30-min poll since run #53 (07:08:49Z). Bilale silent ~16h (chat last 15:07:48Z 2026-05-15; 09:38 in France — likely waking soon). github_notifications: 0. approval_queue empty. tasks.json waiting_on_bilale unchanged at 4 items. focus.md unchanged.

| Time | IP | Path / response | Classification |
|---|---|---|---|
| 07:11:26Z | 54.67.34.241 | POST /mcp/sse 405/18 | Stuck-client (lesson 38) — same actor that POSTs /mcp 400. The SSE 405 is correct nginx method-not-allowed (we only POST to /mcp, not /mcp/sse). Noise. |
| 07:15:58Z | 172.69.22.166 | POST /mcp 200 ×2 (1182+41557) | Cloudflare ke/JS regular (lesson 37). |
| 07:21:06Z | 43.134.111.60 | GET / 400/264 (iOS13.2.3 UA) | Tencent Cloud iOS13.2.3 swarm (lesson 48) — N=27th IP observed. 400 because client sent malformed HTTP/1.1 request (no Host header or similar). Count as same entity, not new visitor. |
| 07:23:22-24Z | 212.102.40.218 | 10× binary TLS-on-port-80 → 400/166 each | Someone speaking TLS to our HTTP port. nginx rejects cleanly with 400. Generic scanner noise — common probe pattern for finding misconfigured servers. WHOIS: TeliaSonera Netherlands. No follow-up. Noise. |
| 07:30:37-07:31:35Z | 20.82.92.251 | ~25 credential probes in 60s: /.env*, /wp-config*, /.git/config, /config/database.yml, /config/secrets.yml, /settings.py, /application.properties, /application.yml → all 301/178 (HTTP→HTTPS redirect, client didn't follow) except final /application.yml retry on HTTPS → 404/22 | Azure US (Microsoft) Python aiohttp/3.9.1 credential scanner. Different fingerprint from 195.178.110.132 (which was a single-burst 248-req full OWASP set with browser UAs); this one is Python aiohttp on Azure with smaller targeted credential dictionary. Same scanner class, different actor. No leak — all 301 because client didn't honor redirects to HTTPS. Generic noise. |
| 07:30:58–07:31:17Z | 172.71.154.82 | POST /mcp 200 ×4 | Cloudflare ke/JS normal traffic. |
| 07:34:16Z | 172.236.228.38 | NEW IP, GET / 200/8048, UA Chrome/108.0.0.0 macOS 13.1 | 3rd hit from 172.236.228.0/24 Akamai/Linode US cluster. Grepped logs: same /24 has visited at 15-May 23:38:27Z (172.236.228.229), 16-May 06:20:16-17Z (172.236.228.198 — interesting: first GET 301, then re-GET 200 with Referer http://207.148.107.2/ = OUR public IP), and now .38 at 07:34:16Z. All 3 IPs share IDENTICAL UA (Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36). All 3 hit ONLY / (200/8048) and stop — no follow to robots.txt, sitemap, /.well-known, or any other path. Pattern interpretation: ONE harvester distributing across Linode US egress IPs, sampling our homepage at ~8h cadence. NOT a credential scanner (zero /.env/.git probes). NOT the Tencent swarm (different UA, different target — Tencent reads protocol pages, this one only reads /). Most likely: SEO HTML-extractor / content monitoring service / generic web-archive bot. Decision: do NOT add lesson yet (N=3 over 8h is borderline — lesson 48 went in at N=10+ across 26 IPs). Watch list 24h. If a 4th IP from same /24 appears in next 12h, formalize as lesson 54 (Linode US Chrome108-Mac harvester). |
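
The grouping behind the 172.236.228.0/24 classification above (same /24, identical UA, only GET /), as an added example that is not part of the original log. It assumes nginx "combined" log format; the sample lines are constructed from the hits described in the table, and `root_only_clusters` and `min_ips` are hypothetical names.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: nginx "combined" format; the page does not show raw log lines.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36")

# Constructed sample lines; sizes and the non-harvester UAs are placeholders.
SAMPLE = [
    f'172.236.228.229 - - [15/May/2026:23:38:27 +0000] "GET / HTTP/1.1" 200 8048 "-" "{UA}"',
    f'172.236.228.198 - - [16/May/2026:06:20:16 +0000] "GET / HTTP/1.1" 301 178 "-" "{UA}"',
    f'172.236.228.198 - - [16/May/2026:06:20:17 +0000] "GET / HTTP/1.1" 200 8048 "http://207.148.107.2/" "{UA}"',
    f'172.236.228.38 - - [16/May/2026:07:34:16 +0000] "GET / HTTP/1.1" 200 8048 "-" "{UA}"',
    '20.82.92.251 - - [16/May/2026:07:30:37 +0000] "GET /.env HTTP/1.1" 301 178 "-" "Python/3.11 aiohttp/3.9.1"',
    '20.82.92.251 - - [16/May/2026:07:30:38 +0000] "GET /.git/config HTTP/1.1" 301 178 "-" "Python/3.11 aiohttp/3.9.1"',
    '172.71.154.82 - - [16/May/2026:07:30:58 +0000] "POST /mcp HTTP/1.1" 200 1182 "-" "-"',
]


def root_only_clusters(lines, min_ips=3):
    """Return {(/24, UA): sorted IPs} for groups whose every request is GET /."""
    requests = defaultdict(set)  # (net, ua) -> set of (method, path) seen
    sources = defaultdict(set)   # (net, ua) -> distinct source IPs
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed requests (e.g. TLS bytes on port 80) do not parse
        net = ipaddress.ip_network(m["ip"] + "/24", strict=False)
        key = (str(net), m["ua"])
        requests[key].add((m["method"], m["path"]))
        sources[key].add(m["ip"])
    # Keep only groups with enough distinct IPs that never asked for anything but /.
    return {
        key: sorted(sources[key], key=ipaddress.ip_address)
        for key in sources
        if len(sources[key]) >= min_ips and requests[key] == {("GET", "/")}
    }


if __name__ == "__main__":
    for (net, ua), ips in root_only_clusters(SAMPLE).items():
        print(net, len(ips), "IPs, root-only:", ", ".join(ips))
```

Raising `min_ips` moves the point at which a cluster is reported, which matches the log's distinction between a watch-list entry and a formal lesson.
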

| Entity | Last seen | Time since | Watch deadline |
|---|---|---|---|
| 47.55.222.212 (Bell Canada Codex human) | 03:12:43Z (Sun) | ~4h25m | ~19h35m. Sunday-morning ET window closed; next likely return window Sunday-evening or Monday. |
| 134.33.11.35 (AT&T US Go-http-client dev) | ~06:00Z | ~97m | 24h watch — well within window |
| 13.x.x.x (Microsoft Azure MCP prober run #50) | ~05:30Z | ~2h | likely one-off |
| 185.220.236.62 (Tor exit Mac Chrome reader) | 02:53Z | ~4h45m | ~19h15 remaining |
| 17.241.0.0/16 (Applebot) | 02:59Z | ~4h40m | sitemap fetch pending in 1-72h window |
| 212.11.41.200 (undici Glama probe) | 02:00:57Z | ~7h30m | testing upper bound |
| 47.250.0.0/15 (Alibaba US cluster) | 06:03:01Z | ~1h35m | 24h watch from exposure |
| 143.198.225.197 (DO scanner, returned cleanly HTTPS) | 06:14:40Z | ~1h25m | 24h watch from 06:14:40Z |
| 65.49.1.0/24 (lesson 51 actor) | 04:57Z | ~2h40m | 24h watch |
| 61.224.85.26 (Taiwan Hinet reader) | 15-May 16:38Z | ~15h | ~9h remaining |
| mcp-dcr-hunter/2.0 UA | 15-May ~17h | ~14h30 | ~9h30 remaining |
| 207.90.244.2 (single-IP UA-rotation, run #41) | 15-May ~23h | ~8h30 | ~15h30 remaining |
| NEW: 172.236.228.0/24 (Linode US Mac-Chrome108 harvester) | 07:34:16Z | 0 | 24h watch from now |

{"ts": "2026-05-16T07:38:30Z", "action": "run #54: 30-min poll. Notable: (1) New pattern detected — Linode US /24 cluster 172.236.228.0/24 has now hit 3 distinct IPs (.229 + .198 + .38) over 8h all sharing identical UA Chrome/108.0.0.0 macOS 13.1, all hitting ONLY GET / 200/8048 with no follow-up to robots.txt or any other path. The .198 hit on 06:20 used Referer http://207.148.107.2/ = our public IP, suggesting they discovered us via IP scan. NOT a credential scanner (zero /.env probes). NOT the Tencent swarm (different UA, different target). Most likely a SEO/content harvester sampling our homepage on rotating Linode egress. N=3 is borderline for a lesson — holding off until N=5+ or behavior generalizes. 24h watch. (2) Azure US 20.82.92.251 Python aiohttp credential scanner — ~25 probes of /.env*, /.git/config, /wp-config*, /config/database.yml, /settings.py, /application.yml — all 301 (client didn't follow HTTPS redirect) except one 404. Generic Azure-hosted scanner class; no leak. (3) TLS-on-port-80 garbage from 212.102.40.218 (TeliaSonera NL) — 10× 400 cleanly rejected. Noise. (4) Tencent Cloud lesson 48 swarm 27th IP observed (43.134.111.60). (5) Cloudflare ke/JS normal hourly traffic. (6) Zero watchlist returns — Bell Canada Codex (~4h25m, Sunday-morning ET window closed), AT&T Go dev (~97m), Azure prober (~2h likely one-off), Alibaba cluster (~1h35m), Applebot sitemap fetch still pending. Bilale ~16h offline; 09:38 in France so very likely waking soon.", "outcome": "0 commits, 0 approval cards, 0 lesson updates; new Linode US /24 homepage-harvester pattern on 24h watch (N=3, needs N≥5 for lesson)", "next_focus_suggestion": "next run (~08:08Z): (1) HIGH PRIORITY — Bilale likely waking in France (09:38 → 10:08 now), check chat for any new directive and prepare answer; (2) check whether 172.236.228.0/24 returns with a 4th IP — would solidify the Linode harvester pattern toward a lesson; (3) check whether Bell Canada Codex returns from a Sunday-evening ET window; (4) Applebot sitemap fetch still pending; (5) undici Glama probe now ~7h30 since exposure — testing 8h-9h upper bound."}