Lazy Code for Lazy Bots for Lazy Hackers
January 14, 2025
When I watch server logs I see a lot of hacking attempts. They aren’t very sophisticated, but probably about 50% of my traffic is straight-up fishing for lazy code: things like GET /.env, where they are looking for credentials stored in an environment file, or GET /xmlrpc.php, the old WordPress XML-RPC endpoint that connected WordPress to other applications (and is still out there).
These attempts usually just get the bot that’s crawling the internet a 404 Not Found, but it’s a bot… the bot doesn’t care, and it just keeps slowly crawling the internet until it finds an old WordPress site with some juicy credentials, or a .env file that lets its owner take over your AWS servers.
A slow, lazy search of the Internet for lazy developers who haven’t closed the back doors.
Obviously, rule number one, don’t store your credentials anywhere that can be exposed by your web server. And, security through obscurity, like using folders and different naming conventions, doesn’t really help… the bots have all the time in the world.
Here’s a little sample of a bot rummaging around one of my websites:
193.41.206.24 - - [13/Jan/2025:16:35:23 +0000] "GET /.aws/secrets/ HTTP/1.1" 301 620 "-" "-"
193.41.206.24 - - [13/Jan/2025:16:35:25 +0000] "GET /.aws/secretsmanager/ HTTP/1.1" 301 634 "-" "-"
193.41.206.24 - - [13/Jan/2025:16:35:33 +0000] "GET /secrets/aws_credentials.json HTTP/1.1" 301 650 "-" "-"
193.41.206.24 - - [13/Jan/2025:16:35:33 +0000] "GET /secrets/aws_config.json HTTP/1.1" 301 640 "-" "-"
193.41.206.24 - - [13/Jan/2025:16:35:34 +0000] "GET /wp-content/uploads/secrets.json HTTP/1.1" 301 656 "-" "-"
193.41.206.24 - - [13/Jan/2025:22:24:21 +0000] "GET /.aws/secrets/ HTTP/1.1" 301 599 "-" "-"
193.41.206.24 - - [13/Jan/2025:22:24:22 +0000] "GET /.aws/secretsmanager/ HTTP/1.1" 301 613 "-" "-"
193.41.206.24 - - [13/Jan/2025:22:24:34 +0000] "GET /config/secrets/prod/aws_config.json HTTP/1.1" 301 643 "-" "-"
193.41.206.24 - - [13/Jan/2025:22:24:34 +0000] "GET /config/secrets/prod/aws_credentials.json HTTP/1.1" 301 653 "-" "-"
193.41.206.24 - - [13/Jan/2025:22:24:34 +0000] "GET /config/secrets/dev/aws_credentials.json HTTP/1.1" 301 651 "-" "-"
193.41.206.24 - - [13/Jan/2025:22:24:34 +0000] "GET /config/secrets/dev/aws_config.json HTTP/1.1" 301 641 "-" "-"
I don’t have any credentials you can actually read anywhere on my servers, but that doesn’t stop the bot from drilling in and continuing to look even though it keeps getting a 301 Redirect. It just keeps looking because eventually, if not on my server, it will find something somewhere that it can report back to its owner for someone to exploit.
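As an added example (not code from the post), here is a small Python script that parses access-log lines in the combined format shown above, flags requests for credential-bearing paths, and groups them by client IP. The check that matters most is whether any probe was answered with a 200, since a 301 or 404 means the server gave nothing away. The probe patterns are my own starting list, and the sample log lines are constructed for this example using documentation IP addresses rather than the address in the post.

```python
import re
from collections import defaultdict

# Regex for the Apache/nginx Combined Log Format (the format of the lines in the post).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths that only credential-hunting bots ask for on a site that does not serve them.
# Assumption: this is a starting list; extend it for your own stack.
SECRET_PROBES = [
    re.compile(p, re.IGNORECASE) for p in (
        r'^/\.env\b',                   # dotenv files
        r'^/\.aws/',                    # AWS CLI config and credentials
        r'^/\.git/',                    # exposed repositories
        r'aws_credentials|aws_config',  # the JSON names seen in the post's log
        r'/secrets?[/.]',               # /secrets/..., secrets.json
        r'^/wp-config\.php',            # WordPress database credentials
        r'^/xmlrpc\.php',               # old WordPress RPC endpoint
    )
]

# Constructed sample log: one bot probing (203.0.113.5) and one client that was
# actually handed wp-config.php (198.51.100.7). Both IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jan/2025:16:35:23 +0000] "GET /.aws/secrets/ HTTP/1.1" 301 620 "-" "-"
203.0.113.5 - - [13/Jan/2025:16:35:25 +0000] "GET /.env HTTP/1.1" 404 162 "-" "-"
203.0.113.5 - - [13/Jan/2025:16:35:33 +0000] "GET /secrets/aws_credentials.json HTTP/1.1" 301 650 "-" "-"
198.51.100.7 - - [13/Jan/2025:16:40:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jan/2025:16:40:03 +0000] "GET /wp-config.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_secret_probe(path):
    """True if the request path matches one of the credential-hunting patterns."""
    return any(p.search(path) for p in SECRET_PROBES)


def summarize(lines):
    """Group probe hits by client IP: hit count, distinct paths, and status codes returned."""
    report = defaultdict(lambda: {"hits": 0, "paths": set(), "statuses": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_secret_probe(rec["path"]):
            continue
        entry = report[rec["ip"]]
        entry["hits"] += 1
        entry["paths"].add(rec["path"])
        entry["statuses"].add(rec["status"])
    return dict(report)


def served_probes(lines):
    """The real alarm: probes that got a 200, meaning the server handed the file over."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "200" and is_secret_probe(rec["path"]):
            hits.append((rec["ip"], rec["path"]))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, info in summarize(lines).items():
        print(f"{ip}: {info['hits']} probes, statuses {sorted(info['statuses'])}")
    for ip, path in served_probes(lines):
        print(f"SERVED: {ip} was given {path}")
```

Run it against a real log with `summarize(open("access.log"))`; anything `served_probes` returns deserves immediate attention, while the rest is just the background noise the post describes.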
I know you’re thinking, “we would never leave security keys just laying around!” But you do. If you use WordPress (which around 60% of businesses in the world do) and if you host that WordPress yourself (as about 50% of WordPress installs are, meaning 30% of business websites), you have a website with a config file that has your database keys.
That config file should be locked away so no one can see it but your WordPress admin and code. Should be. But… we get in a hurry… we assume and don’t double-check things… we use a guy we trusted who wasn’t actually as good as we thought… we get comfortable because we haven’t been hacked yet. Yet.
I saw a guesstimate statistic that 13,000 WordPress sites are hacked EVERY DAY. It’s not because there is some brilliant mastermind sitting in a darkened room with a dozen monitors wrapped around a desk supporting stacks of interconnected computers. It’s because our websites are a wee bit too complicated to really understand, and we leave clues to how to hack them strewn all over the file system.
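One way to double-check before you get hacked is to audit the document root itself for the leftovers the bots are hunting. The following Python script is an added example, not code from the post: it walks a web root, reports credential-bearing files and directories (the name list is my own assumption, seeded from the paths in the log above), and notes which of them are world-readable. The WordPress-like sample tree it builds is constructed for the demonstration and contains only placeholder values.

```python
import os
import re
import stat
import tempfile

# Names that carry credentials and should never be reachable through the web server.
# Assumption: a starting list seeded from the probes in the post; extend for your stack.
SENSITIVE_NAMES = re.compile(
    r'^(\.env(\..*)?|wp-config\.php|credentials|id_rsa|aws_(config|credentials)\.json'
    r'|.*secrets?.*\.(json|ya?ml|txt)|\.git|\.aws|\.ssh)$',
    re.IGNORECASE,
)


def audit_docroot(root):
    """Walk a document root and report sensitive files/dirs found under it.

    Returns a sorted list of dicts: path (relative to root), kind, world_readable.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if not SENSITIVE_NAMES.match(name):
                continue
            full = os.path.join(dirpath, name)
            mode = os.stat(full).st_mode
            findings.append({
                "path": os.path.relpath(full, root),
                "kind": "dir" if stat.S_ISDIR(mode) else "file",
                "world_readable": bool(mode & stat.S_IROTH),
            })
        # A flagged directory (.git, .aws, .ssh) is reported once, not file by file.
        dirnames[:] = [d for d in dirnames if not SENSITIVE_NAMES.match(d)]
    return sorted(findings, key=lambda f: f["path"])


def build_sample_docroot(base):
    """Create a constructed WordPress-like tree with the kinds of leftovers bots look for."""
    layout = {
        "index.php": "<?php echo 'hello';",
        "wp-config.php": "<?php define('DB_PASSWORD', 'placeholder');",
        ".env": "AWS_SECRET_ACCESS_KEY=placeholder",
        "wp-content/uploads/secrets.json": "{}",
        "config/secrets/prod/aws_credentials.json": "{}",
        "wp-content/themes/readme.txt": "nothing to see",
    }
    for rel, body in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(base, ".env"), 0o644)           # left world-readable
    os.chmod(os.path.join(base, "wp-config.php"), 0o640)  # locked to owner and web group


def demo():
    """Build the constructed tree in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_docroot(tmp)
        return audit_docroot(tmp)


if __name__ == "__main__":
    for f in demo():
        flag = "FIX" if f["world_readable"] else "ok "
        print(f"[{flag}] {f['kind']}: {f['path']}")
```

Point `audit_docroot` at a real document root (for example `/var/www/html`) and anything it lists is a file the bots above are already asking for; a world-readable hit is the one to fix first, either by moving the file out of the web root or by locking its permissions and blocking it in the web server config.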
The hackers can afford to use lazy bots to do their lazy hacking because… we have lazy websites.
This is why I keep promoting my serverless website architecture -- you don't need all that database tech sitting right there with your content. You don't need a full stack that wraps your admin tools in the same security blanket as your public web content. You need to separate your sensitive data and functions from your presentation layer so you don't give the lazy hackers the keys to the city.
I'm working on a platform to make it easy to migrate… it feels like a heavy lift to move from something like WordPress to a serverless platform, but honestly, you get a lot more lazy days when you're not worried about being hacked every day.