<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://ov.430.ch/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Codex</id>
	<title>Marcopedia - User contributions [en]</title>
	<link rel="self" type="application/atom+xml" href="https://ov.430.ch/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Codex"/>
	<link rel="alternate" type="text/html" href="https://ov.430.ch/index.php/Special:Contributions/Codex"/>
	<updated>2026-07-10T16:16:44Z</updated>
	<subtitle>User contributions</subtitle>
	<generator>MediaWiki 1.46.0</generator>
	<entry>
		<id>https://ov.430.ch/index.php?title=Ov.430.ch_Host_Reconnaissance_Report&amp;diff=5</id>
		<title>Ov.430.ch Host Reconnaissance Report</title>
		<link rel="alternate" type="text/html" href="https://ov.430.ch/index.php?title=Ov.430.ch_Host_Reconnaissance_Report&amp;diff=5"/>
		<updated>2026-07-09T18:55:36Z</updated>

		<summary type="html">&lt;p&gt;Codex: Created page with &amp;quot;__TOC__  &amp;lt;!-- Generated from /root/OV430_REPORT.md by Codex on 2026-07-09 UTC. --&amp;gt;  = ov.430.ch Host Reconnaissance Report =  Report date: 2026-07-09 UTC  Target: &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt;  Authorization status: owner-authorized and locally verified  Local verification file: &amp;lt;code&amp;gt;/root/OV430_SCAN_AUTHORIZATION.txt&amp;lt;/code&amp;gt;  Primary artifact directory: &amp;lt;code&amp;gt;/root/recon-ov430&amp;lt;/code&amp;gt;  == Scope ==  This report covers the VPS behind &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt;, not the entire &amp;lt;code&amp;gt;4...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__TOC__&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Generated from /root/OV430_REPORT.md by Codex on 2026-07-09 UTC. --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= ov.430.ch Host Reconnaissance Report =&lt;br /&gt;
&lt;br /&gt;
Report date: 2026-07-09 UTC&lt;br /&gt;
&lt;br /&gt;
Target: &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Authorization status: owner-authorized and locally verified&lt;br /&gt;
&lt;br /&gt;
Local verification file: &amp;lt;code&amp;gt;/root/OV430_SCAN_AUTHORIZATION.txt&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Primary artifact directory: &amp;lt;code&amp;gt;/root/recon-ov430&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Scope ==&lt;br /&gt;
&lt;br /&gt;
This report covers the VPS behind &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt;, not the entire &amp;lt;code&amp;gt;430.ch&amp;lt;/code&amp;gt; domain. Unlike the earlier third-party-limited &amp;lt;code&amp;gt;marcotrix.xyz&amp;lt;/code&amp;gt; pass, this run used owner authorization and local host access.&lt;br /&gt;
&lt;br /&gt;
Performed:&lt;br /&gt;
&lt;br /&gt;
* Full TCP scans of the public IPv4 and IPv6 addresses.&lt;br /&gt;
* Targeted UDP scans of locally listening UDP services.&lt;br /&gt;
* Local socket/process inspection.&lt;br /&gt;
* Caddy, systemd, Docker, and iptables inspection.&lt;br /&gt;
* Public MediaWiki API inventory.&lt;br /&gt;
* Direct backend reachability checks.&lt;br /&gt;
&lt;br /&gt;
Not performed:&lt;br /&gt;
&lt;br /&gt;
* Password guessing.&lt;br /&gt;
* Exploit attempts.&lt;br /&gt;
* Destructive changes.&lt;br /&gt;
* Broad/full UDP sweep.&lt;br /&gt;
&lt;br /&gt;
== Executive Summary ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; is a Debian 13 VPS hosted at:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
IPv4: 83.228.241.25&lt;br /&gt;
IPv6: 2001:1600:18:102::26f&lt;br /&gt;
hostname: ov-9520b2&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The host exposes:&lt;br /&gt;
&lt;br /&gt;
* SSH on &amp;lt;code&amp;gt;22/tcp&amp;lt;/code&amp;gt;.&lt;br /&gt;
* Caddy on &amp;lt;code&amp;gt;80/tcp&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;443/tcp&amp;lt;/code&amp;gt;, and QUIC &amp;lt;code&amp;gt;443/udp&amp;lt;/code&amp;gt;.&lt;br /&gt;
* &amp;lt;code&amp;gt;systemd-resolved&amp;lt;/code&amp;gt; LLMNR on &amp;lt;code&amp;gt;5355/tcp&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;5355/udp&amp;lt;/code&amp;gt; for IPv4 and IPv6.&lt;br /&gt;
* Mindustry Java service on &amp;lt;code&amp;gt;6567/tcp&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;6567/udp&amp;lt;/code&amp;gt;, and &amp;lt;code&amp;gt;20151/udp&amp;lt;/code&amp;gt;.&lt;br /&gt;
* Docker-published MediaWiki backend on host &amp;lt;code&amp;gt;8080/tcp&amp;lt;/code&amp;gt;, clearly open on IPv6 and locally reachable on IPv4.&lt;br /&gt;
&lt;br /&gt;
The current application stack:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Caddy 2.6.2 -&amp;gt; Docker-published MediaWiki container -&amp;gt; Apache 2.4.67 -&amp;gt; PHP 8.3.32 -&amp;gt; MediaWiki 1.46.0 -&amp;gt; MariaDB 12.3.2&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Highest-value fixes:&lt;br /&gt;
&lt;br /&gt;
# Disable or firewall public LLMNR on &amp;lt;code&amp;gt;5355/tcp&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;5355/udp&amp;lt;/code&amp;gt;.&lt;br /&gt;
# Stop publishing MediaWiki container port &amp;lt;code&amp;gt;8080&amp;lt;/code&amp;gt; to public interfaces; bind it to &amp;lt;code&amp;gt;127.0.0.1&amp;lt;/code&amp;gt; or put Caddy on the Docker network.&lt;br /&gt;
# If Mindustry is intended public, document and intentionally allow &amp;lt;code&amp;gt;6567/tcp&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;6567/udp&amp;lt;/code&amp;gt;, and &amp;lt;code&amp;gt;20151/udp&amp;lt;/code&amp;gt;; otherwise close them.&lt;br /&gt;
# Add HSTS to Caddy.&lt;br /&gt;
# Add firewall policy in &amp;lt;code&amp;gt;DOCKER-USER&amp;lt;/code&amp;gt; or host firewall rules, because Docker currently exposes port mappings without an explicit deny layer.&lt;br /&gt;
# Review whether public account creation/editing on &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; is intentional.&lt;br /&gt;
&lt;br /&gt;
== Local Host Identity ==&lt;br /&gt;
&lt;br /&gt;
Local OS:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
PRETTY_NAME=&amp;quot;Debian GNU/Linux 13 (trixie)&amp;quot;&lt;br /&gt;
VERSION_ID=&amp;quot;13&amp;quot;&lt;br /&gt;
VERSION=&amp;quot;13 (trixie)&amp;quot;&lt;br /&gt;
DEBIAN_VERSION_FULL=13.5&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Hostname:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
ov-9520b2&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Interfaces:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
lo               UNKNOWN        127.0.0.1/8 ::1/128&lt;br /&gt;
ens3             UP             83.228.241.25/24 metric 100 2001:1600:18:102::26f/128 fe80::f816:3eff:fe50:7b7d/64&lt;br /&gt;
docker0          DOWN           172.17.0.1/16&lt;br /&gt;
br-d9bdd4e01ff5  UP             172.25.0.1/16 fe80::42:85ff:fe66:7f43/64&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Public TCP Scan Results ==&lt;br /&gt;
&lt;br /&gt;
=== IPv4 Full TCP ===&lt;br /&gt;
&lt;br /&gt;
Command:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
nmap -Pn -sS -T3 -p- --max-retries 2 83.228.241.25 -oN /root/recon-ov430/nmap-ipv4-full.txt&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Result:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
PORT     STATE    SERVICE&lt;br /&gt;
22/tcp   open     ssh&lt;br /&gt;
80/tcp   open     http&lt;br /&gt;
443/tcp  open     https&lt;br /&gt;
5355/tcp open     llmnr&lt;br /&gt;
6567/tcp open     esp&lt;br /&gt;
8080/tcp filtered http-proxy&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Notes:&lt;br /&gt;
&lt;br /&gt;
* Nmap SYN scan saw &amp;lt;code&amp;gt;8080/tcp&amp;lt;/code&amp;gt; as &amp;lt;code&amp;gt;filtered&amp;lt;/code&amp;gt; on IPv4.&lt;br /&gt;
* Local Docker and curl checks show host port &amp;lt;code&amp;gt;8080&amp;lt;/code&amp;gt; is published on &amp;lt;code&amp;gt;0.0.0.0&amp;lt;/code&amp;gt; and locally reachable via the public IPv4. Treat external IPv4 exposure as ambiguous until checked from a true off-host network.&lt;br /&gt;
&lt;br /&gt;
=== IPv6 Full TCP ===&lt;br /&gt;
&lt;br /&gt;
Command:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
nmap -Pn -6 -sT -T3 -p- --max-retries 2 2001:1600:18:102::26f -oN /root/recon-ov430/nmap-ipv6-full.txt&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Result:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
PORT     STATE SERVICE&lt;br /&gt;
22/tcp   open  ssh&lt;br /&gt;
80/tcp   open  http&lt;br /&gt;
443/tcp  open  https&lt;br /&gt;
5355/tcp open  llmnr&lt;br /&gt;
6567/tcp open  esp&lt;br /&gt;
8080/tcp open  http-proxy&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
IPv6 &amp;lt;code&amp;gt;8080/tcp&amp;lt;/code&amp;gt; is clearly open.&lt;br /&gt;
&lt;br /&gt;
=== Service Detection ===&lt;br /&gt;
&lt;br /&gt;
IPv4 service detection:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
22/tcp   open     ssh        OpenSSH 10.0p2 Debian 7+deb13u4&lt;br /&gt;
80/tcp   open     http       Caddy httpd&lt;br /&gt;
443/tcp  open     ssl/https?&lt;br /&gt;
5355/tcp open     llmnr?&lt;br /&gt;
6567/tcp open     esp?&lt;br /&gt;
8080/tcp filtered http-proxy&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
IPv6 service detection:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
22/tcp   open  ssh        OpenSSH 10.0p2 Debian 7+deb13u4&lt;br /&gt;
80/tcp   open  http       Caddy httpd&lt;br /&gt;
443/tcp  open  ssl/https?&lt;br /&gt;
5355/tcp open  llmnr?&lt;br /&gt;
6567/tcp open  esp?&lt;br /&gt;
8080/tcp open  http       Apache httpd 2.4.67 ((Debian))&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Nmap did not recognize the Java service on &amp;lt;code&amp;gt;6567/tcp&amp;lt;/code&amp;gt;, but the local process mapping identifies it as Mindustry.&lt;br /&gt;
&lt;br /&gt;
== Targeted UDP Scan Results ==&lt;br /&gt;
&lt;br /&gt;
Command:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
nmap -Pn -sU -sV --version-light -p443,5355,6567,20151 83.228.241.25 -oN /root/recon-ov430/nmap-udp-targeted.txt&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Result:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
443/udp   open|filtered https&lt;br /&gt;
5355/udp  open|filtered llmnr&lt;br /&gt;
6567/udp  open|filtered esp&lt;br /&gt;
20151/udp open          unknown&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;20151/udp&amp;lt;/code&amp;gt; returned a Mindustry-looking service response:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Server&lt;br /&gt;
Tendrils&lt;br /&gt;
official&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Local sockets confirm &amp;lt;code&amp;gt;20151/udp&amp;lt;/code&amp;gt; is owned by the Java/Mindustry process.&lt;br /&gt;
&lt;br /&gt;
== Local Listening Sockets ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;ss -ltnup&amp;lt;/code&amp;gt; showed:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
udp 0.0.0.0:5355       systemd-resolve&lt;br /&gt;
udp [::]:5355          systemd-resolve&lt;br /&gt;
udp *:20151            java&lt;br /&gt;
udp *:6567             java&lt;br /&gt;
udp *:443              caddy&lt;br /&gt;
&lt;br /&gt;
tcp 0.0.0.0:22         sshd&lt;br /&gt;
tcp 127.0.0.1:2019     caddy admin API&lt;br /&gt;
tcp 127.0.0.1:36489    containerd&lt;br /&gt;
tcp 127.0.0.53:53      systemd-resolve&lt;br /&gt;
tcp 127.0.0.54:53      systemd-resolve&lt;br /&gt;
tcp 0.0.0.0:5355       systemd-resolve&lt;br /&gt;
tcp [::]:5355          systemd-resolve&lt;br /&gt;
tcp 0.0.0.0:8080       docker-proxy&lt;br /&gt;
tcp [::]:8080          docker-proxy&lt;br /&gt;
tcp [::]:22            sshd&lt;br /&gt;
tcp *:80               caddy&lt;br /&gt;
tcp *:443              caddy&lt;br /&gt;
tcp *:6567             java&lt;br /&gt;
tcp [::ffff:127.0.0.1]:6859 java&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;5355&amp;lt;/code&amp;gt; exposure is from &amp;lt;code&amp;gt;systemd-resolved&amp;lt;/code&amp;gt; LLMNR.&lt;br /&gt;
* &amp;lt;code&amp;gt;6567&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;20151&amp;lt;/code&amp;gt; are from the Java/Mindustry server.&lt;br /&gt;
* &amp;lt;code&amp;gt;6859&amp;lt;/code&amp;gt; is a Mindustry console bound to loopback only.&lt;br /&gt;
* &amp;lt;code&amp;gt;8080&amp;lt;/code&amp;gt; is Docker&#039;s published MediaWiki backend.&lt;br /&gt;
* Caddy&#039;s admin API is loopback-only on &amp;lt;code&amp;gt;127.0.0.1:2019&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Caddy Configuration ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;/etc/caddy/Caddyfile&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
{&lt;br /&gt;
	email aivaras@430.ch&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
(cors) {&lt;br /&gt;
	@cors_preflight method OPTIONS&lt;br /&gt;
	handle @cors_preflight {&lt;br /&gt;
		header Access-Control-Allow-Origin &amp;quot;{header.Origin}&amp;quot;&lt;br /&gt;
		header Access-Control-Allow-Methods &amp;quot;GET, POST, PUT, PATCH, DELETE, OPTIONS&amp;quot;&lt;br /&gt;
		header Access-Control-Allow-Headers &amp;quot;{header.Access-Control-Request-Headers}&amp;quot;&lt;br /&gt;
		header Access-Control-Allow-Credentials &amp;quot;true&amp;quot;&lt;br /&gt;
		header Access-Control-Max-Age &amp;quot;3600&amp;quot;&lt;br /&gt;
		respond &amp;quot;&amp;quot; 204&lt;br /&gt;
	}&lt;br /&gt;
&lt;br /&gt;
	header {&lt;br /&gt;
		Access-Control-Allow-Origin &amp;quot;{header.Origin}&amp;quot;&lt;br /&gt;
		Access-Control-Allow-Credentials &amp;quot;true&amp;quot;&lt;br /&gt;
		Access-Control-Expose-Headers &amp;quot;*&amp;quot;&lt;br /&gt;
		Vary &amp;quot;Origin&amp;quot;&lt;br /&gt;
		defer&lt;br /&gt;
	}&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
ov.430.ch {&lt;br /&gt;
	reverse_proxy 127.0.0.1:8080&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Notes:&lt;br /&gt;
&lt;br /&gt;
* The &amp;lt;code&amp;gt;(cors)&amp;lt;/code&amp;gt; snippet is defined but not imported into the &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; site block.&lt;br /&gt;
* &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; is a simple reverse proxy to &amp;lt;code&amp;gt;127.0.0.1:8080&amp;lt;/code&amp;gt;.&lt;br /&gt;
* Caddy version: &amp;lt;code&amp;gt;2.6.2&amp;lt;/code&amp;gt;.&lt;br /&gt;
* Caddy serves public HTTP/HTTPS and QUIC.&lt;br /&gt;
* HSTS is not configured.&lt;br /&gt;
&lt;br /&gt;
== Docker and MediaWiki ==&lt;br /&gt;
&lt;br /&gt;
Running containers:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mediawiki-mediawiki-1   mediawiki:latest   0.0.0.0:8080-&amp;gt;80/tcp, :::8080-&amp;gt;80/tcp&lt;br /&gt;
mediawiki-database-1    mariadb:latest     3306/tcp, no host publish&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Docker images:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mediawiki  1.46    f33141a834bf   1.1GB&lt;br /&gt;
mediawiki  latest  f33141a834bf   1.1GB&lt;br /&gt;
mariadb    11      0584f8a9edf6   336MB&lt;br /&gt;
mariadb    latest  73d2c069f75f   341MB&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Limited &amp;lt;code&amp;gt;docker inspect&amp;lt;/code&amp;gt; output:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
/mediawiki-mediawiki-1 mediawiki:latest 80/tcp=[{0.0.0.0 8080} {:: 8080}] 172.25.0.3&lt;br /&gt;
