Live-ish field report from the web gutter

t0f.nl presents BotSafari — weird visitors in their natural habitat

Some visitors used the tools. Others tried the windows. Guess which group had worse manners.

t0f.nl is the public safari hut. BotSafari is the working name for the exhibit.

Enter the paddocks View the footprint chart Fresh joke, same swamp
Cached for 300 seconds, because even bots can wait in line.
2.126Total tracksVisits, pageviews, events and useful actions. Basically footprints in the mud.
982Page-ish viewsPageviews where available, visits where the site uses that label.
77Useful actionsUploads, downloads, processing and calculations. Rare adult behaviour.
7Probable bots0,3% of tracked activity. Give or take one raccoon.

Ranger briefing

The bots continue their sacred tradition of asking every site if it is secretly WordPress.
If the bot count looks high: welcome to having a website.
Public report mode: raw IP addresses stay hidden. The animals get nicknames, not passports.
The serious number is not traffic. The serious number is useful actions.

Today's suspicious wisdom

Threat posture: irritating, not impressive.
If this scanner was a burglar, it would shout anyone home into the letterbox.
It came prepared with a dictionary and absolutely no self-awareness.
Threat posture: irritating, not impressive.
Confidence level: this visitor has never read a privacy policy, but has guessed /admin 900 times.

Apache Scanner Zoo

These are the creatures found in Apache access logs. No IPs, no raw log lines, just the mud prints. Each habitat now says whether it is a full domain, the 1de.nl root, or a subfolder.

3.500suspicious pathsKnown probes like .env, wp-login, GraphQL and friends.
1.138404 not foundRequests that knocked on doors that do not exist.
690403 forbiddenRequests that met the bouncer.
3.947bot user-agentsCreatures honest or stupid enough to say bot.

Captured species

The .env Sniffer
env_file 1.689
The Config Goblin
config_secret 664
The WordPress Archaeologist
wordpress_scan 359
The Git Goblin
git_scan 342
The Info.php Curtain Twitcher
info_test_file 158
The Backup File Vulture
backup_dump 95
The Framework Gremlin
framework_probe 56
The Composer Cupboard Rummager
vendor_composer 33
The wp-login Tourist
wp_login 31
The Dot-Dot-Slash Weasel
traversal 29

Per habitat

HabitatSuspicious404403
t0f.nl / BotSafari
full domain complete domain access log 		44 86 2
1de.nl Root
main domain root root only; /whisky, /fileshare and /rembg excluded 		2.056 481 649
Whisky
subfolder on 1de.nl only requests under /whisky 		0 0 0
Fileshare
subfolder on 1de.nl only requests under /fileshare 		0 0 0
Remove BG
subfolder on 1de.nl only requests under /rembg 		0 0 0
HeatSourceCalc
full domain complete domain access log 		1.372 476 1
CurveBox
full domain complete domain access log 		28 95 38

Favourite wrong doors

PathCount
/.git/config49
/.env43
/wp-login.php28
/.env.bak15
/.git/HEAD13
/.env.example12
/api/.env11
/backend/.env11
/app/.env11
/.env.production11

Site paddocks

Each site is treated as an exhibit. Some contain humans. Some contain things with headless browsers and no childhood.

1de.nl Root

main-domain scanner ditch
feeding
The Undefined Creature Tried to look legitimate by using punctuation.
0tracks
0views
0useful
unique
bots
0errors

Quiet as a locked shed: The paddock is empty. The raccoons may be at lunch.

Whisky

oak barrel swamp
feeding
The Clickstream Mongoose Left no referrer and no explanation.
40tracks
28views
0useful
9unique
bots
0errors

Low rumble: A modest day with modest creatures and immodest user-agents.

Fileshare

temporary upload marsh
feeding
The POST Request Woodpecker Tried to look legitimate by using punctuation.
16tracks
16views
0useful
3unique
bots
16errors

Slightly cursed: Slightly haunted, but not possessed.

Remove BG

transparent-background jungle
feeding
The Visitor Who Actually Came For The Tool Has the confidence of a scanner and the charm of a damp invoice.
36tracks
12views
22useful
9unique
bots
0errors

Actual humans detected: The tool did work for someone. This is why we tolerate the raccoons.

HeatSourceCalc

warm spreadsheet savanna
feeding
The Purposeful Clicker Tried to look legitimate by using punctuation.
933tracks
878views
55useful
unique
bots
42errors

Busy but suspicious: A lively day in the mud.

CurveBox

rounded-corner canyon
feeding
The Endpoint Tapper Approached the interface, then pretended it meant to do that.
1.025tracks
1.021views
0useful
0unique
0bots
0errors

Busy but suspicious: Lots of footprints. Not all of them came from creatures with a job.

t0f.nl / BotSafari

this exact exhibit, currently watching itself breathe
feeding
The Refresh-Button Wombat Probably harmless. Definitely annoying.
76tracks
76views
0useful
37unique
7bots
errors

Busy but suspicious: Busy enough to be interesting, weird enough to remain on-brand.

Scanner pressure chart

A practical chart: where does the bot/scanner noise actually hit? Score = suspicious paths + 404 + 403.

This replaces the old footprint chart. It compares habitats by actual scanner noise, so it is easier to see whether the trouble is on a full domain, the 1de.nl root, or only a subfolder.

1de.nl Root main domain root
3.186
HeatSourceCalc full domain
1.849
CurveBox full domain
161
t0f.nl / BotSafari full domain
132
Whisky subfolder on 1de.nl
0
Fileshare subfolder on 1de.nl
0
Remove BG subfolder on 1de.nl
0
Lower score: quiet habitat Higher score: more scanner noise

Known species guide

Not all of these were seen today. They are the usual suspects crawling around the web like they own the place.

The wp-login Tourist

visits every site as if WordPress is a religion and the login page is Mecca.

The .env Sniffer

hopes you left your secrets on the porch like a complete pudding.

The phpMyAdmin Ferret

still believes every server has a forgotten database panel under a loose tile.

The cURL Pigeon

no feathers, no cookies, no shame.

The Headless Chrome Ghost

renders the page, feels nothing, leaves silently like a divorced printer.

The SEO Meerkat

looks important, charges by the month, and keeps sniffing your headings.

The Fake Polite Crawler

says bot in the user-agent like a burglar wearing a name badge.

The Config Goblin

checks for backup files because apparently 2009 never ended.

The JSON Licker

does not understand your site, but has strong opinions about endpoints.

t0f.nl / BotSafari is a public comedy layer over sanitized aggregate stats. It does not expose raw IPs, secret keys, files, or original logs. Generated at 2026-06-26 00:40:26 server time.