The first 30 days of a new domain in 2025
I always noticed that any newly registered domain always gets immediate attention. So with my latest acquisition i set up a honeypot to see what bots are currently trying and exposing.
So in these 22 days i had 27k requests, lets deep dive and see what they seek.
Environment File Probing (.env, secrets)
Hundreds of variants of environment configuration paths used by Laravel, Symfony, Node, Python, Java, etc.
Common patterns:
/ .env,/ .env.bak,/ .env.old,/ .env.save,/ .env~,/ .env.prod,/ .env.dev,/ .env.test,/ .env.local
and deeper paths:
/admin/.env
/api/.env
/app/.env
/core/.env
/modules/.env
/plugins/.env
/storage/.env
/vendor/.env
/system/.env
/src/.env
/public/.envPHP Info & Diagnostic Probes
Attempted every well-known filename variation for phpinfo/info/debug pages.
Examples:
/phpinfo.php
/phpinfo
/php_info.php
/info.php
/check.php
/phptest.php
/debug.php
/serverinfo.php
/phpinfo.php.bak
/phpinfo.php.tmp
/phpinfo.php.save
/info.php.old
/test.php.backup
Git Metadata & Version Control
Attempts to access repos:
/.git/HEAD
/.git/index
/.git/ORIG_HEAD
/.git/refs/heads/main
/.git/packed-refs
/.git/logs/HEAD
WordPress Recon
Typical WordPress fingerprinting:
/wp-admin/
/wp-login.php
/wp-config.php
/wp-content/debug.log
/?rest_route=/wp/v2/users/
Logs & Error Files
Scanning for leaks in wrongly configured server logs:
/logs/error.log
/logs/access.log
/debug.log
/php_errors.log
/storage/logs/laravel.log
Cloud Credentials & Config Files
Sensitive configuration targets:
/aws.config.js
/aws-config.js
/.aws/credentials
/terraform.tfvars
/credentials.json
/local_settings.py
/application.properties
/application.yml
/config/secrets.yml
/gradle.properties
Swagger / API Discovery
Probing for (Swagger) API documentation:
/swagger.json
/swagger-ui.html
/swagger/index.html
/api/swagger.json
/api-docs/swagger.json
/v3/api-docs
/v2/api-docs
GraphQL
Common GraphQL discovery attempts:
/graphql
/api/graphql
/api/gql
/graphql/api
Spring Boot / Java
Java actuator & debug endpoints:
/actuator/env
/debug/default/view?panel=config
Docker & Container Registry
Seeking private images,services,regs etc:
/v2/_catalog (Docker Registry)
/docker-compose.yml
/docker-compose.override.yml
External CDN Script Injection Attempts
These URLs were malformed references to scripts originally hosted on our CDN, which is interesting and shows that these scans are more dynamic then i remember. (crawler misfires or attempts to piggyback script loading?)
Check the full output at the bottom.
Random Framework/System-Specific Files
/.vscode/sftp.json
/.npmrc
/.DS_Store
/_all_dbs
Dangerous Linux FS Probing
These are attempts to exploit Vite / build tools to read host files:
/@fs/etc/passwd?raw
/@fs/etc/passwd?import
Attacks by Category
| Category | Count | Description |
|---|---|---|
| Environment File Probing | ~250+ | Attempt to steal API keys & credentials |
| PHP Info/Diagnostics | ~200+ | Attempts to find phpinfo/info debug endpoints |
| Git/Version Control | ~20 | Attempts to extract source code |
| WordPress Recon | ~10 | Checking for WP installs |
| Logs & Debug Files | ~20 | Looking for leaked logs |
| Cloud & App Config Files | ~30 | Searching for cloud secrets |
| Swagger/API Exploration | ~15 | API introspection |
| GraphQL | ~4 | API probing |
| Spring / Actuator / Java | ~3 | Java server introspection |
| Docker / Compose / Registry | ~3 | Container enumeration |
| Local File Read Attacks | ~2 | Attempt to read /etc/passwd |
| Misc Framework Probes | ~20 | Various dev/config files |
| External CDN Injection Attempts | ~30 | Malformed external script loads |
All observed endpoints
endpoint
https://example.tld/.env
https://example.tld/aws.config.js
https://example.tld/aws-config.js
https://example.tld/config.js
https://example.tld/config.json
https://example.tld/.gitlab-ci.yml
https://example.tld/wp-config.php
https://example.tld/.git/logs/HEAD
https://example.tld/.env.bak
https://example.tld/core/.env
https://example.tld/admin/.env
https://example.tld/backend/.env
https://example.tld/.git/config
https://example.tld/?screenshotCacheBust=1763825190351
https://example.tld/?screenshotCacheBust=1763825187377
https://example.tld/?screenshotCacheBust=1763825185037
https://example.tld/?screenshotCacheBust=1763825174788
https://example.tld/www/info.php.save
https://example.tld/site/phpinfo.php.save
https://example.tld/site/info.php.save
https://example.tld/www/phpinfo.php.save
https://example.tld/site/info.php
https://example.tld/site/phpinfo.php
https://example.tld/www/info.php
https://example.tld/www/phpinfo.php
https://example.tld/web/info.php
https://example.tld/web/phpinfo.php