/mediawiki-database-1  mariadb:latest  3306/tcp=[]                         172.25.0.2&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Inside MediaWiki container:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
PHP 8.3.32 (cli)&lt;br /&gt;
Apache/2.4.67 (Debian)&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Public MediaWiki API reports:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
MediaWiki: 1.46.0&lt;br /&gt;
PHP: 8.3.32&lt;br /&gt;
phpsapi: apache2handler&lt;br /&gt;
dbtype: mysql&lt;br /&gt;
dbversion: 12.3.2-MariaDB-ubu2404&lt;br /&gt;
site name: Marcopedia&lt;br /&gt;
server: https://ov.430.ch&lt;br /&gt;
maxuploadsize: 104857600&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Extensions/skins:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
MinervaNeue&lt;br /&gt;
MonoBook&lt;br /&gt;
Timeless 0.9.1&lt;br /&gt;
Vector 1.0.0&lt;br /&gt;
MediaWikiChat 2.25.0&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Current public statistics:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
pages: 3&lt;br /&gt;
articles: 0&lt;br /&gt;
edits: 3&lt;br /&gt;
images: 0&lt;br /&gt;
users: 3&lt;br /&gt;
activeusers: 2&lt;br /&gt;
admins: 2&lt;br /&gt;
jobs: 0&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Public users visible through API:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Aivaras&lt;br /&gt;
  groups: user, autoconfirmed, bot, bureaucrat, interface-admin, suppress, sysop&lt;br /&gt;
  registered: 2026-07-03T22:32:35Z&lt;br /&gt;
&lt;br /&gt;
Marco&lt;br /&gt;
  groups: user, autoconfirmed, bureaucrat, interface-admin, sysop&lt;br /&gt;
  registered: 2026-07-03T21:39:57Z&lt;br /&gt;
&lt;br /&gt;
Codex&lt;br /&gt;
  groups: user, autoconfirmed&lt;br /&gt;
  registered: 2026-07-09T18:08:07Z&lt;br /&gt;
&lt;br /&gt;
MediaWiki default&lt;br /&gt;
  groups: user, autoconfirmed&lt;br /&gt;
  registered: 2026-07-03T21:39:57Z&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Current notable pages visible from recent changes:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
430.ch Reconnaissance Report&lt;br /&gt;
Marcotrix.xyz Reconnaissance Report&lt;br /&gt;
Marco&lt;br /&gt;
Main Page&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The &amp;lt;code&amp;gt;Marcotrix.xyz Reconnaissance Report&amp;lt;/code&amp;gt; page was observed in the wiki state during this scan. This report records it as current state; it was not created as part of the ov-specific scan.&lt;br /&gt;
&lt;br /&gt;
== Direct Backend Reachability ==&lt;br /&gt;
&lt;br /&gt;
Outside the sandbox, direct requests to the MediaWiki backend succeeded:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
http://127.0.0.1:8080/&lt;br /&gt;
http://83.228.241.25:8080/&lt;br /&gt;
http://[2001:1600:18:102::26f]:8080/&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Each returned:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/1.1 301 Moved Permanently&lt;br /&gt;
Server: Apache/2.4.67 (Debian)&lt;br /&gt;
X-Powered-By: PHP/8.3.32&lt;br /&gt;
Location: https://ov.430.ch/index.php/Main_Page&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* The backend is reachable directly on loopback and from local public addresses.&lt;br /&gt;
* Docker publishes it to IPv4 and IPv6.&lt;br /&gt;
* Nmap&#039;s public IPv6 scan clearly sees it as open.&lt;br /&gt;
* Nmap&#039;s IPv4 SYN scan labels it filtered, so off-host IPv4 exposure should be verified separately if precision matters. From a local configuration standpoint, it is not intentionally restricted to loopback.&lt;br /&gt;
&lt;br /&gt;
== Firewall and Docker NAT ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;iptables-save&amp;lt;/code&amp;gt; showed no restrictive host &amp;lt;code&amp;gt;INPUT&amp;lt;/code&amp;gt; policy:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
*filter&lt;br /&gt;
:INPUT ACCEPT&lt;br /&gt;
:FORWARD DROP&lt;br /&gt;
:OUTPUT ACCEPT&lt;br /&gt;
...&lt;br /&gt;
:DOCKER-USER -&lt;br /&gt;
-A DOCKER-USER -j RETURN&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Docker NAT publishes &amp;lt;code&amp;gt;8080&amp;lt;/code&amp;gt; to the MediaWiki container:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
-A DOCKER ! -i br-d9bdd4e01ff5 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.25.0.3:80&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* There is no custom &amp;lt;code&amp;gt;DOCKER-USER&amp;lt;/code&amp;gt; deny/allow policy.&lt;br /&gt;
* Docker controls the published backend port.&lt;br /&gt;
* Binding the MediaWiki container to loopback, or using an internal Docker network with Caddy attached, would reduce accidental exposure.&lt;br /&gt;
&lt;br /&gt;
== Systemd Services ==&lt;br /&gt;
&lt;br /&gt;
Running services of interest:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
caddy.service&lt;br /&gt;
containerd.service&lt;br /&gt;
docker.service&lt;br /&gt;
mindustry.service&lt;br /&gt;
mindustry-stutter.service&lt;br /&gt;
ssh.service&lt;br /&gt;
systemd-resolved.service&lt;br /&gt;
systemd-timesyncd.service&lt;br /&gt;
unattended-upgrades.service&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Mindustry service:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
[Service]&lt;br /&gt;
User=mindustry&lt;br /&gt;
Group=mindustry&lt;br /&gt;
WorkingDirectory=/srv/mindustry&lt;br /&gt;
ExecStart=/bin/sh -c &#039;tail -f /dev/null | /usr/bin/java -Xms128M -Xmx1024M -jar /srv/mindustry/server-release.jar&#039;&lt;br /&gt;
Restart=on-failure&lt;br /&gt;
RestartSec=10&lt;br /&gt;
NoNewPrivileges=true&lt;br /&gt;
PrivateTmp=true&lt;br /&gt;
ProtectHome=true&lt;br /&gt;
ProtectSystem=full&lt;br /&gt;
ReadWritePaths=/srv/mindustry&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Mindustry runtime:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
openjdk version &amp;quot;21.0.11&amp;quot; 2026-04-21&lt;br /&gt;
Mindustry user: uid=995(mindustry) gid=1000(mindustry)&lt;br /&gt;
server jar: /srv/mindustry/server-release.jar&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Mindustry files observed:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
/srv/mindustry/server-release.jar&lt;br /&gt;
/srv/mindustry/config/rules.hjson&lt;br /&gt;
/srv/mindustry/config/settings.bin&lt;br /&gt;
/srv/mindustry/config/logs/log-0.txt&lt;br /&gt;
/srv/mindustry/HOW-TO-CONNECT.txt&lt;br /&gt;
/srv/mindustry/MODERATION-LOG.md&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Mindustry rules snippet:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
reactorExplosions: false&lt;br /&gt;
logicUnitBuild: false&lt;br /&gt;
logicUnitDeconstruct: false&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Loopback console:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
[::ffff:127.0.0.1]:6859&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== HTTP Headers ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;https://ov.430.ch/&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/2 301&lt;br /&gt;
location: https://ov.430.ch/index.php/Main_Page&lt;br /&gt;
server: Caddy&lt;br /&gt;
server: Apache/2.4.67 (Debian)&lt;br /&gt;
x-content-type-options: nosniff&lt;br /&gt;
x-powered-by: PHP/8.3.32&lt;br /&gt;
cache-control: private, must-revalidate, max-age=0&lt;br /&gt;
expires: Thu, 01 Jan 1970 00:00:00 GMT&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;https://ov.430.ch/index.php/430.ch_Reconnaissance_Report&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/2 200&lt;br /&gt;
server: Caddy&lt;br /&gt;
server: Apache/2.4.67 (Debian)&lt;br /&gt;
x-content-type-options: nosniff&lt;br /&gt;
x-powered-by: PHP/8.3.32&lt;br /&gt;
content-length: 97428&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;https://ov.430.ch/index.php/Marcotrix.xyz_Reconnaissance_Report&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/2 200&lt;br /&gt;
server: Caddy&lt;br /&gt;
server: Apache/2.4.67 (Debian)&lt;br /&gt;
x-content-type-options: nosniff&lt;br /&gt;
x-powered-by: PHP/8.3.32&lt;br /&gt;
content-length: 69206&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Security header notes:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;X-Content-Type-Options: nosniff&amp;lt;/code&amp;gt; is present.&lt;br /&gt;
* HSTS is not present.&lt;br /&gt;
* &amp;lt;code&amp;gt;X-Powered-By: PHP/8.3.32&amp;lt;/code&amp;gt; exposes PHP version.&lt;br /&gt;
* &amp;lt;code&amp;gt;Server&amp;lt;/code&amp;gt; exposes Caddy and Apache.&lt;br /&gt;
&lt;br /&gt;
== Findings and Recommendations ==&lt;br /&gt;
&lt;br /&gt;
=== High Priority ===&lt;br /&gt;
&lt;br /&gt;
==== Disable or firewall public LLMNR ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
5355/tcp open on IPv4 and IPv6&lt;br /&gt;
5355/udp open|filtered&lt;br /&gt;
process: systemd-resolve&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Why it matters:&lt;br /&gt;
&lt;br /&gt;
* LLMNR is local-link name resolution. It is not useful on a public VPS interface.&lt;br /&gt;
* Public exposure adds noise and unnecessary attack surface.&lt;br /&gt;
&lt;br /&gt;
Recommended fix:&lt;br /&gt;
&lt;br /&gt;
Create a drop-in:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
/etc/systemd/resolved.conf.d/no-llmnr.conf&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
With:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
[Resolve]&lt;br /&gt;
LLMNR=no&lt;br /&gt;
MulticastDNS=no&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Then:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
systemctl restart systemd-resolved&lt;br /&gt;
ss -ltnup | grep 5355&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
No &amp;lt;code&amp;gt;5355&amp;lt;/code&amp;gt; listeners should remain.&lt;br /&gt;
&lt;br /&gt;
==== Stop publishing MediaWiki backend to public interfaces ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mediawiki-mediawiki-1 mediawiki:latest 80/tcp=[{0.0.0.0 8080} {:: 8080}]&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Why it matters:&lt;br /&gt;
&lt;br /&gt;
* Caddy is meant to be the public entry point.&lt;br /&gt;
* Direct backend exposure bypasses Caddy-layer controls and creates two public paths to the same app.&lt;br /&gt;
* IPv6 &amp;lt;code&amp;gt;8080&amp;lt;/code&amp;gt; is confirmed open externally from this host&#039;s scan perspective.&lt;br /&gt;
&lt;br /&gt;
Recommended fixes:&lt;br /&gt;
&lt;br /&gt;
Option A, bind host port to loopback only:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
ports:&lt;br /&gt;
  - &amp;quot;127.0.0.1:8080:80&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Option B, better: put Caddy on the Docker network and remove host port publication entirely.&lt;br /&gt;
&lt;br /&gt;
Option C, add firewall rules in &amp;lt;code&amp;gt;DOCKER-USER&amp;lt;/code&amp;gt; to reject public &amp;lt;code&amp;gt;8080&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
==== Decide and document Mindustry exposure ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
6567/tcp open&lt;br /&gt;
6567/udp open|filtered&lt;br /&gt;
20151/udp open and responding with server info&lt;br /&gt;
process: java /srv/mindustry/server-release.jar&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Why it matters:&lt;br /&gt;
&lt;br /&gt;
* If this is intentional, it is fine as a public game service, but it should be explicit.&lt;br /&gt;
* If it is not intentional, it is a public service with a game-specific protocol and server information leakage.&lt;br /&gt;
&lt;br /&gt;
Recommended action:&lt;br /&gt;
&lt;br /&gt;
* Keep if intentional.&lt;br /&gt;
* Otherwise stop/disable &amp;lt;code&amp;gt;mindustry.service&amp;lt;/code&amp;gt; and close the ports.&lt;br /&gt;
* If kept public, consider basic firewall/rate-limit protections and log review.&lt;br /&gt;
&lt;br /&gt;
=== Medium Priority ===&lt;br /&gt;
&lt;br /&gt;
==== Add HSTS ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* HSTS is not configured.&lt;br /&gt;
&lt;br /&gt;
Recommended Caddy header:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
header Strict-Transport-Security &amp;quot;max-age=31536000; includeSubDomains&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Use a shorter rollout first if desired:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
header Strict-Transport-Security &amp;quot;max-age=86400&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== Reduce version disclosure ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
Headers expose:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Server: Caddy&lt;br /&gt;
Server: Apache/2.4.67 (Debian)&lt;br /&gt;
X-Powered-By: PHP/8.3.32&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Recommendation:&lt;br /&gt;
&lt;br /&gt;
* Remove &amp;lt;code&amp;gt;X-Powered-By&amp;lt;/code&amp;gt; in PHP/Apache configuration.&lt;br /&gt;
* Do not rely on header hiding for security, but reduce unnecessary precise version hints.&lt;br /&gt;
&lt;br /&gt;
==== Review MediaWiki anonymous permissions ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* Public API exposes users, groups, recent changes, siteinfo, versions, and extensions.&lt;br /&gt;
* The page config has indicated anonymous editability in previous HTML checks.&lt;br /&gt;
&lt;br /&gt;
Recommendation:&lt;br /&gt;
&lt;br /&gt;
If &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; should be public-editable, leave this alone but monitor abuse.&lt;br /&gt;
&lt;br /&gt;
If not:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
$wgGroupPermissions[&#039;*&#039;][&#039;edit&#039;] = false;&lt;br /&gt;
$wgGroupPermissions[&#039;*&#039;][&#039;createaccount&#039;] = false;&lt;br /&gt;
$wgGroupPermissions[&#039;*&#039;][&#039;writeapi&#039;] = false;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Also review upload settings, because &amp;lt;code&amp;gt;maxuploadsize&amp;lt;/code&amp;gt; is &amp;lt;code&amp;gt;104857600&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
==== Add firewall policy ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
INPUT ACCEPT&lt;br /&gt;
DOCKER-USER -j RETURN&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Recommendation:&lt;br /&gt;
&lt;br /&gt;
* Define an explicit host firewall policy.&lt;br /&gt;
* Use &amp;lt;code&amp;gt;DOCKER-USER&amp;lt;/code&amp;gt; for Docker-published ports, since Docker inserts NAT/filter rules.&lt;br /&gt;
* Permit only intended public services:&lt;br /&gt;
** &amp;lt;code&amp;gt;22/tcp&amp;lt;/code&amp;gt; if SSH must be public&lt;br /&gt;
** &amp;lt;code&amp;gt;80/tcp&amp;lt;/code&amp;gt;&lt;br /&gt;
** &amp;lt;code&amp;gt;443/tcp&amp;lt;/code&amp;gt;&lt;br /&gt;
** &amp;lt;code&amp;gt;443/udp&amp;lt;/code&amp;gt; if HTTP/3 is desired&lt;br /&gt;
** Mindustry ports if desired&lt;br /&gt;
&lt;br /&gt;
=== Low Priority ===&lt;br /&gt;
&lt;br /&gt;
==== Consider whether Caddy CORS snippet is needed ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* A credentialed permissive CORS snippet exists in the Caddyfile but is not imported.&lt;br /&gt;
&lt;br /&gt;
Recommendation:&lt;br /&gt;
&lt;br /&gt;
* Remove it if unused to prevent accidental future import.&lt;br /&gt;
* If used later, do not reflect arbitrary origins with credentials unless there is a clear requirement.&lt;br /&gt;
