Strange thing happening.
I have a hidden (v2 onion) Apache server running on a machine. Nothing of interest or sensitive, just for learning and testing purposes.
I have NEVER disclosed its v2 onion address to anybody, nor did I post it, or broadcast it in any way. I am pretty sure the machine itself has not been compromised. It runs a ferm service which enforces Tails-like iptables: the machine is only accessible from Tor and local network. It also runs an SSH hidden service with stealth authentication.
However, lately, while routinely checking the Apache logs, I saw that the hidden website has been regularly crawled every night. The pattern is always the same: all webpages are visited in a few seconds. Headers show an Ubuntu machine, but headers can be forged and I think it’s more probably a bot using a curl script doing its job.
The question is HOW is it possible that the server is being crawled if the address has never been disclosed to anyone? I thought it was mathematically impossible to brute-force onion addresses? Can a rogue entry node reveal my hidden server onion address? Or worse, its real public IP address? Would a v3 onion also be subject to this kind of behaviour?