Server Security Dashboard

IP	Hits
195.178.110.132	54
114.220.75.156	15
195.178.110.190	14
213.209.159.181	14
3.96.59.161	10
35.183.137.17	10
3.39.195.183	10
54.151.127.120	10
3.107.2.160	10
3.96.144.10	10

URI	Hits
`/.env`	121
`/.git/config`	82
`/honeypot-trap.php`	41
`/1.php`	32
`/config.json`	16
`/.git/HEAD`	16
`/config.php`	16
`/api/.env`	15
`/api/swagger.json`	13
`/api/v2/config`	9

Recent Honeypot Events

Date/Time	IP	URI	Reason	Event	User Agent	Extra
2026-01-16 07:15:00	77.83.39.218	`/.env`	CONFIG_PROBE	HARDKILL_HIT	Konqueror/3.0-rc4; (Konqueror/3.0-rc4; i686 Linux;;datecode)	METHOD=GET \| REF=-
2026-01-16 06:36:16	4.241.184.25	`/wso.php`	BACKDOOR_PROBE	HARDKILL_HIT	-	METHOD=GET \| REF=-
2026-01-16 05:18:19	195.178.110.132	`/.git/config`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0	METHOD=GET \| REF=-
2026-01-16 05:18:15	195.178.110.132	`/.git/HEAD`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0	METHOD=GET \| REF=-
2026-01-16 05:18:04	195.178.110.132	`/config.php`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36	METHOD=GET \| REF=-
2026-01-16 05:17:58	195.178.110.132	`/.git/config`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36	METHOD=GET \| REF=-
2026-01-16 05:17:49	195.178.110.132	`/.env`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36	METHOD=GET \| REF=-
2026-01-16 05:17:44	195.178.110.132	`/.env`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36	METHOD=GET \| REF=-
2026-01-16 05:00:18	216.81.248.30	`/.git/config`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36	METHOD=GET \| REF=-
2026-01-16 05:00:15	216.81.248.30	`/.git/config`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Safari/605.1.15	METHOD=GET \| REF=-
2026-01-16 04:34:29	216.81.248.30	`/.git/config`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15	METHOD=GET \| REF=-
2026-01-16 03:21:34	91.232.238.112	`/admin/config.php`	CONFIG_PROBE	HARDKILL_HIT	xfa1	METHOD=GET \| REF=-
2026-01-16 03:01:36	195.178.110.191	`/.git/config`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (X11; Linux x86_64; rv:1.9.5.20) Gecko/ Firefox/3.6.14	METHOD=GET \| REF=-
2026-01-16 02:58:32	91.239.157.219	`/vendor/`	GENERIC_HONEYPOT_HIT	HARDKILL_HIT	-	METHOD=GET \| REF=-
2026-01-16 02:58:18	91.239.157.219	`/vendor/phpunit/phpunit/src/Util/PHP/`	GENERIC_HONEYPOT_HIT	HARDKILL_HIT	-	METHOD=GET \| REF=-
2026-01-16 02:58:07	91.239.157.219	`/honeypot-trap.php`	GENERIC_HONEYPOT_HIT	HARDKILL_HIT	-	METHOD=GET \| REF=-
2026-01-16 02:57:39	195.178.110.191	`/.git/config`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2 rv:2.0; mai-IN) AppleWebKit/533.27.1 (KHTML, like Gecko) Version/5.0 Safari/533.27.1	METHOD=GET \| REF=-
2026-01-16 01:59:46	204.76.203.25	`/.env`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.3	METHOD=GET \| REF=-
2026-01-16 01:59:14	204.76.203.25	`/.env`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.3	METHOD=GET \| REF=-
2026-01-16 01:59:09	204.76.203.25	`/.env`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.3	METHOD=GET \| REF=-
2026-01-15 23:06:00	142.111.146.31	`/.env`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36	METHOD=GET \| REF=http://handeltmarketinglimited.com/.env
2026-01-15 22:57:17	195.178.110.191	`/.git/config`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15	METHOD=GET \| REF=-
2026-01-15 22:40:26	34.133.255.234	`/honeypot-trap.php`	GENERIC_HONEYPOT_HIT	SOFT_HIT	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3	METHOD=GET \| REF=-
2026-01-15 22:34:31	4.217.221.142	`/1.php`	BACKDOOR_PROBE	HARDKILL_HIT	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36	METHOD=GET \| REF=-
2026-01-15 22:05:34	4.217.217.16	`/wso.php`	BACKDOOR_PROBE	HARDKILL_HIT	-	METHOD=GET \| REF=-