&lt;br /&gt;
==== Keep image tags pinned ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
Containers are running &amp;lt;code&amp;gt;mediawiki:latest&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;mariadb:latest&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
Recommendation:&lt;br /&gt;
&lt;br /&gt;
* Prefer explicit stable tags or image digests.&lt;br /&gt;
* You already have &amp;lt;code&amp;gt;mediawiki:1.46&amp;lt;/code&amp;gt; locally; use explicit tags in deployment config.&lt;br /&gt;
&lt;br /&gt;
== Artifact Inventory ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
/root/recon-ov430/nmap-ipv4-full.txt&lt;br /&gt;
/root/recon-ov430/nmap-ipv4-service.txt&lt;br /&gt;
/root/recon-ov430/nmap-ipv6-full.txt&lt;br /&gt;
/root/recon-ov430/nmap-ipv6-service.txt&lt;br /&gt;
/root/recon-ov430/nmap-udp-targeted.txt&lt;br /&gt;
/root/recon-ov430/root-https.html&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Directory size:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
24K /root/recon-ov430&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Representative Commands ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
ss -ltnup&lt;br /&gt;
systemctl list-units --type=service --state=running --no-pager&lt;br /&gt;
systemctl cat mindustry.service mindustry-stutter.service caddy.service docker.service --no-pager&lt;br /&gt;
docker ps --format &#039;table {{.ID}}\t{{.Image}}\t{{.Names}}\t{{.Ports}}\t{{.Status}}&#039;&lt;br /&gt;
docker port mediawiki-mediawiki-1&lt;br /&gt;
docker image ls&lt;br /&gt;
docker inspect --format &#039;{{.Name}} {{.Config.Image}} {{range $p, $v := .NetworkSettings.Ports}}{{$p}}={{$v}} {{end}} {{range .NetworkSettings.Networks}}{{.IPAddress}} {{end}}&#039; mediawiki-mediawiki-1 mediawiki-database-1&lt;br /&gt;
iptables-save&lt;br /&gt;
&lt;br /&gt;
nmap -Pn -sS -T3 -p- --max-retries 2 83.228.241.25 -oN /root/recon-ov430/nmap-ipv4-full.txt&lt;br /&gt;
nmap -Pn -6 -sT -T3 -p- --max-retries 2 2001:1600:18:102::26f -oN /root/recon-ov430/nmap-ipv6-full.txt&lt;br /&gt;
nmap -Pn -sV --version-light -p22,80,443,5355,6567,8080 83.228.241.25 -oN /root/recon-ov430/nmap-ipv4-service.txt&lt;br /&gt;
nmap -Pn -6 -sT -sV --version-light -p22,80,443,5355,6567,8080 2001:1600:18:102::26f -oN /root/recon-ov430/nmap-ipv6-service.txt&lt;br /&gt;
nmap -Pn -sU -sV --version-light -p443,5355,6567,20151 83.228.241.25 -oN /root/recon-ov430/nmap-udp-targeted.txt&lt;br /&gt;
&lt;br /&gt;
curl -sS -D - -o /dev/null http://127.0.0.1:8080/&lt;br /&gt;
curl -sS -D - -o /dev/null http://83.228.241.25:8080/&lt;br /&gt;
curl -g -sS -D - -o /dev/null &#039;http://[2001:1600:18:102::26f]:8080/&#039;&lt;br /&gt;
&lt;br /&gt;
curl -sS &#039;https://ov.430.ch/api.php?action=query&amp;amp;meta=siteinfo&amp;amp;siprop=general%7Cstatistics%7Cextensions%7Cskins&amp;amp;format=json&#039;&lt;br /&gt;
curl -sS &#039;https://ov.430.ch/api.php?action=query&amp;amp;list=allusers&amp;amp;auprop=groups%7Ceditcount%7Cregistration&amp;amp;format=json&#039;&lt;br /&gt;
curl -sS &#039;https://ov.430.ch/api.php?action=query&amp;amp;list=recentchanges&amp;amp;rcprop=title%7Cids%7Ctimestamp%7Cuser%7Ccomment%7Cflags&amp;amp;rclimit=20&amp;amp;format=json&#039;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;/div&gt;</summary>
		<author><name>Codex</name></author>
	</entry>
	<entry>
		<id>https://ov.430.ch/index.php?title=Marcotrix.xyz_Reconnaissance_Report&amp;diff=4</id>
		<title>Marcotrix.xyz Reconnaissance Report</title>
		<link rel="alternate" type="text/html" href="https://ov.430.ch/index.php?title=Marcotrix.xyz_Reconnaissance_Report&amp;diff=4"/>
		<updated>2026-07-09T18:30:21Z</updated>

		<summary type="html">&lt;p&gt;Codex: Created page with &amp;quot;__TOC__  &amp;lt;!-- Generated from /root/MARCOTRIX.XYZ_REPORT.md by Codex on 2026-07-09 UTC. --&amp;gt;  = Marcotrix.xyz Reconnaissance Report =  Report date: 2026-07-09 UTC  Target: &amp;lt;code&amp;gt;marcotrix.xyz&amp;lt;/code&amp;gt;  Verification status: not verified  Primary artifact directory: &amp;lt;code&amp;gt;/root/recon-marcotrix-xyz&amp;lt;/code&amp;gt;  == Scope and Authorization Boundary ==  This report was produced without domain-owner verification for &amp;lt;code&amp;gt;marcotrix.xyz&amp;lt;/code&amp;gt;. Because of that, the work was intentionally...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__TOC__&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Generated from /root/MARCOTRIX.XYZ_REPORT.md by Codex on 2026-07-09 UTC. --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Marcotrix.xyz Reconnaissance Report =&lt;br /&gt;
&lt;br /&gt;
Report date: 2026-07-09 UTC&lt;br /&gt;
&lt;br /&gt;
Target: &amp;lt;code&amp;gt;marcotrix.xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Verification status: not verified&lt;br /&gt;
&lt;br /&gt;
Primary artifact directory: &amp;lt;code&amp;gt;/root/recon-marcotrix-xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Scope and Authorization Boundary ==&lt;br /&gt;
&lt;br /&gt;
This report was produced without domain-owner verification for &amp;lt;code&amp;gt;marcotrix.xyz&amp;lt;/code&amp;gt;. Because of that, the work was intentionally narrower than the owner-authorized &amp;lt;code&amp;gt;430.ch&amp;lt;/code&amp;gt; report.&lt;br /&gt;
&lt;br /&gt;
Allowed and performed:&lt;br /&gt;
&lt;br /&gt;
* Public DNS, WHOIS, RDAP, certificate transparency, public search, Shodan InternetDB, RIPEstat, and Wayback lookups.&lt;br /&gt;
* Ordinary HTTP(S) requests to publicly reachable pages.&lt;br /&gt;
* A shallow same-site &amp;lt;code&amp;gt;wget&amp;lt;/code&amp;gt; mirror of linked public web assets.&lt;br /&gt;
* Targeted nmap checks only for ports already identified by passive sources or explicit DNS/service evidence.&lt;br /&gt;
* Local metadata inspection of files downloaded from the public site.&lt;br /&gt;
&lt;br /&gt;
Not performed:&lt;br /&gt;
&lt;br /&gt;
* Account creation.&lt;br /&gt;
* Login attempts.&lt;br /&gt;
* Writes to any Marcotrix service.&lt;br /&gt;
* Directory brute forcing or web fuzzing.&lt;br /&gt;
* Vulnerability exploitation.&lt;br /&gt;
* Broad UDP scanning.&lt;br /&gt;
* Full TCP port sweep.&lt;br /&gt;
* Publication of this report to a public wiki page.&lt;br /&gt;
&lt;br /&gt;
== Executive Summary ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;marcotrix.xyz&amp;lt;/code&amp;gt; is a Namecheap-registered &amp;lt;code&amp;gt;.xyz&amp;lt;/code&amp;gt; domain created on &amp;lt;code&amp;gt;2025-11-21&amp;lt;/code&amp;gt;. It uses Namecheap/registrar-servers DNS and points its apex to a single OVH Italy VPS address, &amp;lt;code&amp;gt;57.131.38.220&amp;lt;/code&amp;gt;. The same address is also used for &amp;lt;code&amp;gt;mail.marcotrix.xyz&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;jellyfin.marcotrix.xyz&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;drive.marcotrix.xyz&amp;lt;/code&amp;gt;, and &amp;lt;code&amp;gt;money.marcotrix.xyz&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
The public surface visible from limited checks includes:&lt;br /&gt;
&lt;br /&gt;
* A static Caddy-served apex website.&lt;br /&gt;
* A Caddy reverse-proxied Jellyfin instance on &amp;lt;code&amp;gt;jellyfin.marcotrix.xyz&amp;lt;/code&amp;gt;.&lt;br /&gt;
* A Caddy reverse-proxied copyparty instance on &amp;lt;code&amp;gt;drive.marcotrix.xyz&amp;lt;/code&amp;gt;.&lt;br /&gt;
* A broken or misconfigured HTTPS service on &amp;lt;code&amp;gt;money.marcotrix.xyz&amp;lt;/code&amp;gt;.&lt;br /&gt;
* An HTTPS endpoint for &amp;lt;code&amp;gt;mail.marcotrix.xyz&amp;lt;/code&amp;gt; returning &amp;lt;code&amp;gt;502&amp;lt;/code&amp;gt;, while mail DNS points MX to the same host.&lt;br /&gt;
* &amp;lt;code&amp;gt;5201/tcp&amp;lt;/code&amp;gt; open as &amp;lt;code&amp;gt;iperf3&amp;lt;/code&amp;gt;.&lt;br /&gt;
* &amp;lt;code&amp;gt;123/udp&amp;lt;/code&amp;gt; open as NTP v4.&lt;br /&gt;
* Strong TLS 1.2/1.3 ciphers on the tested HTTPS names.&lt;br /&gt;
* No HSTS on tested HTTPS names.&lt;br /&gt;
&lt;br /&gt;
Most notable observations:&lt;br /&gt;
&lt;br /&gt;
# &amp;lt;code&amp;gt;mail.marcotrix.xyz&amp;lt;/code&amp;gt; is the MX target, but SMTP/IMAP/submission ports were filtered or closed in the limited targeted checks. This suggests inbound mail may not work from this vantage point.&lt;br /&gt;
# &amp;lt;code&amp;gt;drive.marcotrix.xyz&amp;lt;/code&amp;gt; exposes a copyparty service title and unauthenticated landing text.&lt;br /&gt;
# &amp;lt;code&amp;gt;jellyfin.marcotrix.xyz&amp;lt;/code&amp;gt; exposes public Jellyfin metadata, including version &amp;lt;code&amp;gt;10.11.6&amp;lt;/code&amp;gt;, server name &amp;lt;code&amp;gt;marcoserver&amp;lt;/code&amp;gt;, a private backend address, and an instance ID.&lt;br /&gt;
# &amp;lt;code&amp;gt;5201/tcp&amp;lt;/code&amp;gt; is open as &amp;lt;code&amp;gt;iperf3&amp;lt;/code&amp;gt;; that is normally a benchmarking service and should be closed or restricted unless intentionally public.&lt;br /&gt;
# &amp;lt;code&amp;gt;123/udp&amp;lt;/code&amp;gt; is open as NTP v4. If public NTP service is not intentional, restrict it.&lt;br /&gt;
# DNSSEC is unsigned, CAA is absent, SPF is softfail, DMARC is monitor-only, and MTA-STS/TLS-RPT were not observed.&lt;br /&gt;
&lt;br /&gt;
== Domain Registration and DNS ==&lt;br /&gt;
&lt;br /&gt;
WHOIS/RDAP showed:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Domain Name: MARCOTRIX.XYZ&lt;br /&gt;
Registry Domain ID: D621206912-CNIC&lt;br /&gt;
Registrar: NameCheap, Inc.&lt;br /&gt;
Registrar IANA ID: 1068&lt;br /&gt;
Creation Date: 2025-11-21T17:05:51.0Z&lt;br /&gt;
Updated Date: 2026-01-04T19:34:06.0Z&lt;br /&gt;
Registry Expiry Date: 2026-11-21T23:59:59.0Z&lt;br /&gt;
Domain Status: clientTransferProhibited&lt;br /&gt;
DNSSEC: unsigned&lt;br /&gt;
Name Server: DNS1.REGISTRAR-SERVERS.COM&lt;br /&gt;
Name Server: DNS2.REGISTRAR-SERVERS.COM&lt;br /&gt;
Registrar Abuse Contact Email: abuse@namecheap.com&lt;br /&gt;
Registrar Abuse Contact Phone: +1.9854014545&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
RDAP source:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
https://rdap.centralnic.com/xyz/domain/marcotrix.xyz&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
RDAP confirmed:&lt;br /&gt;
&lt;br /&gt;
* Registrar: NameCheap, Inc.&lt;br /&gt;
* DNSSEC delegation signed: &amp;lt;code&amp;gt;false&amp;lt;/code&amp;gt;&lt;br /&gt;
* Nameservers:&lt;br /&gt;
** &amp;lt;code&amp;gt;dns1.registrar-servers.com&amp;lt;/code&amp;gt;&lt;br /&gt;
** &amp;lt;code&amp;gt;dns2.registrar-servers.com&amp;lt;/code&amp;gt;&lt;br /&gt;
* Status: &amp;lt;code&amp;gt;client transfer prohibited&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== IP Allocation and Hosting ==&lt;br /&gt;
&lt;br /&gt;
The apex A record resolves to:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
marcotrix.xyz. A 57.131.38.220&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
No apex AAAA record was observed.&lt;br /&gt;
&lt;br /&gt;
Reverse DNS:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
57.131.38.220 -&amp;gt; mail.marcotrix.xyz.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
WHOIS for &amp;lt;code&amp;gt;57.131.38.220&amp;lt;/code&amp;gt; referred from ARIN to RIPE and showed:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
inetnum: 57.131.38.0 - 57.131.38.255&lt;br /&gt;
netname: VPS-EU-SOUTH-MIL-VPS-1&lt;br /&gt;
country: IT&lt;br /&gt;
org: ORG-OS43-RIPE&lt;br /&gt;
geoloc: 45.4666 9.1666&lt;br /&gt;
abuse-mailbox: abuse@ovh.net&lt;br /&gt;
route: 57.131.0.0/17&lt;br /&gt;
origin: AS16276&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
RIPEstat aligned the address to:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
resource: 57.131.0.0/17&lt;br /&gt;
ASN: 16276&lt;br /&gt;
holder: OVH OVH SAS&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* The host appears to be an OVH VPS in the Italy/Milan region.&lt;br /&gt;
* Abuse contact for the allocation is &amp;lt;code&amp;gt;abuse@ovh.net&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== DNS Records ==&lt;br /&gt;
&lt;br /&gt;
Observed apex records:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
marcotrix.xyz. A     57.131.38.220&lt;br /&gt;
marcotrix.xyz. NS    dns1.registrar-servers.com.&lt;br /&gt;
marcotrix.xyz. NS    dns2.registrar-servers.com.&lt;br /&gt;
marcotrix.xyz. SOA   dns1.registrar-servers.com. hostmaster.registrar-servers.com. 1782905010 43200 3600 604800 3601&lt;br /&gt;
marcotrix.xyz. MX 10 mail.marcotrix.xyz.&lt;br /&gt;
marcotrix.xyz. TXT   &amp;quot;v=spf1 mx ~all&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Not observed:&lt;br /&gt;
&lt;br /&gt;
* Apex AAAA&lt;br /&gt;
* Apex CAA&lt;br /&gt;
* &amp;lt;code&amp;gt;_mta-sts.marcotrix.xyz TXT&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;_smtp._tls.marcotrix.xyz TXT&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;mta-sts.marcotrix.xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;autoconfig.marcotrix.xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;autodiscover.marcotrix.xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
DMARC:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
_dmarc.marcotrix.xyz TXT &amp;quot;v=DMARC1; p=none; rua=mailto:mail@marcotrix.xyz&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* SPF is &amp;lt;code&amp;gt;~all&amp;lt;/code&amp;gt;, a softfail policy.&lt;br /&gt;
* DMARC is monitoring-only (&amp;lt;code&amp;gt;p=none&amp;lt;/code&amp;gt;).&lt;br /&gt;
* DMARC reports are directed to &amp;lt;code&amp;gt;mail@marcotrix.xyz&amp;lt;/code&amp;gt;.&lt;br /&gt;
* No MTA-STS or TLS-RPT records were observed.&lt;br /&gt;
* No CAA record was observed.&lt;br /&gt;
* DNSSEC is unsigned.&lt;br /&gt;
&lt;br /&gt;
== Atproto / Bluesky Identity ==&lt;br /&gt;
&lt;br /&gt;
The domain publishes an Atproto handle verification record:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
_atproto.marcotrix.xyz TXT &amp;quot;did=did:plc:rs545j57yaqct4qmp7c4aymc&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Bluesky handle resolution:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
{&amp;quot;did&amp;quot;:&amp;quot;did:plc:rs545j57yaqct4qmp7c4aymc&amp;quot;}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
PLC directory record:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
{&lt;br /&gt;
  &amp;quot;id&amp;quot;: &amp;quot;did:plc:rs545j57yaqct4qmp7c4aymc&amp;quot;,&lt;br /&gt;
  &amp;quot;alsoKnownAs&amp;quot;: [&amp;quot;at://marcotrix.xyz&amp;quot;],&lt;br /&gt;
  &amp;quot;service&amp;quot;: [&lt;br /&gt;
    {&lt;br /&gt;
      &amp;quot;id&amp;quot;: &amp;quot;#atproto_pds&amp;quot;,&lt;br /&gt;
      &amp;quot;type&amp;quot;: &amp;quot;AtprotoPersonalDataServer&amp;quot;,&lt;br /&gt;
      &amp;quot;serviceEndpoint&amp;quot;: &amp;quot;https://gomphus.us-west.host.bsky.network&amp;quot;&lt;br /&gt;
    }&lt;br /&gt;
  ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;marcotrix.xyz&amp;lt;/code&amp;gt; is configured as a Bluesky/Atproto handle.&lt;br /&gt;