https://example.tld/cgi-bin/info.php.save
https://example.tld/web/phpinfo.php.save
https://example.tld/public/info.php.save
https://example.tld/web/info.php.save
https://example.tld/public/info.php
https://example.tld/public/phpinfo.php
https://example.tld/public/phpinfo.php.save
https://example.tld/cgi-bin/phpinfo.php.save
https://example.tld/scripts/phpinfo.php.save
https://example.tld/cgi-bin/info.php
https://example.tld/includes/info.php.save
https://example.tld/scripts/phpinfo.php
https://example.tld/cgi-bin/phpinfo.php
https://example.tld/scripts/info.php.save
https://example.tld/includes/phpinfo.php.save
https://example.tld/scripts/info.php
https://example.tld/includes/phpinfo.php
https://example.tld/test/info.php.save
https://example.tld/includes/info.php
https://example.tld/dev/info.php.save
https://example.tld/dev/phpinfo.php
https://example.tld/dev/phpinfo.php.save
https://example.tld/test/info.php
https://example.tld/tmp/info.php
https://example.tld/admin/phpinfo.php
https://example.tld/tmp/phpinfo.php.save
https://example.tld/tmp/info.php.save
https://example.tld/test/phpinfo.php
https://example.tld/admin/info.php
https://example.tld/dev/info.php
https://example.tld/admin/info.php.save
https://example.tld/admin/phpinfo.php.save
https://example.tld/test/phpinfo.php.save
https://example.tld/tmp/phpinfo.php
https://example.tld/php_info.php.tmp
https://example.tld/info.php.tmp
https://example.tld/test.php.tmp
https://example.tld/info.php~
https://example.tld/php_info.php.swp
https://example.tld/info.php.swp
https://example.tld/php_info.php.backup
https://example.tld/php_info.php~
https://example.tld/phpinfo.php.tmp
https://example.tld/phpinfo.php~
https://example.tld/test.php.swp
https://example.tld/test.php~
https://example.tld/test.php.backup
https://example.tld/phpinfo.php.swp
https://example.tld/phpinfo.php.backup
https://example.tld/test.php.ori
https://example.tld/info.php.backup
https://example.tld/php_info.php.ori
https://example.tld/info.php.ori
https://example.tld/php_info.php.save
https://example.tld/info.php.bak
https://example.tld/php_info.php.old
https://example.tld/test.php.save
https://example.tld/test.php.old
https://example.tld/php_info.php.bak
https://example.tld/phpinfo.php.old
https://example.tld/phpinfo.php.save
https://example.tld/phpinfo.php.ori
https://example.tld/info.php.old
https://example.tld/test.php.bak
https://example.tld/phpinfo.php.bak
https://example.tld/info.php.save
https://example.tld/check.php
https://example.tld/diagnostic.php
https://example.tld/phptest.php
https://example.tld/info2.php
https://example.tld/pi.php
https://example.tld/server.php
https://example.tld/php_version.php
https://example.tld/debug.php
https://example.tld/php.php
https://example.tld/i.php
https://example.tld/phpversion.php
https://example.tld/test.php
https://example.tld/phpinfo
https://example.tld/serverinfo.php
https://example.tld/info1.php
https://example.tld/php_info.php
https://example.tld/info.php
https://example.tld/_profiler/phpinfo
https://example.tld/storage/.env.bak
https://example.tld/vendor/.env.save
https://example.tld/storage/.env.old
https://example.tld/phpinfo.php
https://example.tld/storage/.env.save
https://example.tld/vendor/.env
https://example.tld/storage/.env
https://example.tld/themes/.env.save
https://example.tld/vendor/.env.old
https://example.tld/themes/.env.bak
https://example.tld/vendor/.env.bak
https://example.tld/themes/.env.old
https://example.tld/plugins/.env.old
https://example.tld/themes/.env
https://example.tld/plugins/.env.bak
https://example.tld/core/.env.old
https://example.tld/modules/.env.save
https://example.tld/plugins/.env
https://example.tld/core/.env.bak
https://example.tld/modules/.env
https://example.tld/modules/.env.bak
https://example.tld/plugins/.env.save
https://example.tld/modules/.env.old
https://example.tld/core/.env.save
https://example.tld/system/.env.bak
https://example.tld/system/.env.old
https://example.tld/lib/.env.old
https://example.tld/lib/.env.save
https://example.tld/lib/.env.bak
https://example.tld/system/.env.save
https://example.tld/application/.env.bak
https://example.tld/system/.env
https://example.tld/application/.env.save
https://example.tld/application/.env.old
https://example.tld/application/.env
https://example.tld/includes/.env.old
https://example.tld/assets/.env.save
https://example.tld/lib/.env
https://example.tld/includes/.env.save
https://example.tld/assets/.env
https://example.tld/assets/.env.bak
https://example.tld/assets/.env.old
https://example.tld/includes/.env
https://example.tld/includes/.env.bak
https://example.tld/public/.env.old
https://example.tld/public/.env.bak
https://example.tld/public/.env.save