2026-01-15 19:53:00	102.129.234.195	`/.env`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0	METHOD=GET \| REF=-
2026-01-15 19:35:53	64.62.197.152	`/.git/config`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36	METHOD=GET \| REF=-
2026-01-15 19:24:15	129.159.56.14	`/.env`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0	METHOD=GET \| REF=-
2026-01-15 19:16:27	129.159.56.14	`/.env`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0	METHOD=GET \| REF=-
2026-01-15 19:14:30	129.159.56.14	`/.env`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0	METHOD=GET \| REF=-
2026-01-15 19:08:02	161.97.129.154	`/.git/HEAD`	CONFIG_PROBE	HARDKILL_HIT	Go-http-client/2.0	METHOD=GET \| REF=http://handeltmarketinglimited.com/.git/HEAD
2026-01-15 19:08:01	161.97.129.154	`/.env`	CONFIG_PROBE	HARDKILL_HIT	Go-http-client/2.0	METHOD=GET \| REF=http://handeltmarketinglimited.com/.env
2026-01-15 19:02:24	114.220.75.156	`/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`	PHPUNIT_RCE_PROBE	HARDKILL_HIT	libredtail-http	METHOD=GET \| REF=-
2026-01-15 19:01:54	114.220.75.156	`/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`	PHPUNIT_RCE_PROBE	HARDKILL_HIT	libredtail-http	METHOD=GET \| REF=-
2026-01-15 19:01:24	114.220.75.156	`/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`	PHPUNIT_RCE_PROBE	HARDKILL_HIT	libredtail-http	METHOD=GET \| REF=-
2026-01-15 19:00:53	114.220.75.156	`/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`	PHPUNIT_RCE_PROBE	HARDKILL_HIT	libredtail-http	METHOD=GET \| REF=-
2026-01-15 19:00:23	114.220.75.156	`/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`	PHPUNIT_RCE_PROBE	HARDKILL_HIT	libredtail-http	METHOD=GET \| REF=-
2026-01-15 18:59:52	114.220.75.156	`/lib/phpunit/src/Util/PHP/eval-stdin.php`	PHPUNIT_RCE_PROBE	HARDKILL_HIT	libredtail-http	METHOD=GET \| REF=-
2026-01-15 18:59:20	114.220.75.156	`/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php`	PHPUNIT_RCE_PROBE	HARDKILL_HIT	libredtail-http	METHOD=GET \| REF=-
2026-01-15 18:58:49	114.220.75.156	`/phpunit/src/Util/PHP/eval-stdin.php`	PHPUNIT_RCE_PROBE	HARDKILL_HIT	libredtail-http	METHOD=GET \| REF=-
2026-01-15 18:58:18	114.220.75.156	`/phpunit/phpunit/src/Util/PHP/eval-stdin.php`	PHPUNIT_RCE_PROBE	HARDKILL_HIT	libredtail-http	METHOD=GET \| REF=-
2026-01-15 18:57:47	114.220.75.156	`/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`	PHPUNIT_RCE_PROBE	HARDKILL_HIT	libredtail-http	METHOD=GET \| REF=-
2026-01-15 18:57:17	114.220.75.156	`/vendor/phpunit/phpunit/LICENSE/eval-stdin.php`	GENERIC_HONEYPOT_HIT	SOFT_HIT	libredtail-http	METHOD=GET \| REF=-
2026-01-15 18:56:47	114.220.75.156	`/vendor/phpunit/Util/PHP/eval-stdin.php`	GENERIC_HONEYPOT_HIT	SOFT_HIT	libredtail-http	METHOD=GET \| REF=-
2026-01-15 18:56:18	114.220.75.156	`/vendor/phpunit/src/Util/PHP/eval-stdin.php`	PHPUNIT_RCE_PROBE	HARDKILL_HIT	libredtail-http	METHOD=GET \| REF=-
2026-01-15 18:56:01	114.220.75.156	`/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php`	GENERIC_HONEYPOT_HIT	SOFT_HIT	libredtail-http	METHOD=GET \| REF=-
2026-01-15 18:55:56	114.220.75.156	`/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`	PHPUNIT_RCE_PROBE	HARDKILL_HIT	libredtail-http	METHOD=GET \| REF=-
2026-01-15 18:36:30	195.178.110.190	`/.env`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36	METHOD=GET \| REF=-
2026-01-15 18:36:07	195.178.110.190	`/.env`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (Linux; Android 9; STK-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36	METHOD=GET \| REF=-
2026-01-15 18:35:56	195.178.110.190	`/.env`	CONFIG_PROBE	HARDKILL_HIT	Mozilla/5.0 (Linux; U; Android 2.2; en-us; SCH-I800 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1	METHOD=GET \| REF=-