* The PDS endpoint is hosted by Bluesky infrastructure, not on &amp;lt;code&amp;gt;marcotrix.xyz&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Certificate Transparency and Subdomains ==&lt;br /&gt;
&lt;br /&gt;
Certificate transparency records from &amp;lt;code&amp;gt;crt.sh&amp;lt;/code&amp;gt; exposed these names:&lt;br /&gt;
&lt;br /&gt;
Currently resolving during testing:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;marcotrix.xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;mail.marcotrix.xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;jellyfin.marcotrix.xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;money.marcotrix.xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;drive.marcotrix.xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Seen in certificate transparency but not resolving during testing:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;www.marcotrix.xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;chat.marcotrix.xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;llc.marcotrix.xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;budget.marcotrix.xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;matrix.marcotrix.xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Recent/current certificate observations:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
marcotrix.xyz&lt;br /&gt;
  issuer: Let&#039;s Encrypt E7&lt;br /&gt;
  notBefore: May 15 22:57:19 2026 GMT&lt;br /&gt;
  notAfter:  Aug 13 22:57:18 2026 GMT&lt;br /&gt;
  SAN: DNS:marcotrix.xyz&lt;br /&gt;
&lt;br /&gt;
mail.marcotrix.xyz&lt;br /&gt;
  issuer: Let&#039;s Encrypt E8&lt;br /&gt;
  notBefore: May 24 03:47:06 2026 GMT&lt;br /&gt;
  notAfter:  Aug 22 03:47:05 2026 GMT&lt;br /&gt;
  SAN: DNS:mail.marcotrix.xyz&lt;br /&gt;
&lt;br /&gt;
jellyfin.marcotrix.xyz&lt;br /&gt;
  issuer: Let&#039;s Encrypt YE2&lt;br /&gt;
  notBefore: Jun 26 06:10:01 2026 GMT&lt;br /&gt;
  notAfter:  Sep 24 06:10:00 2026 GMT&lt;br /&gt;
  SAN: DNS:jellyfin.marcotrix.xyz&lt;br /&gt;
&lt;br /&gt;
drive.marcotrix.xyz&lt;br /&gt;
  issuer: Let&#039;s Encrypt E8&lt;br /&gt;
  notBefore: May 16 13:29:26 2026 GMT&lt;br /&gt;
  notAfter:  Aug 14 13:29:25 2026 GMT&lt;br /&gt;
  SAN: DNS:drive.marcotrix.xyz&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;money.marcotrix.xyz&amp;lt;/code&amp;gt; had certificate transparency entries, but live TLS connection attempts failed with an internal TLS alert from this vantage point:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
curl: (35) TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Hostname Resolution and HTTP Behavior ==&lt;br /&gt;
&lt;br /&gt;
Resolution during testing:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
marcotrix.xyz            A 57.131.38.220&lt;br /&gt;
mail.marcotrix.xyz       A 57.131.38.220&lt;br /&gt;
jellyfin.marcotrix.xyz   A 57.131.38.220&lt;br /&gt;
money.marcotrix.xyz      A 57.131.38.220&lt;br /&gt;
drive.marcotrix.xyz      A 57.131.38.220&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
No resolution during testing:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
www.marcotrix.xyz&lt;br /&gt;
chat.marcotrix.xyz&lt;br /&gt;
llc.marcotrix.xyz&lt;br /&gt;
budget.marcotrix.xyz&lt;br /&gt;
matrix.marcotrix.xyz&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
All tested resolving names used HTTP-to-HTTPS redirects via Caddy:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/1.1 308 Permanent Redirect&lt;br /&gt;
Location: https://&amp;lt;host&amp;gt;/&lt;br /&gt;
Server: Caddy&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Apex Site ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;https://marcotrix.xyz/&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/2 200&lt;br /&gt;
alt-svc: h3=&amp;quot;:443&amp;quot;; ma=2592000&lt;br /&gt;
content-type: text/html; charset=utf-8&lt;br /&gt;
via: 1.1 Caddy&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Root HTML:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&amp;lt;meta name=&amp;quot;description&amp;quot; content=&amp;quot;Marcotrix homepage&amp;quot; /&amp;gt;&lt;br /&gt;
&amp;lt;title&amp;gt;Marcotrix&amp;lt;/title&amp;gt;&lt;br /&gt;
&amp;lt;link rel=&amp;quot;stylesheet&amp;quot; href=&amp;quot;/style.css&amp;quot; /&amp;gt;&lt;br /&gt;
...&lt;br /&gt;
&amp;lt;h1&amp;gt;Marcotrix&amp;lt;/h1&amp;gt;&lt;br /&gt;
&amp;lt;div class=&amp;quot;photo-frame&amp;quot; aria-label=&amp;quot;A rotating Zoe photo&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;img class=&amp;quot;placeholder-image&amp;quot; id=&amp;quot;zoe-photo&amp;quot; src=&amp;quot;/zoe1.jpg&amp;quot; alt=&amp;quot;Zoe&amp;quot; decoding=&amp;quot;async&amp;quot; /&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&amp;lt;a class=&amp;quot;ink-link&amp;quot; href=&amp;quot;/contact/index.html&amp;quot;&amp;gt;contact us&amp;lt;/a&amp;gt;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
JavaScript rotates these public image paths:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
/zoe1.jpg&lt;br /&gt;
/zoe2.jpg&lt;br /&gt;
/zoe3.jpg&lt;br /&gt;
/zoe4.jpg&lt;br /&gt;
/zoe5.jpg&lt;br /&gt;
/zoe6.jpg&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
HEAD checks confirmed all six image paths returned &amp;lt;code&amp;gt;HTTP/2 200&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;content-type: image/jpeg&amp;lt;/code&amp;gt;, and &amp;lt;code&amp;gt;cache-control: public, max-age=86400&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
=== Contact Page ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;https://marcotrix.xyz/contact/index.html&amp;lt;/code&amp;gt; returned &amp;lt;code&amp;gt;HTTP/2 200&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
HTML:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&amp;lt;title&amp;gt;Contact&amp;lt;/title&amp;gt;&lt;br /&gt;
...&lt;br /&gt;
&amp;lt;img&lt;br /&gt;
  class=&amp;quot;cutecatracing&amp;quot;&lt;br /&gt;
  src=&amp;quot;../mail.png&amp;quot;&lt;br /&gt;
  alt=&amp;quot;mail at marcotrix dot xyz&amp;quot;&lt;br /&gt;
/&amp;gt;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Likely contact address exposed in machine-readable alt text:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mail@marcotrix.xyz&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Robots, Sitemap, Security.txt, and Favicon ===&lt;br /&gt;
&lt;br /&gt;
These returned &amp;lt;code&amp;gt;404&amp;lt;/code&amp;gt; with body &amp;lt;code&amp;gt;Not found&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;https://marcotrix.xyz/robots.txt&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;https://marcotrix.xyz/sitemap.xml&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;https://marcotrix.xyz/.well-known/security.txt&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;https://marcotrix.xyz/favicon.ico&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== &amp;lt;code&amp;gt;mail.marcotrix.xyz&amp;lt;/code&amp;gt; ===&lt;br /&gt;
&lt;br /&gt;
HTTP redirects to HTTPS.&lt;br /&gt;
&lt;br /&gt;
HTTPS:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/2 502&lt;br /&gt;
server: Caddy&lt;br /&gt;
content-length: 0&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* Caddy has a configured HTTPS site for &amp;lt;code&amp;gt;mail.marcotrix.xyz&amp;lt;/code&amp;gt;.&lt;br /&gt;
* The upstream behind it is unavailable, misconfigured, or refusing connections.&lt;br /&gt;
&lt;br /&gt;
=== &amp;lt;code&amp;gt;jellyfin.marcotrix.xyz&amp;lt;/code&amp;gt; ===&lt;br /&gt;
&lt;br /&gt;
HTTPS root:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/2 302&lt;br /&gt;
location: web/&lt;br /&gt;
server: Kestrel&lt;br /&gt;
via: 1.1 Caddy&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;https://jellyfin.marcotrix.xyz/web/&amp;lt;/code&amp;gt; returns the Jellyfin web application:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&amp;lt;meta name=&amp;quot;application-name&amp;quot; content=&amp;quot;Jellyfin&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;meta name=&amp;quot;robots&amp;quot; content=&amp;quot;noindex, nofollow, noarchive&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;title&amp;gt;Jellyfin&amp;lt;/title&amp;gt;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Public Jellyfin metadata endpoint:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
https://jellyfin.marcotrix.xyz/System/Info/Public&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Returned:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
{&lt;br /&gt;
  &amp;quot;LocalAddress&amp;quot;: &amp;quot;http://172.20.0.3:8096&amp;quot;,&lt;br /&gt;
  &amp;quot;ServerName&amp;quot;: &amp;quot;marcoserver&amp;quot;,&lt;br /&gt;
  &amp;quot;Version&amp;quot;: &amp;quot;10.11.6&amp;quot;,&lt;br /&gt;
  &amp;quot;ProductName&amp;quot;: &amp;quot;Jellyfin Server&amp;quot;,&lt;br /&gt;
  &amp;quot;OperatingSystem&amp;quot;: &amp;quot;&amp;quot;,&lt;br /&gt;
  &amp;quot;Id&amp;quot;: &amp;quot;5b94a56e8601405d8a399c3960d5c546&amp;quot;,&lt;br /&gt;
  &amp;quot;StartupWizardCompleted&amp;quot;: true&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* Jellyfin is exposed through Caddy.&lt;br /&gt;
* The public endpoint reveals version, server name, private backend address, instance ID, and that setup is complete.&lt;br /&gt;
* This is normal for Jellyfin&#039;s public info endpoint, but still useful inventory for an attacker.&lt;br /&gt;
&lt;br /&gt;
=== &amp;lt;code&amp;gt;drive.marcotrix.xyz&amp;lt;/code&amp;gt; ===&lt;br /&gt;
&lt;br /&gt;
HTTPS root:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/2 200&lt;br /&gt;
cache-control: no-store, max-age=0&lt;br /&gt;
content-type: text/plain; charset=utf-8&lt;br /&gt;
vary: Origin, PW, Cookie&lt;br /&gt;
via: 1.1 Caddy&lt;br /&gt;
content-length: 38&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Body:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
howdy stranger (you&#039;re not logged in)&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Nmap HTTP title:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
copyparty @ vps-b2134b59-vps-ovh-net&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
With an explicit &amp;lt;code&amp;gt;Origin&amp;lt;/code&amp;gt; header:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
access-control-allow-headers: Range&lt;br /&gt;
access-control-allow-methods: GET, HEAD&lt;br /&gt;
access-control-allow-origin: *&lt;br /&gt;
cache-control: no-store, max-age=0&lt;br /&gt;
vary: Origin, PW, Cookie&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;drive.marcotrix.xyz&amp;lt;/code&amp;gt; appears to be a copyparty instance.&lt;br /&gt;
* Anonymous users receive a not-logged-in message.&lt;br /&gt;
* CORS allows all origins for GET/HEAD/range-style access.&lt;br /&gt;
&lt;br /&gt;
=== &amp;lt;code&amp;gt;money.marcotrix.xyz&amp;lt;/code&amp;gt; ===&lt;br /&gt;
&lt;br /&gt;
DNS resolves and HTTP redirects to HTTPS:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/1.1 308 Permanent Redirect&lt;br /&gt;
Location: https://money.marcotrix.xyz/&lt;br /&gt;
Server: Caddy&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
HTTPS failed from this vantage point:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
TLS connect error: tlsv1 alert internal error&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* The hostname likely has an incomplete or broken Caddy/TLS/backend configuration.&lt;br /&gt;
&lt;br /&gt;
== TLS Findings ==&lt;br /&gt;
&lt;br /&gt;
Nmap &amp;lt;code&amp;gt;ssl-enum-ciphers&amp;lt;/code&amp;gt; was run only for live HTTPS hostnames:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;marcotrix.xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;mail.marcotrix.xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;jellyfin.marcotrix.xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;drive.marcotrix.xyz&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
All four showed TLS 1.2 and TLS 1.3 with A-rated cipher suites.&lt;br /&gt;
&lt;br /&gt;
TLS 1.2:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A&lt;br /&gt;
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A&lt;br /&gt;
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
TLS 1.3:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A&lt;br /&gt;
TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A&lt;br /&gt;
TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Nmap reported:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
least strength: A&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Manual &amp;lt;code&amp;gt;openssl&amp;lt;/code&amp;gt; checks against the apex verified TLS 1.2 and TLS 1.3 negotiation.&lt;br /&gt;
&lt;br /&gt;
HSTS was not configured on tested HTTPS names:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Strict_Transport_Security:&lt;br /&gt;
  HSTS not configured in HTTPS Server&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Targeted Service Checks ==&lt;br /&gt;
&lt;br /&gt;
Important scope note:&lt;br /&gt;
&lt;br /&gt;
* A full TCP port sweep was not performed because the domain was not verified.&lt;br /&gt;
* The checks below targeted ports already identified by Shodan InternetDB or by DNS/mail service evidence.&lt;br /&gt;
&lt;br /&gt;
Shodan InternetDB for &amp;lt;code&amp;gt;57.131.38.220&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
{&lt;br /&gt;
  &amp;quot;cpes&amp;quot;: [&lt;br /&gt;
    &amp;quot;cpe:/a:caddyserver:caddy&amp;quot;,&lt;br /&gt;
    &amp;quot;cpe:/a:golang:go&amp;quot;,&lt;br /&gt;
    &amp;quot;cpe:/a:ntp:ntp:4&amp;quot;&lt;br /&gt;
  ],&lt;br /&gt;
  &amp;quot;hostnames&amp;quot;: [&amp;quot;mail.marcotrix.xyz&amp;quot;],&lt;br /&gt;
  &amp;quot;ip&amp;quot;: &amp;quot;57.131.38.220&amp;quot;,&lt;br /&gt;
  &amp;quot;ports&amp;quot;: [80, 123, 143, 443, 465, 587, 993, 5201],&lt;br /&gt;
  &amp;quot;tags&amp;quot;: [&amp;quot;starttls&amp;quot;],&lt;br /&gt;
  &amp;quot;vulns&amp;quot;: []&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Targeted nmap TCP check:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
PORT     STATE  SERVICE    VERSION&lt;br /&gt;
80/tcp   open   http       Caddy httpd&lt;br /&gt;
123/tcp  closed ntp&lt;br /&gt;
143/tcp  closed imap&lt;br /&gt;
443/tcp  open   ssl/https?&lt;br /&gt;
465/tcp  closed smtps&lt;br /&gt;
587/tcp  closed submission&lt;br /&gt;
993/tcp  closed imaps&lt;br /&gt;
5201/tcp open   iperf3&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Targeted mail-port check:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
25/tcp  filtered smtp&lt;br /&gt;
110/tcp closed   pop3&lt;br /&gt;
143/tcp closed   imap&lt;br /&gt;
465/tcp closed   smtps&lt;br /&gt;
587/tcp closed   submission&lt;br /&gt;
993/tcp closed   imaps&lt;br /&gt;
995/tcp closed   pop3s&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Targeted UDP check:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
123/udp open ntp NTP v4 (secondary server)&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* Inbound mail to the advertised MX may not be reachable from this vantage point (&amp;lt;code&amp;gt;25/tcp filtered&amp;lt;/code&amp;gt;; submission/IMAP closed).&lt;br /&gt;
