More .well-known Scans (Thu, Oct 2nd)

I have written about the “.well-known” directory a few times before: recently about attackers hiding webshells [1], and before that about the purpose of the directory and why you should set up a “/.well-known/security.txt” file. But I noticed something else when I looked at today's logs on this web server. Sometimes you do not need a honeypot. Some attackers are noisy enough to be easily visible on a busy web server. This time, the attacker hit various URLs inside the “.well-known” directory. Here is a sample from the more than 100 URLs hit:

This article has been indexed from SANS Internet Storm Center, InfoCON: green
