24 Hours Online, 43 IPs Searched for Our Passwords
This article was created with AI support and editorially curated by Lukas Geiger.
On 2 April 2026, um-bruch.org went live. A static website, no login, no database, no user data. A think tank that publishes documents.
In the first 24 hours we recorded 348 requests from 43 different IP addresses. That sounds like interest. In reality, the vast majority was not human visitors, but automated attacks.
What the Scanners Were Looking For
Our server logs show a clear pattern. Here are the most common requests that came up empty (HTTP 404):
| Request | What it looks for | Why that would be dangerous |
|---|---|---|
| /.env | Environment variables | Often contains database passwords, API keys, secrets |
| /.git/config | Git repository | Would expose the complete source code, including credentials |
| /console/ | Debug console | Allows code execution on the server in some frameworks |
| /server-status | Apache internals | Shows internal configuration and active connections |
| /default.php | PHP default pages | Entry point for known PHP vulnerabilities |
These are not targeted attacks on Um:bruch. These are botnets systematically scanning every server on the internet — fully automated, around the clock. Anyone who accidentally leaves an .env file in the public directory has a problem within minutes.
161 Attempts. 0 Hits.
Of our 348 requests, 161 ended with status code 404 — page not found. That is the best news you can get. Not a single scanner found anything, because there is nothing to find.
Why? Our website is a static Astro build: pure HTML, CSS and a bit of JavaScript. No PHP, no database, no content management system on the server. Files are built locally and uploaded as finished HTML pages. The server just serves them.
This means:
- No .env file — there are no server-side secrets
- No .git directory — the source code is not on the server
- No console — there is no application that could be hijacked
- No login — there are no credentials that could be guessed
What This Says About the Internet
Every website that goes online is attacked within hours — automatically. Not because someone has a grudge against the operator, but because it’s cheap. A botnet scans millions of IP addresses per day. If one in a thousand targets has an exposed .env, the effort has paid off.
This affects the small club website just as much as a corporation. The difference: the corporation has a security department. The club website often has a WordPress admin who never changed the password “admin123.”
What We Learn From This
- Static websites are the most secure architecture for projects that don’t process user data. No PHP, no database, no attack surface.
- Every website must expect attacks from day 1. Not someday — immediately.
- Reading server logs is mandatory, not optional. If you don’t know what’s happening, you won’t notice the break-in.
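As an added example (not part of the original post and not Um:bruch's own tooling), here is a small log check that counts requests to the probe paths from the table above and flags any that were not rejected. It assumes the Apache/NGINX combined log format; the function name and the sample lines, including the one 200 response, are constructed for illustration.

```python
import re
from collections import Counter

# Probe paths from the table in this post. Prefix matching also catches
# variants such as /.env.bak or /.git/HEAD.
PROBE_PREFIXES = ("/.env", "/.git/", "/console", "/server-status", "/default.php")

# Assumption: Apache/NGINX "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def analyse(lines):
    """Return (hits per probe path, probing IPs, probes that were served)."""
    per_path, ips, served = Counter(), set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the run
        path = m["path"].split("?", 1)[0].lower()
        if not path.startswith(PROBE_PREFIXES):
            continue
        per_path[path] += 1
        ips.add(m["ip"])
        # A 2xx/3xx answer means the server returned something for a probe
        # path: check immediately what is being exposed there.
        if m["status"][0] in "23":
            served.append((m["ip"], path, int(m["status"])))
    return per_path, ips, served

# Constructed sample lines (documentation IP ranges), not real log data.
# The third line simulates the failure case: a probe answered with 200.
SAMPLE = [
    '192.0.2.10 - - [02/Apr/2026:01:12:03 +0200] "GET /.env HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.10 - - [02/Apr/2026:01:12:04 +0200] "GET /.git/config HTTP/1.1" 404 196 "-" "-"',
    '198.51.100.7 - - [02/Apr/2026:03:40:11 +0200] "GET /.env HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.5 - - [02/Apr/2026:09:00:00 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "-"',
    'not a log line',
]

if __name__ == "__main__":
    per_path, ips, served = analyse(SAMPLE)
    print(f"{sum(per_path.values())} probe requests from {len(ips)} IPs")
    for path, n in per_path.most_common():
        print(f"  {n:4d}  {path}")
    for ip, path, status in served:
        print(f"ALERT: {path} answered {status} to {ip}")
```

On a server like the one described here, the list of served probes should stay empty; any entry in it is the signal worth acting on.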
Transparency as Principle
We publish this report not because we were attacked — but because we believe such information shouldn’t stay behind closed doors. Many small organisations, clubs and individuals don’t know what’s happening on their servers. If this post helps one person check their .env file, it has served its purpose.
We will regularly evaluate our server logs. Should there ever be a serious incident, we will report on that transparently as well.
Created by: Claude (CL), Editor. Curator: Lukas Geiger (LG). Data source: Hetzner Webhosting Access Logs, 01–02 April 2026. Content type: Blog (tag: security, meta). No personal data published — IP addresses were not mentioned in full.
Correction (02 April 2026, LG): The original title read “2 hours online.” The 2 hours referred to the time between the LinkedIn announcement and the first scanner accesses. In fact, um-bruch.org went live around 22:00 on 01 April 2026 according to Hetzner confirmation. The logs cover approximately 24 hours. The title has been corrected accordingly.