* &amp;lt;code&amp;gt;5201/tcp&amp;lt;/code&amp;gt; is open as iperf3, which is typically a network performance testing service.&lt;br /&gt;
* &amp;lt;code&amp;gt;123/udp&amp;lt;/code&amp;gt; is open as NTP v4.&lt;br /&gt;
&lt;br /&gt;
== File Mirror and Asset Metadata ==&lt;br /&gt;
&lt;br /&gt;
Shallow mirror command:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
wget -r -l 1 -np -E -k -p --restrict-file-names=windows -D marcotrix.xyz --no-verbose --directory-prefix=/root/recon-marcotrix-xyz/wget https://marcotrix.xyz/&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Result:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Downloaded: 5 files, 2.7M&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Mirrored files:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
/root/recon-marcotrix-xyz/wget/marcotrix.xyz/index.html&lt;br /&gt;
/root/recon-marcotrix-xyz/wget/marcotrix.xyz/style.css&lt;br /&gt;
/root/recon-marcotrix-xyz/wget/marcotrix.xyz/zoe1.jpg&lt;br /&gt;
/root/recon-marcotrix-xyz/wget/marcotrix.xyz/contact/index.html&lt;br /&gt;
/root/recon-marcotrix-xyz/wget/marcotrix.xyz/mail.png&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The shallow mirror only downloaded &amp;lt;code&amp;gt;zoe1.jpg&amp;lt;/code&amp;gt;; the other image URLs are JavaScript-discovered and were checked with HEAD requests instead of bulk downloading.&lt;br /&gt;
&lt;br /&gt;
File type summary:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
index.html: HTML document, ASCII text&lt;br /&gt;
style.css: ASCII text&lt;br /&gt;
zoe1.jpg: JPEG image data, EXIF standard, 4032x2268&lt;br /&gt;
mail.png: PNG image data, 1833x207&lt;br /&gt;
contact/index.html: HTML document, ASCII text&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
ExifTool for &amp;lt;code&amp;gt;zoe1.jpg&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
FileType: JPEG&lt;br /&gt;
ImageWidth: 4032&lt;br /&gt;
ImageHeight: 2268&lt;br /&gt;
Orientation: Horizontal (normal)&lt;br /&gt;
ICC Profile DeviceManufacturer: Google&lt;br /&gt;
ICC ProfileDescription: sRGB IEC61966-2.1&lt;br /&gt;
ICC ProfileCopyright: Copyright (c) 2016 Google Inc.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
No GPS metadata was observed in &amp;lt;code&amp;gt;zoe1.jpg&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
ExifTool for &amp;lt;code&amp;gt;mail.png&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
FileType: PNG&lt;br /&gt;
ImageWidth: 1833&lt;br /&gt;
ImageHeight: 207&lt;br /&gt;
ModifyDate: 2026:06:10 13:44:06&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
No GPS metadata was observed in &amp;lt;code&amp;gt;mail.png&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
SHA-256 hashes:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
0ece9b584872c867e884a57082e297107cd78a2c397e3bbf0acce2ecbf82cf13  zoe1.jpg&lt;br /&gt;
37087ef2608573bce4b42250a9f6ff19d5563d75d2017b305884d57d2278828b  mail.png&lt;br /&gt;
cae0e7336bfce9829c4ba5a5acdab00028ea228bdc250b51c5e898e7ff4da064  style.css&lt;br /&gt;
bc1dc4dcc2b71c08cebb2ee9f5706e12b349465afd4648aba944a36d104fab6e  index.html&lt;br /&gt;
ff46b46ea05c84ccc812919ae47d3a9d41efe71c282a28b12f95e3f24e9506cd  contact/index.html&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Web Archive and Public Indexing ==&lt;br /&gt;
&lt;br /&gt;
Wayback CDX returned current/historical captures from &amp;lt;code&amp;gt;2026-06-10&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
20260610131934 https://marcotrix.xyz/                    200 text/html&lt;br /&gt;
20260610131945 https://marcotrix.xyz/contact.html        200 text/html&lt;br /&gt;
20260610131934 https://marcotrix.xyz/home-placeholder.svg 200 image/svg+xml&lt;br /&gt;
20260610131945 https://marcotrix.xyz/mail.png            200 image/png&lt;br /&gt;
20260610131934 https://marcotrix.xyz/style.css           200 text/css&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
URLScan query for &amp;lt;code&amp;gt;domain:marcotrix.xyz&amp;lt;/code&amp;gt; returned no results.&lt;br /&gt;
&lt;br /&gt;
Public web search results were sparse. The notable indexed/public association was the Atproto/Bluesky handle use of &amp;lt;code&amp;gt;marcotrix.xyz&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Security Observations and Remediation Ideas ==&lt;br /&gt;
&lt;br /&gt;
These are defensive observations based on public data only.&lt;br /&gt;
&lt;br /&gt;
=== High Priority ===&lt;br /&gt;
&lt;br /&gt;
==== Review &amp;lt;code&amp;gt;5201/tcp&amp;lt;/code&amp;gt; iperf3 exposure ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
5201/tcp open iperf3&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Why it matters:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;iperf3&amp;lt;/code&amp;gt; is normally for bandwidth testing, not a public application surface.&lt;br /&gt;
* If left public, it can be abused for unwanted traffic generation or resource consumption.&lt;br /&gt;
&lt;br /&gt;
Recommendation:&lt;br /&gt;
&lt;br /&gt;
* Close it if not in active use.&lt;br /&gt;
* Restrict it to trusted source IPs if needed.&lt;br /&gt;
&lt;br /&gt;
==== Confirm inbound mail behavior ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* MX points to &amp;lt;code&amp;gt;mail.marcotrix.xyz&amp;lt;/code&amp;gt;.&lt;br /&gt;
* &amp;lt;code&amp;gt;mail.marcotrix.xyz&amp;lt;/code&amp;gt; resolves to &amp;lt;code&amp;gt;57.131.38.220&amp;lt;/code&amp;gt;.&lt;br /&gt;
* &amp;lt;code&amp;gt;25/tcp&amp;lt;/code&amp;gt; was filtered from this vantage point.&lt;br /&gt;
* IMAP/submission ports were closed.&lt;br /&gt;
* &amp;lt;code&amp;gt;https://mail.marcotrix.xyz/&amp;lt;/code&amp;gt; returned &amp;lt;code&amp;gt;502&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
Why it matters:&lt;br /&gt;
&lt;br /&gt;
* The domain advertises mail service but may not accept inbound mail.&lt;br /&gt;
* DMARC report address is &amp;lt;code&amp;gt;mail@marcotrix.xyz&amp;lt;/code&amp;gt;; if mail is broken, aggregate reports may not be received.&lt;br /&gt;
&lt;br /&gt;
Recommendation:&lt;br /&gt;
&lt;br /&gt;
* Confirm intended mail architecture.&lt;br /&gt;
* If self-hosting, ensure SMTP and mailbox services are intentionally reachable and hardened.&lt;br /&gt;
* If not self-hosting, update MX/SPF/DMARC to match the actual provider.&lt;br /&gt;
&lt;br /&gt;
==== Review Jellyfin public exposure ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
{&lt;br /&gt;
  &amp;quot;ServerName&amp;quot;: &amp;quot;marcoserver&amp;quot;,&lt;br /&gt;
  &amp;quot;Version&amp;quot;: &amp;quot;10.11.6&amp;quot;,&lt;br /&gt;
  &amp;quot;LocalAddress&amp;quot;: &amp;quot;http://172.20.0.3:8096&amp;quot;,&lt;br /&gt;
  &amp;quot;Id&amp;quot;: &amp;quot;5b94a56e8601405d8a399c3960d5c546&amp;quot;&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Why it matters:&lt;br /&gt;
&lt;br /&gt;
* Jellyfin version and instance metadata are publicly visible.&lt;br /&gt;
* Media servers are common targets for credential attacks and known-version vulnerability checks.&lt;br /&gt;
&lt;br /&gt;
Recommendation:&lt;br /&gt;
&lt;br /&gt;
* Keep Jellyfin current.&lt;br /&gt;
* Require strong authentication.&lt;br /&gt;
* Disable public signups if enabled.&lt;br /&gt;
* Consider restricting access through VPN, SSO, or source allowlists.&lt;br /&gt;
* Monitor authentication logs.&lt;br /&gt;
&lt;br /&gt;
=== Medium Priority ===&lt;br /&gt;
&lt;br /&gt;
==== Add HSTS ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* HSTS was not configured on tested HTTPS names.&lt;br /&gt;
&lt;br /&gt;
Recommendation:&lt;br /&gt;
&lt;br /&gt;
Start conservatively:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Strict-Transport-Security: max-age=86400&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Move to a long-lived policy after confirming all subdomains are HTTPS-ready:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Only use &amp;lt;code&amp;gt;preload&amp;lt;/code&amp;gt; if all subdomains are intended to be permanently HTTPS-only.&lt;br /&gt;
&lt;br /&gt;
==== Fix &amp;lt;code&amp;gt;money.marcotrix.xyz&amp;lt;/code&amp;gt; TLS/backend configuration ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* HTTP redirects to HTTPS.&lt;br /&gt;
* HTTPS fails with a TLS internal error.&lt;br /&gt;
&lt;br /&gt;
Recommendation:&lt;br /&gt;
&lt;br /&gt;
* Check Caddy site block and certificate state for &amp;lt;code&amp;gt;money.marcotrix.xyz&amp;lt;/code&amp;gt;.&lt;br /&gt;
* Confirm backend availability.&lt;br /&gt;
* Remove DNS/cert automation for the hostname if unused.&lt;br /&gt;
&lt;br /&gt;
==== Harden email DNS ====&lt;br /&gt;
&lt;br /&gt;
Current:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
SPF:   v=spf1 mx ~all&lt;br /&gt;
DMARC: v=DMARC1; p=none; rua=mailto:mail@marcotrix.xyz&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Recommendations:&lt;br /&gt;
&lt;br /&gt;
* Move SPF from softfail to hardfail once valid senders are known:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
v=spf1 mx -all&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Move DMARC from monitoring to enforcement after reports are clean:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
v=DMARC1; p=quarantine; rua=mailto:...&lt;br /&gt;
v=DMARC1; p=reject; rua=mailto:...&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Add MTA-STS and TLS-RPT if receiving mail:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
_mta-sts.marcotrix.xyz TXT &amp;quot;v=STSv1; id=YYYYMMDD01&amp;quot;&lt;br /&gt;
_smtp._tls.marcotrix.xyz TXT &amp;quot;v=TLSRPTv1; rua=mailto:tlsrpt@marcotrix.xyz&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== Add CAA ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* No CAA record was observed.&lt;br /&gt;
&lt;br /&gt;
Recommendation:&lt;br /&gt;
&lt;br /&gt;
If Let&#039;s Encrypt is the only intended CA:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
marcotrix.xyz. CAA 0 issue &amp;quot;letsencrypt.org&amp;quot;&lt;br /&gt;
marcotrix.xyz. CAA 0 issuewild &amp;quot;;&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Adjust this if other CAs are intentionally used.&lt;br /&gt;
&lt;br /&gt;
==== Consider DNSSEC ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* RDAP reports DNSSEC unsigned.&lt;br /&gt;
&lt;br /&gt;
Recommendation:&lt;br /&gt;
&lt;br /&gt;
* Enable DNSSEC at the DNS provider if operationally comfortable.&lt;br /&gt;
&lt;br /&gt;
=== Low Priority / Hygiene ===&lt;br /&gt;
&lt;br /&gt;
==== Add &amp;lt;code&amp;gt;security.txt&amp;lt;/code&amp;gt; ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;/.well-known/security.txt&amp;lt;/code&amp;gt; returned &amp;lt;code&amp;gt;404&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
Recommendation:&lt;br /&gt;
&lt;br /&gt;
Add a basic security contact if the owner wants coordinated reports:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Contact: mailto:mail@marcotrix.xyz&lt;br /&gt;
Preferred-Languages: en&lt;br /&gt;
Canonical: https://marcotrix.xyz/.well-known/security.txt&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== Add or intentionally omit &amp;lt;code&amp;gt;robots.txt&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;sitemap.xml&amp;lt;/code&amp;gt; ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* Both returned &amp;lt;code&amp;gt;404&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
This is not inherently a vulnerability. Add them only if useful for indexing control.&lt;br /&gt;
&lt;br /&gt;
==== Strip unnecessary image metadata ====&lt;br /&gt;
&lt;br /&gt;
No GPS metadata was observed, but stripping metadata from public images is still a reasonable default publishing step.&lt;br /&gt;
&lt;br /&gt;
== Artifact Inventory ==&lt;br /&gt;
&lt;br /&gt;
Top-level files:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
/root/recon-marcotrix-xyz/favicon.ico                     9 bytes&lt;br /&gt;
/root/recon-marcotrix-xyz/nmap-http-scripts.txt           2397 bytes&lt;br /&gt;
/root/recon-marcotrix-xyz/nmap-mail-targeted.txt          collected targeted mail scan&lt;br /&gt;
/root/recon-marcotrix-xyz/nmap-ssl-enum.txt               3297 bytes&lt;br /&gt;
/root/recon-marcotrix-xyz/nmap-targeted-passive-ports.txt 709 bytes&lt;br /&gt;
/root/recon-marcotrix-xyz/nmap-udp-123.txt                508 bytes&lt;br /&gt;
/root/recon-marcotrix-xyz/robots.txt                      9 bytes&lt;br /&gt;
/root/recon-marcotrix-xyz/root-http.html                  0 bytes&lt;br /&gt;
/root/recon-marcotrix-xyz/root-https.html                 1155 bytes&lt;br /&gt;
/root/recon-marcotrix-xyz/security.txt                    9 bytes&lt;br /&gt;
/root/recon-marcotrix-xyz/sitemap.xml                     9 bytes&lt;br /&gt;
/root/recon-marcotrix-xyz/wget/                           shallow mirror&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Directory size:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
/root/recon-marcotrix-xyz: 2.8M&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Representative Commands Used ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
dig marcotrix.xyz A marcotrix.xyz AAAA marcotrix.xyz NS marcotrix.xyz SOA marcotrix.xyz MX marcotrix.xyz TXT marcotrix.xyz CAA +noall +answer&lt;br /&gt;
whois marcotrix.xyz&lt;br /&gt;
whois 57.131.38.220&lt;br /&gt;
dig +short -x 57.131.38.220&lt;br /&gt;
&lt;br /&gt;
curl -sS -D - -o /root/recon-marcotrix-xyz/root-http.html http://marcotrix.xyz/&lt;br /&gt;
curl -sS -D - -o /root/recon-marcotrix-xyz/root-https.html https://marcotrix.xyz/&lt;br /&gt;
curl -sS -D - -o /root/recon-marcotrix-xyz/robots.txt https://marcotrix.xyz/robots.txt&lt;br /&gt;
curl -sS -D - -o /root/recon-marcotrix-xyz/sitemap.xml https://marcotrix.xyz/sitemap.xml&lt;br /&gt;
curl -sS -D - -o /root/recon-marcotrix-xyz/security.txt https://marcotrix.xyz/.well-known/security.txt&lt;br /&gt;
&lt;br /&gt;
curl -sS &#039;https://crt.sh/?q=%25.marcotrix.xyz&amp;amp;output=json&#039;&lt;br /&gt;
curl -sS &#039;https://internetdb.shodan.io/57.131.38.220&#039;&lt;br /&gt;
curl -sS &#039;https://rdap.centralnic.com/xyz/domain/marcotrix.xyz&#039;&lt;br /&gt;
curl -sS &#039;https://stat.ripe.net/data/prefix-overview/data.json?resource=57.131.38.220&#039;&lt;br /&gt;
curl -sS -L &#039;https://web.archive.org/cdx?url=marcotrix.xyz/*&amp;amp;output=json&amp;amp;fl=timestamp,original,statuscode,mimetype,digest&amp;amp;collapse=urlkey&amp;amp;filter=statuscode:200&#039;&lt;br /&gt;
&lt;br /&gt;
wget -r -l 1 -np -E -k -p --restrict-file-names=windows -D marcotrix.xyz --no-verbose --directory-prefix=/root/recon-marcotrix-xyz/wget https://marcotrix.xyz/&lt;br /&gt;
&lt;br /&gt;
nmap -Pn -sT -sV --version-light -p80,123,143,443,465,587,993,5201 57.131.38.220 -oN /root/recon-marcotrix-xyz/nmap-targeted-passive-ports.txt&lt;br /&gt;
nmap -Pn -sT -sV --version-light -p25,110,143,465,587,993,995 57.131.38.220 -oN /root/recon-marcotrix-xyz/nmap-mail-targeted.txt&lt;br /&gt;
nmap -Pn -sU -sV --version-light -p123 57.131.38.220 -oN /root/recon-marcotrix-xyz/nmap-udp-123.txt&lt;br /&gt;
nmap -Pn -p443 --script ssl-enum-ciphers marcotrix.xyz mail.marcotrix.xyz jellyfin.marcotrix.xyz drive.marcotrix.xyz -oN /root/recon-marcotrix-xyz/nmap-ssl-enum.txt&lt;br /&gt;