https://example.tld/config/.env.old
https://example.tld/src/.env
https://example.tld/public/.env
https://example.tld/src/.env.old
https://example.tld/src/.env.bak
https://example.tld/config/.env.bak
https://example.tld/src/.env.save
https://example.tld/config/.env
https://example.tld/config/.env.save
https://example.tld/app/.env.save
https://example.tld/api/.env.old
https://example.tld/app/.env
https://example.tld/app/.env.old
https://example.tld/app/.env.bak
https://example.tld/api/.env.bak
https://example.tld/api/.env
https://example.tld/api/.env.save
https://example.tld/.env.dist
https://example.tld/admin/.env.save
https://example.tld/admin/.env.old
https://example.tld/admin/.env.bak
https://example.tld/.env.tmp
https://example.tld/.env.save
https://example.tld/.env.ori
https://example.tld/.env.swp
https://example.tld/.env.sample
https://example.tld/.env.old
https://example.tld/.env~
https://example.tld/.env.test
https://example.tld/.env.backup
https://example.tld/.env.production
https://example.tld/.env.development
https://example.tld/.env.staging
https://example.tld/.env.prod
https://example.tld/.env.dev
https://example.tld/.env.local
https://example.tld/?rest_route=/wp/v2/users/
https://example.tld/telescope/requests
https://example.tld/s/033323e24363e2033313e24393/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
https://example.tld/.DS_Store
https://example.tld/_all_dbs
https://example.tld/login.action
https://example.tld/server-status
https://example.tld/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application
https://example.tld/v2/_catalog
https://example.tld/debug/default/view?panel=config
https://example.tld/about
https://example.tld/.vscode/sftp.json
https://example.tld/server
https://example.tld/actuator/env
https://example.tld/@vite/env
https://example.tld/api/swagger.json
https://example.tld/api-docs/swagger.json
https://example.tld/v3/api-docs
https://example.tld/v2/api-docs
https://example.tld/swagger/v1/swagger.json
https://example.tld/swagger.json
https://example.tld/webjars/swagger-ui/index.html
https://example.tld/swagger/swagger-ui.html
https://example.tld/swagger/index.html
https://example.tld/swagger-ui.html
https://example.tld/api/gql
https://example.tld/graphql/api
https://example.tld/api/graphql
https://example.tld/api
https://example.tld/graphql
https://example.tld/wp-admin/
https://example.tld/wp-login.php
https://example.tld/sitemap.xml
https://example.tld/wp-content/debug.log
https://example.tld/storage/logs/laravel.log
https://example.tld/logs/debug.log
https://example.tld/logs/access.log
https://example.tld/logs/error.log
https://example.tld/php_errors.log
https://example.tld/debug.log
https://example.tld/access.log
https://example.tld/error.log
https://example.tld/.npmrc
https://example.tld/gradle.properties
https://example.tld/deploy.sh
https://example.tld/terraform.tfvars
https://example.tld/credentials.json
https://example.tld/local_settings.py
https://example.tld/config/secrets.yml
https://example.tld/appsettings.json
https://example.tld/application.yml
https://example.tld/application.properties
https://example.tld/README.md
https://example.tld/.aws/credentials
https://example.tld/docker-compose.override.yml
https://example.tld/docker-compose.yml
https://example.tld/config/database.yml
https://example.tld/settings.py
https://example.tld/wp-config.php.bak
https://example.tld/backup/phpinfo.php
https://example.tld/private/info.php
https://example.tld/staging/phpinfo.php
https://example.tld/server/phpinfo.php
https://example.tld/config/phpinfo.php
https://example.tld/infos.php
https://example.tld/pinfo.php
https://example.tld/dashboard/phpinfo.php
https://example.tld/tool/view/phpinfo.view.php
https://example.tld/packages/api/.env
https://example.tld/apps/web/.env
https://example.tld/.env.example
https://example.tld/@fs/etc/passwd?import&?inline=1.wasm?init?import&?inline=1.wasm?init
https://example.tld/@fs/etc/passwd?raw???raw??
https://example.tld/invoice-eu-nl
https://example.tld/?screenshotCacheBust=1762874009643
https://example.tld/.git/refs/heads/main
https://example.tld/.git/packed-refs
https://example.tld/.git/info/exclude
https://example.tld/.git/index
https://example.tld/.git/objects/info/packs
https://example.tld/.git/ORIG_HEAD
https://example.tld/.git/refs/remotes/origin/HEAD
https://example.tld/.git/refs/heads/master
https://example.tld/.git/HEAD
https://example.tld/%27https:/cdn.example-cdn.tld/i/js/jquery/jquery.masonry.minef70.js?ver=3.1.2b'
https://example.tld/wordpress/
https://example.tld/?screenshotCacheBust=1762281720199
https://example.tld/?screenshotCacheBust=1762281718207
https://example.tld/err-50084
Stay safe,
Proost,