The Zombie Server: How a Dead T-Shirt Store Became a Cyberattack Hub
The Vanishing Store
It started with a simple online t-shirt shop.
TeeFall.com was a small business selling “legendary” printed tees, with an Instagram page (@teetall.com) that hadn’t posted in over a year. On the surface, nothing seemed unusual.


But something was very wrong.

The website disappeared in mid-2023. The owner stopped updating social media. Yet, if you knew where to look, the digital ghost of TeeFall was still very much alive, and it was attacking people.

The Server That Shouldn’t Exist
Deep in DigitalOcean’s New Jersey data center, a forgotten server kept running.


IP address 157.230.4.229, once home to TeeFall.com, was now a hollow shell. No website, no customers… just:
- An open SSH port (22/TCP) running OpenSSH 8.9p1
- An exposed portmapper (rpcbind) service (111/TCP and UDP)
- A MongoDB instance that was publicly accessible until January 2025
The first clue?
- 9 abuse reports on AbuseIPDB… yet a 0% abuse confidence score (the score decays as reports age, so older reports alone leave it near zero)
- 59.4% of the attack traffic our traps recorded in June 2025 came from its subnet

This wasn’t just an abandoned server.
It had been repurposed.
The Attack Pattern
Our traps caught the aftermath. Here is the breakdown of attack types the attacker was sending:

The attacker was eager: over 300,000 requests arrived from this IP in a single workday hour. That volume is far above anything a person drives by hand, so alongside the manual probing described below, the host was clearly running automated tooling as well.

The phantom attacker made a critical mistake—they left their bug bounty calling card in the HTTP headers.
The Human Hacker Signature
| Key Field | Observed Value | Significance |
|---|---|---|
| Source IP | 157.230.4.229 (DigitalOcean AS14061) | Known attack subnet (59.4% of June 2025 traffic) |
| Source Ports | 36258, 36280, 36318, 36352, 36362, 36388, 36420, 36572 | Ephemeral client ports, one per request: many short-lived connections from a single host rather than a reused session |
| User Agent | Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36... | Claims to be Chrome 88 on macOS; almost certainly spoofed, since a real browser does not request API spec files on its own |
| Detection Text | “Probably Human Attacker Detected” | Behavioral analysis (882ms average request interval) |
| Target Paths | /admin-api/apidocs.yaml, /restapis/assets/doc.json, /apiexplorer | API documentation and developer-tool probing |
| Request Headers | X-Bug-Bounty: HackerOne/BugCrowd-mayonaise | Attempt to pass as a platform researcher. Programs do ask testers to send an X-Bug-Bounty: Platform-username header, but it is unauthenticated, anyone can set it, and this one names two platforms at once |
| Response Codes | 404 (all requests) | Reconnaissance found nothing: none of the probed paths existed on the target |
| Time Pattern | 882ms average between requests | Roughly one request per second, consistent with a person working a tool by hand rather than a high-rate scanner |
Our traps caught something rare—a manual attacker (not a bot) probing APIs with surgical precision.
The attacker systematically checked for:
API Documentation Leaks
```http
GET /admin-api/apidocs.yaml
GET /restapis/assets/api.json
GET /restapis/assets/index.yaml
```
A leaked Swagger/OpenAPI spec enumerates every endpoint and parameter, which saves an attacker the whole discovery phase.
Path Traversal Exploits
```http
GET /servicofotos/..%5C..%5Cwindows%5Csystem32%5Cdrivers%5Cetc%5Chosts;index.html
```
Attempted read of the Windows hosts file via directory traversal (%5C is an encoded backslash). The trailing `;index.html` is most likely a path-parameter trick: some servlet containers strip everything after the semicolon when resolving the file, while a naive extension check still sees a harmless `.html` request.
Sensitive File Probing
```http
GET /-/local/httpd$map.conf
GET /-/swagger2openapi-6.2.1.tgz
```
Probes for an Apache (httpd) configuration file and a Swagger-to-OpenAPI converter tarball.
Japanese Domain Mimicry
```http
GET /-/forcise.jp
GET /-/nature-guidance.jp
```
Paths built from Japanese domain names. Their purpose is unclear; a C2 callback setup is one possibility, but nothing in the captured traffic confirms it.
Bug Bounty Impersonation
```http
X-Bug-Bounty: HackerOne/BugCrowd-mayonaise
```
A header meant to make the traffic look like sanctioned research. Genuine programs do ask testers to send a header in this shape, which is exactly why it is worthless as evidence on its own: it is unauthenticated and anyone can add it.
Never seen before

Other malformed requests from this attacker indicate that, alongside the hand-driven probing, they also ran fuzzing tools.
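The signature table and the path catalog above can be turned into a detection that runs over ordinary access logs. The following is an added example written for this article, not the honeypot's own detection code: it normalises each requested path (percent-decoding, backslash to slash, dropping `;`-style path parameters) so the traversal and sensitive-file probes are recognised however they are encoded, tags the paths, records any X-Bug-Bounty header, and classifies each source by its average gap between requests. The JSON-lines log format, the field names, the pacing thresholds and the second source address (203.0.113.5, an RFC 5737 test address used as a contrasting scanner) are assumptions; the request paths and the header value are the ones quoted above.

```python
"""Flag hand-paced API reconnaissance in web access logs.

Added example for this article, not the honeypot's own code. The JSON-lines
format, field names and pacing thresholds are assumptions; the paths and the
X-Bug-Bounty value are the ones quoted in the write-up.
"""
import json
import re
from datetime import datetime, timedelta
from statistics import mean
from urllib.parse import unquote

# Indicator patterns, matched against the normalised path.
API_DOC_RE = re.compile(r"apidocs|swagger|openapi|apiexplorer|\.(json|ya?ml)$", re.I)
SENSITIVE_RE = re.compile(r"/etc/hosts|system32|\.(conf|env|ini)$", re.I)


def _rec(ts, ip, path, status=404, headers=None):
    """Build one constructed JSON log line."""
    return json.dumps({"ts": ts, "src_ip": ip, "method": "GET", "path": path,
                       "status": status, "headers": headers or {}})


# Constructed sample log. 203.0.113.5 (RFC 5737 test range) is a made-up
# high-rate scanner added for contrast; the first six lines replay the
# paths and header quoted in the article at roughly 882 ms spacing.
SAMPLE_LOG = [
    _rec("2025-06-12T13:00:00.000+00:00", "157.230.4.229", "/admin-api/apidocs.yaml",
         headers={"X-Bug-Bounty": "HackerOne/BugCrowd-mayonaise"}),
    _rec("2025-06-12T13:00:00.800+00:00", "157.230.4.229", "/restapis/assets/api.json"),
    _rec("2025-06-12T13:00:01.700+00:00", "157.230.4.229", "/restapis/assets/index.yaml"),
    _rec("2025-06-12T13:00:02.550+00:00", "157.230.4.229",
         "/servicofotos/..%5C..%5Cwindows%5Csystem32%5Cdrivers%5Cetc%5Chosts;index.html"),
    _rec("2025-06-12T13:00:03.500+00:00", "157.230.4.229", "/-/local/httpd$map.conf"),
    _rec("2025-06-12T13:00:04.410+00:00", "157.230.4.229", "/-/swagger2openapi-6.2.1.tgz"),
    _rec("2025-06-12T13:05:00.000+00:00", "203.0.113.5", "/wp-login.php"),
    _rec("2025-06-12T13:05:00.020+00:00", "203.0.113.5", "/xmlrpc.php"),
    _rec("2025-06-12T13:05:00.040+00:00", "203.0.113.5", "/.env"),
    _rec("2025-06-12T13:05:00.060+00:00", "203.0.113.5", "/phpmyadmin/"),
]


def normalize_path(raw):
    """Undo the encodings attackers use to slip past naive path filters."""
    path = raw
    for _ in range(3):                       # peel up to three layers of %-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")           # %5C traversal becomes ordinary '../'
    path = path.split(";", 1)[0]             # drop servlet path params such as ';index.html'
    return path.split("?", 1)[0]             # ignore the query string


def classify_path(raw):
    """Return the indicator tags a single request path triggers."""
    path = normalize_path(raw)
    tags = set()
    if API_DOC_RE.search(path):
        tags.add("api-doc")
    if "../" in path:
        tags.add("traversal")
    if SENSITIVE_RE.search(path):
        tags.add("sensitive-file")
    return tags


def profile_sources(log_lines, human_min_ms=300, human_max_ms=5000):
    """Group requests by source IP and classify each source's pacing.

    Thresholds are assumptions: gaps under human_min_ms look like a scanner,
    gaps between the bounds look like a person working a tool by hand.
    """
    by_ip = {}
    for line in log_lines:
        rec = json.loads(line)
        by_ip.setdefault(rec["src_ip"], []).append(rec)

    profiles = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        times = [datetime.fromisoformat(r["ts"]) for r in recs]
        gaps = [(b - a) / timedelta(milliseconds=1) for a, b in zip(times, times[1:])]
        tags = set()
        bounty = None
        for r in recs:
            tags |= classify_path(r["path"])
            headers = {k.lower(): v for k, v in r["headers"].items()}
            bounty = bounty or headers.get("x-bug-bounty")
        mean_gap = round(mean(gaps), 1) if gaps else None
        if mean_gap is None:
            verdict = "single-request"
        elif mean_gap < human_min_ms:
            verdict = "automated-burst"
        elif mean_gap <= human_max_ms:
            verdict = "human-paced"
        else:
            verdict = "slow-or-idle"
        profiles[ip] = {
            "requests": len(recs),
            "mean_gap_ms": mean_gap,
            "verdict": verdict,
            "tags": sorted(tags),
            "bug_bounty_header": bounty,
            "not_found_ratio": sum(r["status"] == 404 for r in recs) / len(recs),
        }
    return profiles


if __name__ == "__main__":
    for ip, profile in profile_sources(SAMPLE_LOG).items():
        print(ip, profile)
```

Run on the constructed log, the DigitalOcean address comes out as human-paced with a mean gap of 882 ms, the traversal, api-doc and sensitive-file tags, and the X-Bug-Bounty value captured, while the test-range scanner is flagged as an automated burst. The normalisation step is what matters most: without it the %5C traversal looks like an opaque filename, and the `;index.html` suffix hides the real target from any check keyed on the extension.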
Why This Matters
- Not a botnet: the X-Bug-Bounty header and the request pacing point to a single operator (a professional pentester or gray-hat hacker) rather than automated malware, even though the header itself cannot be verified
- Daytime activity: matches the 12PM-6PM attack window (human work hours)
- Cloud-to-cloud: DigitalOcean → AWS traffic avoids residential IP blocks
Conclusion
The story of TeeFall.com’s zombie server is a reminder that the cloud never forgets. While owners move on, abandoned servers remain online, quietly turning into attack nodes used by manual attackers to probe APIs, test exploits, and blend into legitimate traffic.
If you’ve ever spun up a test instance and forgotten about it, now is the time to check. One forgotten VM can become someone else’s hacking platform tomorrow.
Clean up your infrastructure. Monitor your instances. Because the next “zombie server” might be yours.