:09:11 +0000] "GET /dejavu.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:12 +0000] "GET /NewFile.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:12 +0000] "GET /file2.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:12 +0000] "GET /bless.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:12 +0000] "GET /.trash7309/index.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:12 +0000] "GET /file4.php HTTP/1.1" 404 452 "-" "-"
4.230.5.99 - - [31/Aug/2025:19:09:13 +0000] "GET /ss.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:13 +0000] "GET /ahax.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:13 +0000] "GET /wp.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:13 +0000] "GET /file8.php HTTP/1.1" 404 452
Shortly after going live, a single IP address, 4.230.5.99, walked through a list of PHP paths at roughly five requests per second, and every one of them got a 404. The file names are the telling part: wp_filemanager.php under a plugin directory, wp-conflg.php (a look-alike of wp-config.php), .trash7309/index.php, and generic names like file2.php and file4.php are the kind of names that previously planted web shells and file managers get. A scanner like this is not exploiting a bug in my site; it is checking whether this host is an already-compromised WordPress install whose backdoor it can reuse, and any of those paths answering 200 would have handed the attacker remote code execution. The identical response sizes show that every request hit the same 404 page.
I looked up the address on iplocation.net and it pointed to Seoul, South Korea! Was my site already the target of automatic scripts written by Korean threat actors? Probably nothing that specific: the geolocation of a source address tells you where the machine is, not who operates it, and scans like this mostly come from rented cloud servers and other compromised hosts, so the country is noise rather than attribution.
The web is a scary place. Good thing this website doesn't have PHP yet. This finding only encouraged me to double down on security and revisit this event later.
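Because a scan like this is easy to recognise (one address, many 404s for .php paths, a few seconds apart), it is also easy to detect automatically. The script below is an added example, not part of the original post: it parses Apache access-log lines in the format shown above and flags any source address that produces at least a threshold of .php 404s inside a short time window. The sample log is constructed for the example (eight lines copied from the scan above plus two benign lines I made up on documentation addresses), and the window and threshold values are my own choices, not anything the post prescribes.

```python
"""Flag addresses that burst-scan for PHP backdoors in an Apache access log."""
import re
from collections import defaultdict
from datetime import datetime

# Matches the leading fields of Apache "common"/"combined" log lines; the
# trailing referer and user-agent (present on some lines above, absent on
# others) are ignored on purpose.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: the first eight lines are from the scan in the post,
# the last two are benign requests I added (198.51.100.4 and 203.0.113.7 are
# documentation addresses, not real clients).
SAMPLE_LOG = """\
4.230.5.99 - - [31/Aug/2025:19:09:10 +0000] "GET /wp-content/plugins/hellopress/wp_filemanager.php HTTP/1.1" 404 452 "-" "-"
4.230.5.99 - - [31/Aug/2025:19:09:10 +0000] "GET /lock360.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:10 +0000] "GET /wp-admin/file.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:10 +0000] "GET /404.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:11 +0000] "GET /astab.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:11 +0000] "GET /file6.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:11 +0000] "GET /wp-content/wp-conflg.php HTTP/1.1" 404 452
4.230.5.99 - - [31/Aug/2025:19:09:12 +0000] "GET /.trash7309/index.php HTTP/1.1" 404 452
198.51.100.4 - - [31/Aug/2025:19:09:40 +0000] "GET /favicon.ico HTTP/1.1" 404 452 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Aug/2025:19:10:01 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    # Strip any query string so "/x.php?cmd=id" is still recognised as a .php path.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_php_scanners(lines, window_s=10, threshold=5):
    """Return {ip: hits} for every address with >= threshold 404s on .php paths
    inside any window_s-second window. Other 404s (favicon.ico, typos) are ignored."""
    timestamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than crashing on a rotated/truncated log
        if rec["status"] == 404 and rec["path"].lower().endswith(".php"):
            timestamps[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in timestamps.items():
        stamps.sort()
        start = 0
        peak = 0
        # Sliding window: for each event, drop older events until the window fits.
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, hits in find_php_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {hits} .php 404s in a 10 s window, candidate for a firewall block")
```

Run it against /var/log/apache2/access.log by feeding the file's lines to find_php_scanners; the benign favicon 404 from 198.51.100.4 is not counted, while 4.230.5.99 is flagged with eight hits. This is the same idea fail2ban's Apache jails apply to the logs, and on a single server feeding the flagged addresses to ufw or nftables is the natural next step.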