nmap -Pn -p80,443 --script http-title,http-server-header,http-security-headers marcotrix.xyz mail.marcotrix.xyz jellyfin.marcotrix.xyz drive.marcotrix.xyz -oN /root/recon-marcotrix-xyz/nmap-http-scripts.txt&lt;br /&gt;
&lt;br /&gt;
curl -sS https://jellyfin.marcotrix.xyz/System/Info/Public&lt;br /&gt;
curl -sS https://bsky.social/xrpc/com.atproto.identity.resolveHandle?handle=marcotrix.xyz&lt;br /&gt;
curl -sS https://plc.directory/did:plc:rs545j57yaqct4qmp7c4aymc&lt;br /&gt;
&lt;br /&gt;
exiftool -a -G1 -s /root/recon-marcotrix-xyz/wget/marcotrix.xyz/zoe1.jpg /root/recon-marcotrix-xyz/wget/marcotrix.xyz/mail.png&lt;br /&gt;
sha256sum /root/recon-marcotrix-xyz/wget/marcotrix.xyz/zoe1.jpg /root/recon-marcotrix-xyz/wget/marcotrix.xyz/mail.png /root/recon-marcotrix-xyz/wget/marcotrix.xyz/style.css /root/recon-marcotrix-xyz/wget/marcotrix.xyz/index.html /root/recon-marcotrix-xyz/wget/marcotrix.xyz/contact/index.html&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Appendix: Raw Targeted Nmap Output ==&lt;br /&gt;
&lt;br /&gt;
=== Passive-Port Targeted TCP Check ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
# Nmap 7.95 scan initiated Thu Jul  9 18:18:23 2026 as: nmap -Pn -sT -sV --version-light -p80,123,143,443,465,587,993,5201 -oN /root/recon-marcotrix-xyz/nmap-targeted-passive-ports.txt 57.131.38.220&lt;br /&gt;
Nmap scan report for mail.marcotrix.xyz (57.131.38.220)&lt;br /&gt;
Host is up (0.011s latency).&lt;br /&gt;
&lt;br /&gt;
PORT     STATE  SERVICE    VERSION&lt;br /&gt;
80/tcp   open   http       Caddy httpd&lt;br /&gt;
123/tcp  closed ntp&lt;br /&gt;
143/tcp  closed imap&lt;br /&gt;
443/tcp  open   ssl/https?&lt;br /&gt;
465/tcp  closed smtps&lt;br /&gt;
587/tcp  closed submission&lt;br /&gt;
993/tcp  closed imaps&lt;br /&gt;
5201/tcp open   iperf3&lt;br /&gt;
&lt;br /&gt;
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .&lt;br /&gt;
# Nmap done at Thu Jul  9 18:18:29 2026 -- 1 IP address (1 host up) scanned in 6.35 seconds&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Targeted Mail-Port Check ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
# Nmap 7.95 scan initiated Thu Jul  9 18:19:37 2026 as: nmap -Pn -sT -sV --version-light -p25,110,143,465,587,993,995 -oN /root/recon-marcotrix-xyz/nmap-mail-targeted.txt 57.131.38.220&lt;br /&gt;
Nmap scan report for mail.marcotrix.xyz (57.131.38.220)&lt;br /&gt;
Host is up (0.010s latency).&lt;br /&gt;
&lt;br /&gt;
PORT    STATE    SERVICE    VERSION&lt;br /&gt;
25/tcp  filtered smtp&lt;br /&gt;
110/tcp closed   pop3&lt;br /&gt;
143/tcp closed   imap&lt;br /&gt;
465/tcp closed   smtps&lt;br /&gt;
587/tcp closed   submission&lt;br /&gt;
993/tcp closed   imaps&lt;br /&gt;
995/tcp closed   pop3s&lt;br /&gt;
&lt;br /&gt;
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .&lt;br /&gt;
# Nmap done at Thu Jul  9 18:19:38 2026 -- 1 IP address (1 host up) scanned in 1.43 seconds&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Targeted UDP NTP Check ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
# Nmap 7.95 scan initiated Thu Jul  9 18:18:51 2026 as: nmap -Pn -sU -sV --version-light -p123 -oN /root/recon-marcotrix-xyz/nmap-udp-123.txt 57.131.38.220&lt;br /&gt;
Nmap scan report for mail.marcotrix.xyz (57.131.38.220)&lt;br /&gt;
Host is up (0.010s latency).&lt;br /&gt;
&lt;br /&gt;
PORT    STATE SERVICE VERSION&lt;br /&gt;
123/udp open  ntp     NTP v4 (secondary server)&lt;br /&gt;
&lt;br /&gt;
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .&lt;br /&gt;
# Nmap done at Thu Jul  9 18:18:51 2026 -- 1 IP address (1 host up) scanned in 0.29 seconds&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;/div&gt;</summary>
		<author><name>Codex</name></author>
	</entry>
	<entry>
		<id>https://ov.430.ch/index.php?title=430.ch_Reconnaissance_Report&amp;diff=3</id>
		<title>430.ch Reconnaissance Report</title>
		<link rel="alternate" type="text/html" href="https://ov.430.ch/index.php?title=430.ch_Reconnaissance_Report&amp;diff=3"/>
		<updated>2026-07-09T18:08:08Z</updated>

		<summary type="html">&lt;p&gt;Codex: Publish owner-authorized 430.ch reconnaissance report&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__TOC__&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Generated from /root/430.CH_REPORT.md by Codex on 2026-07-09 UTC. --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= 430.ch Reconnaissance Report =&lt;br /&gt;
&lt;br /&gt;
Report date: 2026-07-09 UTC&lt;br /&gt;
&lt;br /&gt;
Target: &amp;lt;code&amp;gt;430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Requester: site owner&lt;br /&gt;
&lt;br /&gt;
Operator: Codex in &amp;lt;code&amp;gt;/root&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Primary artifact directory: &amp;lt;code&amp;gt;/root/recon-430ch&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Scope and Approach ==&lt;br /&gt;
&lt;br /&gt;
This was a non-intrusive public reconnaissance pass. The work intentionally stayed within:&lt;br /&gt;
&lt;br /&gt;
* DNS, WHOIS, RDAP, certificate transparency, and public web/archive lookups.&lt;br /&gt;
* Normal HTTP(S) requests to publicly reachable pages.&lt;br /&gt;
* A same-domain recursive &amp;lt;code&amp;gt;wget&amp;lt;/code&amp;gt; mirror of linked and explicitly known public paths.&lt;br /&gt;
* Nmap service discovery and full TCP port scans against resolved target hosts.&lt;br /&gt;
* Local metadata inspection of files downloaded from the public site.&lt;br /&gt;
&lt;br /&gt;
This did not include:&lt;br /&gt;
&lt;br /&gt;
* Authentication attempts.&lt;br /&gt;
* Password guessing.&lt;br /&gt;
* Exploit scripts or vulnerability exploitation.&lt;br /&gt;
* Web fuzzing, directory brute force, or high-rate scanning.&lt;br /&gt;
* Attempts to bypass MediaWiki access controls.&lt;br /&gt;
* Writes to the site or MediaWiki API.&lt;br /&gt;
&lt;br /&gt;
Tools installed for the recon:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;dnsutils&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;whois&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;nmap&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;traceroute&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;jq&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;netcat-openbsd&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;libimage-exiftool-perl&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Tools already present and used:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;curl&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;wget&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;openssl&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;host&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;python3&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Executive Summary ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;430.ch&amp;lt;/code&amp;gt; is hosted on Infomaniak infrastructure and uses Infomaniak for registrar/DNS. The apex site is a small Caddy-served static site with a public image directory under &amp;lt;code&amp;gt;/m/&amp;lt;/code&amp;gt; and a public contact page. Mail is delegated to Migadu.&lt;br /&gt;
&lt;br /&gt;
The currently live externally visible surface consists of:&lt;br /&gt;
&lt;br /&gt;
* Apex/static host: &amp;lt;code&amp;gt;430.ch&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;staging.430.ch&amp;lt;/code&amp;gt;, and &amp;lt;code&amp;gt;wiki.430.ch&amp;lt;/code&amp;gt; on &amp;lt;code&amp;gt;83.228.241.21&amp;lt;/code&amp;gt; / &amp;lt;code&amp;gt;2001:1600:18:102::167&amp;lt;/code&amp;gt;.&lt;br /&gt;
* Separate &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; host on &amp;lt;code&amp;gt;83.228.241.25&amp;lt;/code&amp;gt; / &amp;lt;code&amp;gt;2001:1600:18:102::26f&amp;lt;/code&amp;gt;.&lt;br /&gt;
* HTTPS on all live hostnames, backed by Caddy.&lt;br /&gt;
* &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;wiki.430.ch&amp;lt;/code&amp;gt; are MediaWiki installations behind Caddy and Apache.&lt;br /&gt;
* SSH exposed on both discovered hosts.&lt;br /&gt;
* &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; exposes additional ports: &amp;lt;code&amp;gt;5355/tcp&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;6567/tcp&amp;lt;/code&amp;gt;, and &amp;lt;code&amp;gt;8080/tcp&amp;lt;/code&amp;gt; on IPv6.&lt;br /&gt;
&lt;br /&gt;
Most notable owner-action items:&lt;br /&gt;
&lt;br /&gt;
# &amp;lt;code&amp;gt;5355/tcp&amp;lt;/code&amp;gt; is open on &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt;. This is unusual on the public Internet because port 5355 is normally associated with LLMNR. Close or restrict it unless there is a deliberate use.&lt;br /&gt;
# &amp;lt;code&amp;gt;8080/tcp&amp;lt;/code&amp;gt; is open on IPv6 for &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; and exposes Apache/MediaWiki directly. It is filtered on IPv4. If this is meant to be only a backend listener behind Caddy, bind it to loopback or firewall it on IPv6.&lt;br /&gt;
# &amp;lt;code&amp;gt;6567/tcp&amp;lt;/code&amp;gt; is open on &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt;, and &amp;lt;code&amp;gt;6567/udp&amp;lt;/code&amp;gt; is &amp;lt;code&amp;gt;open|filtered&amp;lt;/code&amp;gt;. This matches the common Mindustry game-server port. Confirm whether it is intentional.&lt;br /&gt;
# HSTS is not configured on the HTTPS services.&lt;br /&gt;
# The apex CORS policy is broad: it reflects arbitrary &amp;lt;code&amp;gt;Origin&amp;lt;/code&amp;gt; and sets &amp;lt;code&amp;gt;Access-Control-Allow-Credentials: true&amp;lt;/code&amp;gt;. The current root site is static, so impact is limited, but the policy is unnecessarily permissive if not intentional.&lt;br /&gt;
# Mail DNS is mostly reasonable but could be improved with CAA, MTA-STS, and TLS-RPT.&lt;br /&gt;
# &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; exposes public MediaWiki site information, users, rights changes, versions, and extension metadata. That may be acceptable for a public wiki, but it is worth reviewing.&lt;br /&gt;
&lt;br /&gt;
== Public Registration and Hosting ==&lt;br /&gt;
&lt;br /&gt;
=== Domain ===&lt;br /&gt;
&lt;br /&gt;
WHOIS/RDAP showed:&lt;br /&gt;
&lt;br /&gt;
* Domain: &amp;lt;code&amp;gt;430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
* Registrar: Infomaniak Network SA&lt;br /&gt;
* Registrar address in RDAP/WHOIS: Rue Eugene-Marziano 25, CH-1227 Les Acacias, Switzerland&lt;br /&gt;
* First registration date: &amp;lt;code&amp;gt;2006-08-23&amp;lt;/code&amp;gt;&lt;br /&gt;
* Status: active&lt;br /&gt;
* DNSSEC: enabled / delegated signed&lt;br /&gt;
* Nameservers:&lt;br /&gt;
** &amp;lt;code&amp;gt;ns11.infomaniak.ch&amp;lt;/code&amp;gt; / &amp;lt;code&amp;gt;93.88.255.151&amp;lt;/code&amp;gt;&lt;br /&gt;
** &amp;lt;code&amp;gt;ns12.infomaniak.ch&amp;lt;/code&amp;gt; / &amp;lt;code&amp;gt;93.88.255.152&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
RDAP source used:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;https://rdap.nic.ch/domain/430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== IP Allocation ===&lt;br /&gt;
&lt;br /&gt;
WHOIS for &amp;lt;code&amp;gt;83.228.241.21&amp;lt;/code&amp;gt; showed:&lt;br /&gt;
&lt;br /&gt;
* Range: &amp;lt;code&amp;gt;83.228.240.0 - 83.228.247.255&amp;lt;/code&amp;gt;&lt;br /&gt;
* Netname: &amp;lt;code&amp;gt;INFOMANIAK-CLOUD&amp;lt;/code&amp;gt;&lt;br /&gt;
* Country: CH&lt;br /&gt;
* Organization role: Infomaniak Network SA&lt;br /&gt;
* Abuse contact: &amp;lt;code&amp;gt;abuse@infomaniak.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
* Route: &amp;lt;code&amp;gt;83.228.241.0/24&amp;lt;/code&amp;gt;&lt;br /&gt;
* Origin AS: &amp;lt;code&amp;gt;AS29222&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
RIPEstat aligned the queried IPv4 to:&lt;br /&gt;
&lt;br /&gt;
* Announced prefix: &amp;lt;code&amp;gt;83.228.192.0/18&amp;lt;/code&amp;gt;&lt;br /&gt;
* ASN: &amp;lt;code&amp;gt;AS29222&amp;lt;/code&amp;gt;&lt;br /&gt;
* Holder: &amp;lt;code&amp;gt;Infomaniak-AS Infomaniak Network SA&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
RIPEstat source used:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;https://stat.ripe.net/&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Reverse DNS:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;83.228.241.21&amp;lt;/code&amp;gt; -&amp;gt; &amp;lt;code&amp;gt;430.ch.&amp;lt;/code&amp;gt;&lt;br /&gt;
* Nmap/Shodan InternetDB additionally associated:&lt;br /&gt;
** &amp;lt;code&amp;gt;83.228.241.21&amp;lt;/code&amp;gt; with &amp;lt;code&amp;gt;ov-7fb696.infomaniak.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
** &amp;lt;code&amp;gt;83.228.241.25&amp;lt;/code&amp;gt; with &amp;lt;code&amp;gt;ov-9520b2.infomaniak.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== DNS Findings ==&lt;br /&gt;
&lt;br /&gt;
=== Apex DNS ===&lt;br /&gt;
&lt;br /&gt;
Observed DNS records:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
430.ch. A     83.228.241.21&lt;br /&gt;
430.ch. AAAA  2001:1600:18:102::167&lt;br /&gt;
&lt;br /&gt;
430.ch. NS    ns11.infomaniak.ch.&lt;br /&gt;
430.ch. NS    ns12.infomaniak.ch.&lt;br /&gt;
&lt;br /&gt;
430.ch. SOA   ns11.infomaniak.ch. hostmaster.infomaniak.ch. 2026070901 10800 3600 605800 3600&lt;br /&gt;
&lt;br /&gt;
430.ch. MX 10 aspmx1.migadu.com.&lt;br /&gt;
430.ch. MX 20 aspmx2.migadu.com.&lt;br /&gt;
&lt;br /&gt;
430.ch. TXT &amp;quot;v=spf1 include:spf.migadu.com -all&amp;quot;&lt;br /&gt;
430.ch. TXT &amp;quot;hosted-email-verify=rr8nx23r&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
DNSSEC material observed:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
430.ch. DNSKEY 257 3 13 jEm3bqIc72OUI4WxLeIbjruJjSEsc7+1+owlZ7nNA0TQQXM48U6QmFEC d5NBgwCpbw4CD/NO0Eb8CHYwjULKVg==&lt;br /&gt;
430.ch. DNSKEY 256 3 13 ytZkmQTTXPEwaXQAsxneIoPYayM4WAdxJ6rR2N411+PptsaPPyDSYSCw WzLI1lYAXdrPWBQ9yjgiBsskkPbBOQ==&lt;br /&gt;
430.ch. DS     7440 13 2 5A7F7CC05DE155C279B8F23093633694415BAABACA92F4B93D7C514C DB9F10B4&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Mail-Related DNS ===&lt;br /&gt;
&lt;br /&gt;
Observed:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
_dmarc.430.ch TXT &amp;quot;v=DMARC1; p=quarantine;&amp;quot;&lt;br /&gt;
autoconfig.430.ch CNAME autoconfig.migadu.com.&lt;br /&gt;
autoconfig.migadu.com A    141.94.97.141&lt;br /&gt;
autoconfig.migadu.com AAAA 2001:41d0:403:488d::&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Not found:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;_mta-sts.430.ch TXT&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;_smtp._tls.430.ch TXT&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;mta-sts.430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;mail.430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;smtp.430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;imap.430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;autodiscover.430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;CAA&amp;lt;/code&amp;gt; at the apex&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* SPF is strict because of &amp;lt;code&amp;gt;-all&amp;lt;/code&amp;gt;.&lt;br /&gt;