IP Address	Hits	Endpoints	First Seen	Last Seen	UA Samples
`4.241.184.25`	6	/wp-admin/acme.php, /wp-admin/fw.php, /wp-admin/, /wp-admin/zwso.php, /wp-admin/maint/ …	2026-01-16 14:35:37	2026-01-16 14:38:17	-
`91.239.157.219`	76	/admin/uploads/, /admin/, /admin/editor/, /wp-admin/css/, /wp-admin/css/colors/ …	2026-01-16 10:58:02	2026-01-16 13:08:12	-
`89.117.61.39`	21	/wp-admin/css/, /wp-admin/includes/, /wp-admin/maint/, /wp-admin/network/, /wp-admin/user/ …	2026-01-16 11:59:04	2026-01-16 11:59:25	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
`169.150.203.200`	61	/wp-json/wp/v2/users/, /xmlrpc.php	2026-01-16 06:07:20	2026-01-16 06:08:02	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
`4.217.217.16`	6	/wp-admin/acme.php, /wp-admin/fw.php, /wp-admin/, /wp-admin/zwso.php, /wp-admin/maint/ …	2026-01-16 06:04:54	2026-01-16 06:07:29	-
`87.121.84.125`	1	/admin/assets/plugins/jquery-file-upload/server/php/index.php?file=tf2rghf.jpg	2026-01-16 03:14:07	2026-01-16 03:14:07	ALittle Client

Copy 404 Data for ChatGPT Analysis

Select all (Ctrl+A / Cmd+A) inside this box, copy, and paste into ChatGPT.

You are a Linux server and WordPress security assistant.

I will provide you with a list of recent HTTP 404 (Page Not Found) errors taken from my Apache access log.

Your tasks:

Group all entries by IP address.

Identify which IPs appear to be malicious bots or scanners. Treat the following as strong indicators of malicious behavior:

Repeated 404 errors

Enumeration of wp-admin directories, plugins, themes, uploads, backups, or fake/non-existent paths

Attempts to access sensitive endpoints (wp-login.php, xmlrpc.php, installer.php, phpmyadmin, .env, .git, etc.)

Suspicious or blank user agents, mismatched browser signatures, or automation indicators

Entries that have multiple user agents, even if one of appears to be a excluded searchbot

Fast or burst-style scanning in short time intervals

Assign a recommendation for each IP:

Permanent CSF ban for clearly malicious or exploit-focused behavior

Temporary CSF ban (24–48 hours recommended) for low-volume or borderline suspicious behavior

No action for legitimate traffic

EXCLUSIONS — Do NOT recommend bans for these well-known legitimate crawlers unless they perform exploit behavior:

OpenAI GPTBot (“GPTBot”)

OpenAI OAI-SearchBot (“OAI-SearchBot”)

CensysInspect / Censys Security Scanner

Palo Alto Networks Cortex Xpanse scanners

Standard robots.txt/sitemap fetchers

Normal favicon.ico hits with valid browser UAs
Only classify these as malicious if they access exploit paths such as /.env, /wp-login.php, /xmlrpc.php, /phpunit/, or encoded traversal requests.

For each IP recommended for blocking, generate:

A CSF permanent deny line for /etc/csf/csf.deny

For temporary bans, provide:
• The IP
• A recommended duration (24h or 48h)
• A short reason
• The exact CSF command the user must run manually
(csf -td IP duration "reason")

Use these formats:

PERMANENT BAN FORMAT (csf.deny):
IP_ADDRESS # REASON (permanent) YYYY-MM-DD

TEMPORARY BAN OUTPUT (NOT paste-ready):
IP: 1.2.3.4
Duration: 24h
Reason: Enumeration of /wp-admin directories
Command: csf -td 1.2.3.4 86400 "wp-admin enumeration"

Return the following:

1. Short Summary

Briefly explain the overall pattern (bot scans, probing, noise, etc.)

2. Table of IPs

Columns:

IP Address

Total 404 Count

Example URLs Hit

Recommendation (no action / temp ban / permanent ban)

3. PERMANENT BAN BLOCK (paste-ready)

Use only permanent ban lines in csf.deny format.
Output “None” if empty.

4. TEMPORARY BAN RECOMMENDATIONS (manual entry)

List each temp-ban IP using the format shown above.
Do NOT output csf.tempban file lines.
Provide only the recommended command to run manually.

Server Security Dashboard

Top Honeypot Offenders (by IP)

Top Honeypot URIs

Recent Honeypot Events

Honeypot Reason Legend

Sensitive Endpoint Traffic (Recent Log Sample)

Top 404 Offenders (by IP)

Top 404 URLs

Recent 404 "Page Not Found" Errors

Copy 404 Data for ChatGPT Analysis