The latest articles on DEV Community by sashi sharma (@sashi_sharma_311f98faf173). https://dev.to/sashi_sharma_311f98faf173 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1915907%2F0a816465-1a67-4031-a1c6-c1d2f203727d.png https://dev.to/sashi_sharma_311f98faf173 en sashi sharma Thu, 19 Mar 2026 14:46:05 +0000 https://dev.to/sashi_sharma_311f98faf173/thirty-minutes-after-going-public-my-server-logs-looked-like-a-crime-scene-3e6i https://dev.to/sashi_sharma_311f98faf173/thirty-minutes-after-going-public-my-server-logs-looked-like-a-crime-scene-3e6i <p>Thirty minutes after going public, my server logs looked like a crime scene. I deployed to Railway and panicked. WordPress bots, phishing kit scanners, ID enumeration — and then the real problem hit.</p> <p><strong>It was DNS all along.</strong></p> <p>I Thought My Server Was Hacked. It Wasn’t.<br> I recently deployed my FastAPI backend to <strong>Railway (Paid Tier)</strong>. The dashboard was <strong>green</strong>, the deployment was successful, and everything looked perfect. Then I opened the server logs.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1e7e9f8ur5x9zt9koqpp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1e7e9f8ur5x9zt9koqpp.png" alt=" " width="800" height="377"></a></p> <p>I saw a flood of requests for paths I never created. There were .php files hitting a Python app and weird strings like sberchat.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Mar 19 2026 17:56:41 GET /blogs/by/wp-admin/setup-config.php 404 696ms Mar 19 2026 17:59:52 GET /blogs/by/wordpress/wp-admin 404 966ms Mar 19 2026 17:59:52 GET /store/public/by/wordpress 404 990ms Mar 19 2026 17:59:52 GET /posts/by/wordpress/wp-admin/setup-config 404 1s What Was Actually Happening? After the initial panic, I realized these weren't targeted attacks. </code></pre> </div> <p>WordPress &amp; PHP Scanners: Bots scan every public IP constantly. Since I’m running FastAPI (Python), my server returned a 404, and the bot moved on. This is pure background noise.</p> <p>"Sberchat" TDS Probes: These bots are looking for their own phishing kits that might already be installed on compromised servers.</p> <p>Account Enumeration: A crawler was brute-forcing random IDs against my /accounts/public/{id} endpoint. A solid reminder to implement rate limiting using Redis.</p> <p>The Plot Twist: The Invisible Problem<br> While I was investigating these "hackers," I tried to log into my own app using my Mobile Hotspot. That’s when I saw the actual issue in the browser console: ERR_NAME_NOT_RESOLVED.</p> <p>DNS: The Hidden Culprit<br> The Railway dashboard was green. The logs showed the bots were hitting the server fine. But my carrier's DNS had a stale cache entry.</p> <p>The Fix:<br> I switched my active network interface to use Google’s DNS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>resolvectl dns 2 8.8.8.8 8.8.4.4 </code></pre> </div> <p>The Real Security Takeaways:<br> Rate limit any endpoints that accept arbitrary user IDs.</p> <p>Return 404s for unknown paths to keep your tech stack's footprint small.</p> <p>Don't trust your ISP's DNS. Using 8.8.8.8 or 1.1.1.1 is generally more reliable for developers.</p> <p>Originally published on <a href="https://www.causalblogs.com/yeturi-trilochan-sashank/linux-city-stories/thirty-minutes-after-going-public-my-server-logs-looked-like-a-crime-scene" rel="noopener noreferrer">Causalblogs</a></p>