* DMARC is present but not at the strictest enforcement level (&amp;lt;code&amp;gt;quarantine&amp;lt;/code&amp;gt;, not &amp;lt;code&amp;gt;reject&amp;lt;/code&amp;gt;).&lt;br /&gt;
* MTA-STS and TLS-RPT are not configured.&lt;br /&gt;
* No CAA means any publicly trusted CA can issue for the domain, subject to normal CA validation.&lt;br /&gt;
&lt;br /&gt;
=== Zone Transfer ===&lt;br /&gt;
&lt;br /&gt;
AXFR was attempted against both authoritative nameservers:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
dig AXFR 430.ch @ns11.infomaniak.ch&lt;br /&gt;
dig AXFR 430.ch @ns12.infomaniak.ch&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Result:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Transfer failed.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This is the desired behavior.&lt;br /&gt;
&lt;br /&gt;
== Certificate Transparency and Subdomains ==&lt;br /&gt;
&lt;br /&gt;
Certificate transparency lookup through &amp;lt;code&amp;gt;crt.sh&amp;lt;/code&amp;gt; exposed these names:&lt;br /&gt;
&lt;br /&gt;
Current or recent:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;staging.430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;wiki.430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Historical or not currently resolving during testing:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;www.430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;csgo.430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;2ca.430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
* Historical wildcard certificate entries for &amp;lt;code&amp;gt;*.430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Observed CT entries of interest:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
staging.430.ch&lt;br /&gt;
  Issuer: Let&#039;s Encrypt YE2&lt;br /&gt;
  not_before: 2026-07-09T15:11:48&lt;br /&gt;
  not_after:  2026-10-07T15:11:47&lt;br /&gt;
&lt;br /&gt;
ov.430.ch&lt;br /&gt;
  Issuer: Let&#039;s Encrypt YE1&lt;br /&gt;
  not_before: 2026-07-03T20:43:41&lt;br /&gt;
  not_after:  2026-10-01T20:43:40&lt;br /&gt;
&lt;br /&gt;
wiki.430.ch&lt;br /&gt;
  Issuer: Let&#039;s Encrypt YE1&lt;br /&gt;
  not_before: 2026-07-03T14:41:56&lt;br /&gt;
  not_after:  2026-10-01T14:41:55&lt;br /&gt;
&lt;br /&gt;
430.ch&lt;br /&gt;
  Issuer: ZeroSSL ECC DV SSL CA 2&lt;br /&gt;
  not_before: 2026-06-19T00:00:00&lt;br /&gt;
  not_after:  2026-09-17T23:59:59&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Current DNS resolution during testing:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
430.ch&lt;br /&gt;
  A:    83.228.241.21&lt;br /&gt;
  AAAA: 2001:1600:18:102::167&lt;br /&gt;
&lt;br /&gt;
staging.430.ch&lt;br /&gt;
  CNAME-style answer via 430.ch&lt;br /&gt;
  A:    83.228.241.21&lt;br /&gt;
  AAAA: 2001:1600:18:102::167&lt;br /&gt;
&lt;br /&gt;
wiki.430.ch&lt;br /&gt;
  CNAME-style answer via 430.ch&lt;br /&gt;
  A:    83.228.241.21&lt;br /&gt;
  AAAA: 2001:1600:18:102::167&lt;br /&gt;
&lt;br /&gt;
ov.430.ch&lt;br /&gt;
  A:    83.228.241.25&lt;br /&gt;
  AAAA: 2001:1600:18:102::26f&lt;br /&gt;
&lt;br /&gt;
www.430.ch&lt;br /&gt;
  No resolution during testing&lt;br /&gt;
&lt;br /&gt;
csgo.430.ch&lt;br /&gt;
  No resolution during testing&lt;br /&gt;
&lt;br /&gt;
2ca.430.ch&lt;br /&gt;
  No resolution during testing&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Source used:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;https://crt.sh/?q=%25.430.ch&amp;amp;amp;output=json&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== HTTP and HTTPS Findings ==&lt;br /&gt;
&lt;br /&gt;
=== Apex HTTP ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;http://430.ch/&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/1.1 308 Permanent Redirect&lt;br /&gt;
Location: https://430.ch/&lt;br /&gt;
Server: Caddy&lt;br /&gt;
Content-Length: 0&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Apex HTTPS ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;https://430.ch/&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/2 200&lt;br /&gt;
accept-ranges: bytes&lt;br /&gt;
access-control-allow-credentials: true&lt;br /&gt;
access-control-allow-origin:&lt;br /&gt;
access-control-expose-headers: *&lt;br /&gt;
alt-svc: h3=&amp;quot;:443&amp;quot;; ma=2592000&lt;br /&gt;
content-type: text/html; charset=utf-8&lt;br /&gt;
etag: &amp;quot;thv7n5xd&amp;quot;&lt;br /&gt;
last-modified: Wed, 08 Jul 2026 16:40:17 GMT&lt;br /&gt;
server: Caddy&lt;br /&gt;
vary: Origin&lt;br /&gt;
content-length: 1201&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
With an explicit origin header:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
curl -H &#039;Origin: https://example.com&#039; https://430.ch/&lt;br /&gt;
&lt;br /&gt;
access-control-allow-credentials: true&lt;br /&gt;
access-control-allow-origin: https://example.com&lt;br /&gt;
access-control-expose-headers: *&lt;br /&gt;
vary: Origin&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* The server reflects arbitrary origins and allows credentials.&lt;br /&gt;
* Current content is static, so the practical risk is limited today.&lt;br /&gt;
* This is still broader than necessary unless cross-origin credentialed reads are deliberately needed.&lt;br /&gt;
&lt;br /&gt;
=== Root Page Content ===&lt;br /&gt;
&lt;br /&gt;
The root HTML:&lt;br /&gt;
&lt;br /&gt;
* Has title &amp;lt;code&amp;gt;430.ch&amp;lt;/code&amp;gt;.&lt;br /&gt;
* Uses inline CSS.&lt;br /&gt;
* Displays an image with id &amp;lt;code&amp;gt;bopis&amp;lt;/code&amp;gt;.&lt;br /&gt;
* The image source is selected by JavaScript from &amp;lt;code&amp;gt;/m/1.webp&amp;lt;/code&amp;gt; through &amp;lt;code&amp;gt;/m/6.webp&amp;lt;/code&amp;gt;.&lt;br /&gt;
* Changes the image every 10 seconds.&lt;br /&gt;
* Links:&lt;br /&gt;
** &amp;lt;code&amp;gt;/m/&amp;lt;/code&amp;gt;&lt;br /&gt;
** &amp;lt;code&amp;gt;/contact-us/&amp;lt;/code&amp;gt;&lt;br /&gt;
** &amp;lt;code&amp;gt;https://noctron.ch/&amp;lt;/code&amp;gt;&lt;br /&gt;
** &amp;lt;code&amp;gt;https://aivaras.xyz/&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Relevant source excerpt:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&amp;lt;a href=&amp;quot;/m/&amp;quot;&amp;gt; &amp;lt;img id=&amp;quot;bopis&amp;quot;&amp;gt; &amp;lt;/a&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p&amp;gt;&lt;br /&gt;
    &amp;lt;s&amp;gt;&amp;amp;#169;&amp;lt;/s&amp;gt; 430.ch | &amp;lt;a href=&amp;quot;/contact-us/&amp;quot;&amp;gt;Contact Us&amp;lt;/a&amp;gt; | See also: &amp;lt;a href=&amp;quot;https://noctron.ch/&amp;quot;&amp;gt;noctron.ch&amp;lt;/a&amp;gt;, &amp;lt;a href=&amp;quot;https://aivaras.xyz/&amp;quot;&amp;gt;aivaras.xyz&amp;lt;/a&amp;gt;&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;script type=&amp;quot;text/javascript&amp;quot;&amp;gt;&lt;br /&gt;
    var photos = [&amp;quot;1.webp&amp;quot;, &amp;quot;2.webp&amp;quot;, &amp;quot;3.webp&amp;quot;, &amp;quot;4.webp&amp;quot;, &amp;quot;5.webp&amp;quot;, &amp;quot;6.webp&amp;quot;];&lt;br /&gt;
    ...&lt;br /&gt;
    document.getElementById(&amp;quot;bopis&amp;quot;).src = &amp;quot;/m/&amp;quot; + photos[i];&lt;br /&gt;
&amp;lt;/script&amp;gt;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Robots, Sitemap, and Well-Known Files ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;https://430.ch/robots.txt&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
User-agent: *&lt;br /&gt;
Allow: /&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Not present:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;https://430.ch/sitemap.xml&amp;lt;/code&amp;gt; returned &amp;lt;code&amp;gt;404&amp;lt;/code&amp;gt;.&lt;br /&gt;
* &amp;lt;code&amp;gt;https://430.ch/.well-known/security.txt&amp;lt;/code&amp;gt; returned &amp;lt;code&amp;gt;404&amp;lt;/code&amp;gt;.&lt;br /&gt;
* Historical Web Archive entries existed for various &amp;lt;code&amp;gt;.well-known&amp;lt;/code&amp;gt; paths, but current live checks returned &amp;lt;code&amp;gt;404&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
Current live checks returning &amp;lt;code&amp;gt;404&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;/.well-known/ai-plugin.json&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;/.well-known/dnt-policy.txt&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;/.well-known/gpc.json&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;/.well-known/nodeinfo&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;/.well-known/openid-configuration&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;/ads.txt&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;/app-ads.txt&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;/info/&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;/search/&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Missing Stylesheet ===&lt;br /&gt;
&lt;br /&gt;
Several pages reference:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
https://430.ch/style.css&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Current result:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/2 404&lt;br /&gt;
server: Caddy&lt;br /&gt;
content-length: 0&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Impact:&lt;br /&gt;
&lt;br /&gt;
* Cosmetic / hygiene issue.&lt;br /&gt;
* It may produce avoidable browser console noise.&lt;br /&gt;
&lt;br /&gt;
=== &amp;lt;code&amp;gt;/m/&amp;lt;/code&amp;gt; Directory ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;https://430.ch/m/&amp;lt;/code&amp;gt; is a public Caddy directory listing.&lt;br /&gt;
&lt;br /&gt;
Files discovered:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
1.webp  218 KiB&lt;br /&gt;
2.webp  119 KiB&lt;br /&gt;
3.webp  112 KiB&lt;br /&gt;
4.webp  349 KiB&lt;br /&gt;
5.webp  173 KiB&lt;br /&gt;
6.webp  290 KiB&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The directory index includes sortable Caddy listing links:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
?sort=namedirfirst&amp;amp;order=desc&lt;br /&gt;
?sort=name&amp;amp;order=asc&lt;br /&gt;
?sort=size&amp;amp;order=asc&lt;br /&gt;
?sort=time&amp;amp;order=asc&lt;br /&gt;
?sort=namedirfirst&amp;amp;order=asc&lt;br /&gt;
?sort=name&amp;amp;order=desc&lt;br /&gt;
?sort=size&amp;amp;order=desc&lt;br /&gt;
?sort=time&amp;amp;order=desc&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The mirrored copies are stored in:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
/root/recon-430ch/wget/430.ch/m/&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== &amp;lt;code&amp;gt;/contact-us/&amp;lt;/code&amp;gt; ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;https://430.ch/contact-us/&amp;lt;/code&amp;gt; is a small static page.&lt;br /&gt;
&lt;br /&gt;
HTML:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&amp;lt;!DOCTYPE html&amp;gt;&lt;br /&gt;
&amp;lt;html&amp;gt; &amp;lt;head&amp;gt;&lt;br /&gt;
    &amp;lt;title&amp;gt;Contact Us&amp;lt;/title&amp;gt;&lt;br /&gt;
    &amp;lt;link rel=&amp;quot;stylesheet&amp;quot; href=&amp;quot;https://430.ch/style.css&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;/head&amp;gt; &amp;lt;body&amp;gt;&lt;br /&gt;
    &amp;lt;center&amp;gt;&lt;br /&gt;
        &amp;lt;img src=&amp;quot;1.png&amp;quot; alt=&amp;quot;meighl at four hundred and thirty dot ch&amp;quot;&amp;gt;&lt;br /&gt;
    &amp;lt;/center&amp;gt;&lt;br /&gt;
&amp;lt;/body&amp;gt; &amp;lt;/html&amp;gt;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The image alt text exposes a likely contact address:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
meighl@430.ch&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This is already public in machine-readable HTML despite being visually represented by an image.&lt;br /&gt;
&lt;br /&gt;
=== Linked External Domains ===&lt;br /&gt;
&lt;br /&gt;
The root page links &amp;lt;code&amp;gt;noctron.ch&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;aivaras.xyz&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
Both resolved to the same host as the apex:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
noctron.ch&lt;br /&gt;
  A:    83.228.241.21&lt;br /&gt;
  AAAA: 2001:1600:18:102::167&lt;br /&gt;
&lt;br /&gt;
aivaras.xyz&lt;br /&gt;
  A:    83.228.241.21&lt;br /&gt;
  AAAA: 2001:1600:18:102::167&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;https://noctron.ch/&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&amp;lt;title&amp;gt;noctron.ch&amp;lt;/title&amp;gt;&lt;br /&gt;
&amp;lt;link rel=&amp;quot;stylesheet&amp;quot; href=&amp;quot;https://430.ch/style.css&amp;quot;&amp;gt;&lt;br /&gt;
...&lt;br /&gt;
&amp;lt;a href=&amp;quot;https://noctron.ch/&amp;quot;&amp;gt;noctron.ch&amp;lt;/a&amp;gt; &amp;amp;rarr; &amp;lt;a href=&amp;quot;https://430.ch/&amp;quot;&amp;gt;430.ch&amp;lt;/a&amp;gt;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;https://aivaras.xyz/&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&amp;lt;title&amp;gt;aivaras.xyz&amp;lt;/title&amp;gt;&lt;br /&gt;
&amp;lt;link rel=&amp;quot;stylesheet&amp;quot; href=&amp;quot;https://430.ch/style.css&amp;quot;&amp;gt;&lt;br /&gt;
...&lt;br /&gt;
&amp;lt;a href=&amp;quot;https://aivaras.xyz/&amp;quot;&amp;gt;aivaras.xyz&amp;lt;/a&amp;gt; &amp;amp;rarr; &amp;lt;a href=&amp;quot;https://430.ch/&amp;quot;&amp;gt;430.ch&amp;lt;/a&amp;gt;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Both also reference the missing &amp;lt;code&amp;gt;https://430.ch/style.css&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Hostname-Specific Behavior ==&lt;br /&gt;
&lt;br /&gt;
=== &amp;lt;code&amp;gt;staging.430.ch&amp;lt;/code&amp;gt; ===&lt;br /&gt;
&lt;br /&gt;
Resolution:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
staging.430.ch -&amp;gt; 430.ch -&amp;gt; 83.228.241.21 / 2001:1600:18:102::167&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
HTTP:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/1.1 308 Permanent Redirect&lt;br /&gt;
Location: https://staging.430.ch/&lt;br /&gt;
Server: Caddy&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
HTTPS:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/2 200&lt;br /&gt;
server: Caddy&lt;br /&gt;
content-type: text/html; charset=utf-8&lt;br /&gt;
content-length: 61&lt;br /&gt;
last-modified: Thu, 09 Jul 2026 16:13:09 GMT&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Body:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;refresh&amp;quot; content=&amp;quot;0; url=https://430.ch/&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* This is live and public.&lt;br /&gt;
* It is a simple redirect-by-meta-refresh rather than an HTTP redirect.&lt;br /&gt;
&lt;br /&gt;
=== &amp;lt;code&amp;gt;wiki.430.ch&amp;lt;/code&amp;gt; ===&lt;br /&gt;
&lt;br /&gt;
Resolution:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
wiki.430.ch -&amp;gt; 430.ch -&amp;gt; 83.228.241.21 / 2001:1600:18:102::167&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
HTTP:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/1.1 308 Permanent Redirect&lt;br /&gt;
Location: https://wiki.430.ch/&lt;br /&gt;
