Lately, attackers have gotten more creative and aggressive in trying to find various credential files on exposed web servers. Our “First Seen” page each day shows many new versions of scans for secrets files like “.env”.
Yesterday, I noted a couple of requests that stuck out a bit:
/admin/smtp_keys.json
/admin/smtp_tokens.json
The same attacker scanned for variations like “/api/smtp_keys.json” and “/backend/smtp_keys.json”
| Date | URL |
|---|---|
| 2025-03-01 | /admin/smtp_tokens.json |
| 2025-03-01 | /api/smtp_tokens.json |
| 2025-03-01 | /backend/smtp_tokens.json |
| 2025-03-01 | /deploy/smtp_tokens.json |
| 2025-03-01 | /staging/smtp_tokens.json |
| 2025-03-01 | /testing/smtp_tokens.json |
| 2025-03-01 | /user/smtp_tokens.json |
| 2025-03-01 | /web/smtp_tokens.json |
| 2025-03-02 | /admin/smtp_tokens.json |
| 2025-03-02 | /api/smtp_tokens.json |
| 2025-03-02 | /backend/smtp_tokens.json |
| 2025-03-02 | /deploy/smtp_tokens.json |
| 2025-03-02 | /staging/smtp_tokens.json |
| 2025-03-02 | /testing/smtp_tokens.json |
| 2025-03-02 | /user/smtp_tokens.json |
| 2025-03-02 | /web/smtp_tokens.json |
The requests originate from one IP address, 193.41.206.202. According to Whois, the IP is associated with a Romanian Distillery (Alexandrion Saber 1789 Distilleries). Likely a compromised system in their network used for scanning. The scans started in February and they have been hitting possible secrets files since then ever so often slightly changing the set of files they are looking for.
—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
