I'm trying to figure out where these are coming from. Everything seems to be working fine, but I am seeing these entries across 2 separate hosts, each running a Traefik container instance. The domains are legit (they resolve internally to the respective host), but the token values - the random PHP values - seem like spoof attempts. In checking my access logs, the IPs for these requests are from foreign countries (I'm in the US).
Some of them even get a request on port 80, get a 301 response, and then there's an attempt to the same URL on 443 (pretty positive LE callbacks won't make challenge requests over 443, right?). So, I'm 99% sure these are just random spoofs, but I just want to be sure. Thanks.
Here's a section of logs (from IIS, acting as public reverse proxy) from one of the requests. Again, seems fishy, but just 100% confirming:
2024-09-29 07:47:16 192.168.1.140 GET /.well-known/plugins.php X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=620c30dc-3a2f-4dd3-a109-d2370db62c4b&SERVER-STATUS=301 80 - 52.138.222.83 - - 301 0 0 109
2024-09-29 07:47:16 192.168.1.140 GET /.well-known/plugins.php X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=c4c450f8-e8e1-4ce2-b0dd-429a8577d21e&SERVER-STATUS=404 443 - 52.138.222.83 - - 404 0 0 124
From one of the hosts: