Ai

fiveo1.com Traffic Analysis (June 2026)

The TL;DR: Your site is either compromised, being used as a botnet C2, or you're running a very sloppy phishing operation. None of these are good.

The Crimson Red Flags

1. Your Traffic is Almost Entirely Fake/Malicious

66.4% of all hits come from Nicaragua — specifically two IPs under tecomunica.com.ni:

· teko-253-21 = 39,671 hits (49.68%)
· teko-253-22 = 13,349 hits (16.72%)

Combined: 53,020 hits from two IPs. That's not "audience." That's a bot, a scraper, or an attack script. No legitimate site gets half its traffic from two Nicaraguan IPs unless you're running Nicaragua's largest news platform (you're not).

2. The "POT9" Directory is Screaming "Backdoor Shell"

Top URL: /POT9/POT9.php with 6,870 hits (8.6%). Also present:

· /POT9/P.php
· /POT9/5.php
· /POT9/50.php
· /POT9/View.php

This naming convention (POT9, P.php, numbered files) is classic web shell/malware naming. Someone is actively using your server as a remote file access tool or spam relay.

3. You're Being Brute-Forced Relentlessly

Referrer stats show:

· wp-login.php = 4,292 hits (5.37%)
· mail.fiveo1.com/wp-login.php = 852 hits
· admin.php = 231 hits

That's credential stuffing. Someone is hammering your WordPress and mail login pages. The 409 Conflict responses (7.61% of all responses — 6,079 hits) suggest authentication failures or lock conflicts from repeated login attempts.

4. Environment Files Are Exposed

Someone requested:

· /env/.env (216 hits)
· /api/.env (141 hits)

.env files contain database credentials, API keys, and secrets. The fact that these were requested 357 times means attackers are actively hunting for your credentials — and the 200 OK responses suggest these files might actually exist and be readable. If true, you're already compromised.

5. You Have a phpinfo File Live

/phpinfo received 158 hits. This exposes your entire PHP configuration, including system paths, loaded modules, and environment variables. It's a reconnaissance gift for attackers. Remove it immediately.

Traffic Pattern Analysis (The "Dead Giveaway")

| Metric | Value | What It Means |
|---|---|---|
| Hits per Day (June 3) | 13,227 | Massive spike — likely a scan or attack launch |
| Hits per Day (June 4) | 18,565 | Peak attack day |
| Hits per Day (June 10-11) | 7,415 → 1,034 | Sudden drop — either you blocked something or they moved on |
| Hour 14 (2 PM) | 18.47% of all hits | Highly concentrated activity — not human browsing |
| Pages per Visit | 2.18 (9,508 pages / 4,362 visits) | Extremely low. Bots hitting one endpoint and leaving. |

Human behavior doesn't look like this. Real users don't generate 49% of traffic from two IPs. Real users don't hammer /wp-login.php thousands of times.

Content Analysis: What Are You Actually Serving?

Top KBytes = MP4 Videos

Your largest bandwidth consumers are MP4 files in /uploads/videos/:

· 429 MB, 385 MB, 361 MB, 291 MB files

Questions you need to answer:

· Are these your original videos?
· Are you hosting pirated content?
· Are these being used as part of a CDN abuse scheme?

The filenames (6a034246061e5.mp4) look auto-generated — suspicious.

Top Entry/Exit Pages = 40% bounce on homepage

/ (homepage) = 40% of entries AND exits. That means most visitors land on your homepage and immediately leave. Not engagement — likely bots checking if the site is alive before attacking.

Security Nightmare Checklist

| Issue | Severity | Evidence |
|---|---|---|
| Potential web shell | Critical | /POT9/POT9.php high usage, naming pattern |
| Exposed .env files | Critical | 357 requests, possible 200 OK |
| phpinfo accessible | High | 158 requests |
| WordPress brute force target | High | 5,000+ wp-login hits |
| Large video files (abuse?) | Medium | 400+ MB files |
| High 409/406 response codes | Medium | 7.61% + 1.31% = ~9% error rate |
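As an added example (not part of the original analysis), here is a small triage script that runs the report's own checks over constructed Apache combined-format log lines: the share of hits from the top two IPs, POT9-style directory and file names, probes for .env, phpinfo, wp-login.php and admin.php, .env requests that were answered 200, and user agents whose Chrome major version is above a plausible ceiling. The 128 ceiling, the SHELL_RE naming heuristic and the documentation-range sample IPs are assumptions, not values from the stats.

```python
import re
from collections import Counter
# Apache "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
# Heuristic (assumption) for the naming pattern the report calls out: a short all-caps directory
# holding same-named, single-letter, numbered or "View" PHP files (/POT9/POT9.php, /POT9/5.php).
SHELL_RE = re.compile(r'^/([A-Z0-9]{2,8})/(?:\1|[A-Z]|\d{1,3}|View)\.php$')
PROBES = ('/.env', '/phpinfo', '/wp-login.php', '/admin.php')
MAX_PLAUSIBLE_CHROME = 128  # assumption: the report's "~126-128" figure; set to current stable

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, status, ua = m.groups()
    return {"ip": ip, "path": path, "status": int(status), "ua": ua}

def chrome_major(ua):
    m = re.search(r"Chrome/(\d+)\.", ua)
    return int(m.group(1)) if m else None

def triage(lines, top_n=2, share_threshold=0.5):
    recs = [r for r in map(parse_line, lines) if r]
    top = Counter(r["ip"] for r in recs).most_common(top_n)
    top_share = sum(n for _, n in top) / max(len(recs), 1)
    return {
        "total": len(recs),
        "top_ips": top,
        "top_share": round(top_share, 3),
        "concentrated": top_share >= share_threshold,  # "half the traffic from two IPs"
        "shell_paths": Counter(r["path"] for r in recs if SHELL_RE.match(r["path"])),
        "probes": Counter(r["path"] for r in recs if r["path"].endswith(PROBES)),
        # a 200 on a .env request means the secrets file was actually served
        "env_served": sorted({r["path"] for r in recs if r["path"].endswith("/.env") and r["status"] == 200}),
        "spoofed_ua": sorted({r["ua"] for r in recs if (chrome_major(r["ua"]) or 0) > MAX_PLAUSIBLE_CHROME}),
    }

# Constructed sample lines (not real log data): documentation-range IPs and a made-up timestamp.
UA_FAKE = "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Mobile Safari/537.36"
UA_REAL = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"
def _line(ip, path, status, ua):
    return f'{ip} - - [04/Jun/2026:14:02:11 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'
SAMPLE = [
    _line("203.0.113.21", "/POT9/POT9.php", 200, UA_FAKE), _line("203.0.113.21", "/POT9/5.php", 200, UA_FAKE),
    _line("203.0.113.21", "/wp-login.php", 409, UA_FAKE), _line("203.0.113.22", "/POT9/P.php", 200, UA_FAKE),
    _line("203.0.113.22", "/api/.env", 200, UA_FAKE), _line("203.0.113.22", "/phpinfo", 200, UA_FAKE),
    _line("198.51.100.7", "/", 200, UA_REAL), _line("198.51.100.8", "/about", 200, UA_REAL),
    _line("198.51.100.9", "/env/.env", 404, UA_REAL), _line("198.51.100.9", "/", 200, UA_REAL),
]
```

On a real server, `triage(open("/var/log/apache2/access.log").read().splitlines())` gives the same dictionary; a non-empty `env_served` list is the finding to act on first.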

Geographic Absurdity

Your content appears to be about:

· "California worlds wide distribucion" (misspelled)
· Weed products
· Pablo Escobar, Karol G, J Balvin (Latin pop culture)

Yet your traffic is 66% Nicaragua, 27% Unknown, only ~3% Commercial (.com). If you're selling California weed products, why is almost zero traffic coming from the US?

Because the traffic isn't real customers — it's attackers from a Nicaraguan hosting provider.

The User Agent Lie

Your top user agent (64.9% of hits):

```
Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Mobile Safari/537.36
```

Chrome 148.0.0.0 does not exist. Current stable Chrome is ~126-128. Version 148 would be years in the future. Attackers spoof user agents to blend in, but they copied a fake version number.

The second agent (11.98%) is meta-externalagent — Facebook's crawler. That's real, but doesn't explain the 49% from Nicaragua.

Brutal Verdict

Your site is almost certainly compromised, or it was built as part of a malicious operation from day one.

There is no benign explanation for:

· A directory named /POT9/ receiving thousands of hits to obfuscated PHP files
· Two Nicaraguan IPs generating 2/3 of all traffic
· Active scanning for .env, phpinfo, and wp-login.php
· 9% of responses being errors (409 Conflict = authentication issues)
· Video files being served but no legitimate traffic patterns

Possible explanations (ranked by likelihood):

1. You've been hacked — A backdoor shell (POT9.php) is installed, attackers are using your server to proxy traffic, send spam, or host malicious content. The video files might be part of a CDN abuse scheme.
2. You're running a phishing/SEO spam operation — The odd URL structure, misspelled content ("distrabucion"), and Latin American traffic point to a low-effort spam site.
3. You bought "traffic" from a cheap provider — Someone sold you 4,000 "visits" that are just bots from Nicaragua. You wasted your money.
4. You're aware and this is intentional — If so, this review won't matter, but for the record: you're leaving clear forensic evidence.

Immediate Actions (If You Actually Own This Site)

1. TAKE THE SITE OFFLINE — Right now. You cannot trust any file on this server.
2. Check /env/.env and /api/.env — If they exist and contain real credentials, assume everything is compromised. Rotate all keys, passwords, API tokens.
3. Delete /POT9/ entirely — It's malware. Don't "investigate" it on a live server.
4. Remove phpinfo — `grep -r "phpinfo" /var/www/` and delete any file containing it.
5. Audit WordPress — Check for unknown admin users, backdoor plugins, and review wp-config.php.
6. Check those MP4 files — Are they yours? If not, someone is using your server as free hosting. If yes, why are they 400+ MB and getting low traffic?
7. Review access logs for the past 3-6 months — See when /POT9/POT9.php was first created. That's your compromise date.
8. Change all hosting control panel passwords — The attackers may have cPanel/Plesk access.
9. Run a rootkit scan — If this is a VPS/dedicated server, the attacker may have installed system-level persistence.
10. Hire an incident response firm — Based on these stats, you're past "DIY cleanup" territory.
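Steps 2, 4 and 7 of the list above as an added Python helper (not from the original page): it lists every .env file under a web root, finds PHP files that actually call phpinfo() rather than merely containing the word, and reports the oldest file below a suspect directory as the on-disk pivot for the compromise date. The fixture web root, its placeholder secrets and its back-dated timestamps are constructed for the example; run the three functions against a copy of the real web root, not the live one.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
PHPINFO_RE = re.compile(r"phpinfo\s*\(")  # the call itself, not just the word (sharper than the report's grep)

def find_env_files(root):
    """Step 2: every .env under the web root; each is one misconfiguration away from being served."""
    return sorted(os.path.join(d, ".env") for d, _, files in os.walk(root) if ".env" in files)

def find_phpinfo(root):
    """Step 4: PHP files whose source calls phpinfo()."""
    hits = []
    for d, _, files in os.walk(root):
        for name in files:
            path = os.path.join(d, name)
            if not name.endswith(".php"):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                if PHPINFO_RE.search(fh.read()):
                    hits.append(path)
    return sorted(hits)

def oldest_file(directory):
    """Step 7: (UTC mtime, path) of the oldest file below directory, or None; the earliest mtime dates the directory."""
    files = [os.path.join(d, f) for d, _, fs in os.walk(directory) for f in fs]
    if not files:
        return None
    path = min(files, key=os.path.getmtime)
    stamp = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
    return stamp.strftime("%Y-%m-%dT%H:%M:%SZ"), path

def make_fixture():
    """Constructed web root (not a real server) with the paths the report names and back-dated mtimes."""
    root = tempfile.mkdtemp()
    spec = {  # relative path -> (contents, mtime to force, or None to keep "now")
        "api/.env": ("DB_PASSWORD=placeholder\n", None),
        "env/.env": ("APP_KEY=placeholder\n", None),
        "info.php": ("<?php phpinfo();\n", None),
        "POT9/POT9.php": ("<?php // body irrelevant here\n", datetime(2026, 6, 3, 14, 0, tzinfo=timezone.utc)),
        "POT9/5.php": ("<?php\n", datetime(2026, 6, 4, 9, 0, tzinfo=timezone.utc)),
    }
    for rel, (body, when) in spec.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        if when:
            os.utime(path, (when.timestamp(), when.timestamp()))
    return root
```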

Final Shots

| Claim in Your Content | Reality |
|---|---|
| "California worlds wide distribucion" | You're distributing malware from a Nicaraguan botnet |
| Weed products for sale | You're selling nothing — your "customers" are scripts |
| Professional website | Your site has a web shell and exposed environment files |

The most brutal truth: If you own this site legitimately and these stats surprised you, you've already lost. Your server is a zombie in someone else's army. If you built this site for shady purposes, you're amateur — the evidence is embarrassingly obvious.

June 3-4, 2026 (13k and 18k hit days) is likely when an automated attack succeeded. Check what changed on your server those days.