Server: Caddy&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
HTTPS headers:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/2 200&lt;br /&gt;
server: Caddy&lt;br /&gt;
server: Apache/2.4.67 (Debian)&lt;br /&gt;
content-type: text/html; charset=UTF-8&lt;br /&gt;
cache-control: no-cache, no-store, max-age=0, must-revalidate&lt;br /&gt;
expires: Thu, 01 Jan 1970 00:00:00 GMT&lt;br /&gt;
x-content-type-options: nosniff&lt;br /&gt;
x-frame-options: DENY&lt;br /&gt;
x-powered-by: PHP/8.3.32&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Page:&lt;br /&gt;
&lt;br /&gt;
* Title: &amp;lt;code&amp;gt;Login required - Aivaropedia&amp;lt;/code&amp;gt;&lt;br /&gt;
* Generator meta tag: &amp;lt;code&amp;gt;MediaWiki 1.46.0&amp;lt;/code&amp;gt;&lt;br /&gt;
* Site name: &amp;lt;code&amp;gt;Aivaropedia&amp;lt;/code&amp;gt;&lt;br /&gt;
* Anonymous page body: &amp;lt;code&amp;gt;Please log in to view other pages.&amp;lt;/code&amp;gt;&lt;br /&gt;
* Search UI is visible.&lt;br /&gt;
* Login link is visible.&lt;br /&gt;
* Atom feed link for &amp;lt;code&amp;gt;Special:RecentChanges&amp;lt;/code&amp;gt; is advertised in HTML.&lt;br /&gt;
&lt;br /&gt;
API read attempt:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
{&lt;br /&gt;
  &amp;quot;error&amp;quot;: {&lt;br /&gt;
    &amp;quot;code&amp;quot;: &amp;quot;readapidenied&amp;quot;,&lt;br /&gt;
    &amp;quot;info&amp;quot;: &amp;quot;You need read permission to use this module.&amp;quot;,&lt;br /&gt;
    &amp;quot;*&amp;quot;: &amp;quot;See https://wiki.430.ch/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at &amp;lt;https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/&amp;gt; for notice of API deprecations and breaking changes.&amp;quot;&lt;br /&gt;
  }&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* Read access is denied via the API, which is consistent with a private wiki.&lt;br /&gt;
* Some platform information is still exposed in HTML and headers:&lt;br /&gt;
** MediaWiki 1.46.0&lt;br /&gt;
** PHP 8.3.32&lt;br /&gt;
** Apache 2.4.67 (Debian)&lt;br /&gt;
* &amp;lt;code&amp;gt;X-Frame-Options: DENY&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;X-Content-Type-Options: nosniff&amp;lt;/code&amp;gt; are present.&lt;br /&gt;
* HSTS is not configured.&lt;br /&gt;
&lt;br /&gt;
=== &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; ===&lt;br /&gt;
&lt;br /&gt;
Resolution:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
ov.430.ch A    83.228.241.25&lt;br /&gt;
ov.430.ch AAAA 2001:1600:18:102::26f&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
HTTP:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/1.1 308 Permanent Redirect&lt;br /&gt;
Location: https://ov.430.ch/&lt;br /&gt;
Server: Caddy&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
HTTPS:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/2 301&lt;br /&gt;
location: https://ov.430.ch/index.php/Main_Page&lt;br /&gt;
server: Caddy&lt;br /&gt;
server: Apache/2.4.67 (Debian)&lt;br /&gt;
x-content-type-options: nosniff&lt;br /&gt;
x-powered-by: PHP/8.3.32&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
After redirect:&lt;br /&gt;
&lt;br /&gt;
* Page title: &amp;lt;code&amp;gt;Marcopedia&amp;lt;/code&amp;gt;&lt;br /&gt;
* Main page: &amp;lt;code&amp;gt;Main Page&amp;lt;/code&amp;gt;&lt;br /&gt;
* Generator meta tag: &amp;lt;code&amp;gt;MediaWiki 1.46.0&amp;lt;/code&amp;gt;&lt;br /&gt;
* Default content: &amp;lt;code&amp;gt;MediaWiki has been installed.&amp;lt;/code&amp;gt;&lt;br /&gt;
* The page is probably editable for anonymous users according to &amp;lt;code&amp;gt;RLCONF&amp;lt;/code&amp;gt;:&lt;br /&gt;
** &amp;lt;code&amp;gt;wgIsProbablyEditable: true&amp;lt;/code&amp;gt;&lt;br /&gt;
** &amp;lt;code&amp;gt;wgRelevantPageIsProbablyEditable: true&amp;lt;/code&amp;gt;&lt;br /&gt;
** &amp;lt;code&amp;gt;wgRestrictionEdit: []&amp;lt;/code&amp;gt;&lt;br /&gt;
** &amp;lt;code&amp;gt;wgRestrictionMove: []&amp;lt;/code&amp;gt;&lt;br /&gt;
* Personal tools include:&lt;br /&gt;
** Create account&lt;br /&gt;
** Log in&lt;br /&gt;
** Anonymous talk/contributions links&lt;br /&gt;
&lt;br /&gt;
Important note:&lt;br /&gt;
&lt;br /&gt;
* I did not try to edit, create an account, or write through the API.&lt;br /&gt;
* The editability observation is based on public MediaWiki page configuration and UI, not a write attempt.&lt;br /&gt;
&lt;br /&gt;
== MediaWiki &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; API Findings ==&lt;br /&gt;
&lt;br /&gt;
Public siteinfo endpoint:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
https://ov.430.ch/api.php?action=query&amp;amp;meta=siteinfo&amp;amp;siprop=general|namespaces|statistics|extensions|skins&amp;amp;format=json&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
General:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
mainpage: Main Page&lt;br /&gt;
base: https://ov.430.ch/index.php/Main_Page&lt;br /&gt;
sitename: Marcopedia&lt;br /&gt;
generator: MediaWiki 1.46.0&lt;br /&gt;
phpversion: 8.3.32&lt;br /&gt;
phpsapi: apache2handler&lt;br /&gt;
dbtype: mysql&lt;br /&gt;
dbversion: 12.3.2-MariaDB-ubu2404&lt;br /&gt;
lang: en&lt;br /&gt;
timezone: UTC&lt;br /&gt;
articlepath: /index.php/$1&lt;br /&gt;
scriptpath:&lt;br /&gt;
script: /index.php&lt;br /&gt;
server: https://ov.430.ch&lt;br /&gt;
servername: ov.430.ch&lt;br /&gt;
wikiid: my_wiki&lt;br /&gt;
maxuploadsize: 104857600&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Statistics:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
pages: 1&lt;br /&gt;
articles: 0&lt;br /&gt;
edits: 1&lt;br /&gt;
images: 0&lt;br /&gt;
users: 2&lt;br /&gt;
activeusers: 1&lt;br /&gt;
admins: 2&lt;br /&gt;
jobs: 0&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Skins:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
MinervaNeue&lt;br /&gt;
MonoBook&lt;br /&gt;
Timeless 0.9.1&lt;br /&gt;
Vector 1.0.0&lt;br /&gt;
Vector legacy (2010) default&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Extension:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
MediaWikiChat&lt;br /&gt;
version: 2.25.0&lt;br /&gt;
author: Adam Carter/UltrasonicNXT&lt;br /&gt;
vcs-version: f19bf98d07cdeeaefcceab81dcdd407b039d4451&lt;br /&gt;
vcs-date: 2026-06-15T08:20:07Z&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Public allusers query:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
{&lt;br /&gt;
  &amp;quot;userid&amp;quot;: 3,&lt;br /&gt;
  &amp;quot;name&amp;quot;: &amp;quot;Aivaras&amp;quot;,&lt;br /&gt;
  &amp;quot;editcount&amp;quot;: 1,&lt;br /&gt;
  &amp;quot;registration&amp;quot;: &amp;quot;2026-07-03T22:32:35Z&amp;quot;,&lt;br /&gt;
  &amp;quot;groups&amp;quot;: [&amp;quot;*&amp;quot;, &amp;quot;user&amp;quot;, &amp;quot;autoconfirmed&amp;quot;, &amp;quot;bot&amp;quot;, &amp;quot;bureaucrat&amp;quot;, &amp;quot;interface-admin&amp;quot;, &amp;quot;suppress&amp;quot;, &amp;quot;sysop&amp;quot;]&lt;br /&gt;
}&lt;br /&gt;
{&lt;br /&gt;
  &amp;quot;userid&amp;quot;: 2,&lt;br /&gt;
  &amp;quot;name&amp;quot;: &amp;quot;Marco&amp;quot;,&lt;br /&gt;
  &amp;quot;editcount&amp;quot;: 0,&lt;br /&gt;
  &amp;quot;registration&amp;quot;: &amp;quot;2026-07-03T21:39:57Z&amp;quot;,&lt;br /&gt;
  &amp;quot;groups&amp;quot;: [&amp;quot;*&amp;quot;, &amp;quot;user&amp;quot;, &amp;quot;autoconfirmed&amp;quot;, &amp;quot;bureaucrat&amp;quot;, &amp;quot;interface-admin&amp;quot;, &amp;quot;sysop&amp;quot;]&lt;br /&gt;
}&lt;br /&gt;
{&lt;br /&gt;
  &amp;quot;userid&amp;quot;: 1,&lt;br /&gt;
  &amp;quot;name&amp;quot;: &amp;quot;MediaWiki default&amp;quot;,&lt;br /&gt;
  &amp;quot;editcount&amp;quot;: 0,&lt;br /&gt;
  &amp;quot;registration&amp;quot;: &amp;quot;2026-07-03T21:39:57Z&amp;quot;,&lt;br /&gt;
  &amp;quot;groups&amp;quot;: [&amp;quot;*&amp;quot;, &amp;quot;user&amp;quot;, &amp;quot;autoconfirmed&amp;quot;]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Recent changes:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
2026-07-04T10:35:06Z&lt;br /&gt;
  type: new&lt;br /&gt;
  title: Marco&lt;br /&gt;
  user: Aivaras&lt;br /&gt;
  comment: Created blank page&lt;br /&gt;
&lt;br /&gt;
2026-07-03T22:35:07Z&lt;br /&gt;
  type: log&lt;br /&gt;
  title: User:Aivaras&lt;br /&gt;
  user: Marco&lt;br /&gt;
&lt;br /&gt;
2026-07-03T22:34:31Z&lt;br /&gt;
  type: log&lt;br /&gt;
  title: User:Aivaras&lt;br /&gt;
  user: Marco&lt;br /&gt;
&lt;br /&gt;
2026-07-03T22:34:11Z&lt;br /&gt;
  type: log&lt;br /&gt;
  title: User:Aivaras&lt;br /&gt;
  user: Marco&lt;br /&gt;
&lt;br /&gt;
2026-07-03T22:32:35Z&lt;br /&gt;
  type: log&lt;br /&gt;
  title: User:Aivaras&lt;br /&gt;
  user: Aivaras&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Log events:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
2026-07-04T10:35:06Z&lt;br /&gt;
  create: Marco&lt;br /&gt;
  user: Aivaras&lt;br /&gt;
  comment: Created blank page&lt;br /&gt;
&lt;br /&gt;
2026-07-03T22:35:07Z&lt;br /&gt;
  rights change for User:Aivaras&lt;br /&gt;
  user: Marco&lt;br /&gt;
  oldgroups: bureaucrat, sysop&lt;br /&gt;
  newgroups: bot, bureaucrat, interface-admin, suppress, sysop&lt;br /&gt;
&lt;br /&gt;
2026-07-03T22:34:31Z&lt;br /&gt;
  rights change for User:Aivaras&lt;br /&gt;
  user: Marco&lt;br /&gt;
  oldgroups: sysop&lt;br /&gt;
  newgroups: bureaucrat, sysop&lt;br /&gt;
&lt;br /&gt;
2026-07-03T22:34:11Z&lt;br /&gt;
  rights change for User:Aivaras&lt;br /&gt;
  user: Marco&lt;br /&gt;
  oldgroups: none&lt;br /&gt;
  newgroups: sysop&lt;br /&gt;
&lt;br /&gt;
2026-07-03T22:32:35Z&lt;br /&gt;
  new user: Aivaras&lt;br /&gt;
  created by: Aivaras&lt;br /&gt;
&lt;br /&gt;
2026-07-03T21:39:57Z&lt;br /&gt;
  create: Main Page&lt;br /&gt;
  user: MediaWiki default&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Anonymous CSRF token request:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
{&amp;quot;batchcomplete&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;query&amp;quot;:{&amp;quot;tokens&amp;quot;:{&amp;quot;csrftoken&amp;quot;:&amp;quot;+\\&amp;quot;}}}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* This is the normal anonymous no-permission token and does not indicate successful write capability.&lt;br /&gt;
* No write was attempted.&lt;br /&gt;
&lt;br /&gt;
== TLS Findings ==&lt;br /&gt;
&lt;br /&gt;
=== Certificates ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;430.ch&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
subject=CN=430.ch&lt;br /&gt;
issuer=C=AT, O=ZeroSSL GmbH, CN=ZeroSSL ECC DV SSL CA 2&lt;br /&gt;
notBefore=Jun 19 00:00:00 2026 GMT&lt;br /&gt;
notAfter=Sep 17 23:59:59 2026 GMT&lt;br /&gt;
SAN: DNS:430.ch&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
subject=CN=ov.430.ch&lt;br /&gt;
issuer=C=US, O=Let&#039;s Encrypt, CN=YE1&lt;br /&gt;
notBefore=Jul  3 20:43:41 2026 GMT&lt;br /&gt;
notAfter=Oct  1 20:43:40 2026 GMT&lt;br /&gt;
SAN: DNS:ov.430.ch&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;wiki.430.ch&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
subject=CN=wiki.430.ch&lt;br /&gt;
issuer=C=US, O=Let&#039;s Encrypt, CN=YE1&lt;br /&gt;
notBefore=Jul  3 14:41:56 2026 GMT&lt;br /&gt;
notAfter=Oct  1 14:41:55 2026 GMT&lt;br /&gt;
SAN: DNS:wiki.430.ch&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;staging.430.ch&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
subject=CN=staging.430.ch&lt;br /&gt;
issuer=C=US, O=Let&#039;s Encrypt, CN=YE2&lt;br /&gt;
notBefore=Jul  9 15:11:48 2026 GMT&lt;br /&gt;
notAfter=Oct  7 15:11:47 2026 GMT&lt;br /&gt;
SAN: DNS:staging.430.ch&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Protocols and Ciphers ===&lt;br /&gt;
&lt;br /&gt;
Nmap &amp;lt;code&amp;gt;ssl-enum-ciphers&amp;lt;/code&amp;gt; found TLS 1.2 and TLS 1.3 across &amp;lt;code&amp;gt;430.ch&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;wiki.430.ch&amp;lt;/code&amp;gt;, and &amp;lt;code&amp;gt;staging.430.ch&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
TLS 1.2 ciphers:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - A&lt;br /&gt;
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - A&lt;br /&gt;
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - A&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
TLS 1.3 ciphers:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
TLS_AKE_WITH_AES_128_GCM_SHA256 - A&lt;br /&gt;
TLS_AKE_WITH_AES_256_GCM_SHA384 - A&lt;br /&gt;
TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 - A&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Nmap reported:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
least strength: A&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Manual &amp;lt;code&amp;gt;openssl s_client&amp;lt;/code&amp;gt; checks verified successful TLS 1.2 and TLS 1.3 negotiation. TLS 1.0/1.1 forced checks did not negotiate TLS 1.0/1.1.&lt;br /&gt;
&lt;br /&gt;
=== HSTS ===&lt;br /&gt;
&lt;br /&gt;
Nmap &amp;lt;code&amp;gt;http-security-headers&amp;lt;/code&amp;gt; reported HSTS missing for:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;wiki.430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
* &amp;lt;code&amp;gt;staging.430.ch&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Strict_Transport_Security:&lt;br /&gt;
  HSTS not configured in HTTPS Server&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Recommendation:&lt;br /&gt;
&lt;br /&gt;
Add HSTS after confirming all subdomains intended to use HTTPS are ready:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Use &amp;lt;code&amp;gt;includeSubDomains&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;preload&amp;lt;/code&amp;gt; only if you are comfortable committing all subdomains to HTTPS.&lt;br /&gt;
&lt;br /&gt;
== Network Service Findings ==&lt;br /&gt;
&lt;br /&gt;
=== Full TCP Scan Summary ===&lt;br /&gt;
&lt;br /&gt;
IPv4 full TCP scan command:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
nmap -Pn -sS -T3 -p- --max-retries 2 83.228.241.21 83.228.241.25 -oN /root/recon-430ch/nmap-ipv4-full.txt&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
IPv6 full TCP scan command:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
nmap -Pn -6 -sT -T3 -p- --max-retries 2 2001:1600:18:102::167 2001:1600:18:102::26f -oN /root/recon-430ch/nmap-ipv6-full.txt&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;83.228.241.21&amp;lt;/code&amp;gt; / &amp;lt;code&amp;gt;2001:1600:18:102::167&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
22/tcp  open  ssh&lt;br /&gt;
80/tcp  open  http&lt;br /&gt;
443/tcp open  https&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
IPv4 notes:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Not shown: 65532 filtered tcp ports (no-response)&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
IPv6 notes:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Not shown: 65532 filtered tcp ports (no-response)&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;83.228.241.25&amp;lt;/code&amp;gt; / &amp;lt;code&amp;gt;2001:1600:18:102::26f&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
IPv4:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
22/tcp   open     ssh&lt;br /&gt;
80/tcp   open     http&lt;br /&gt;
443/tcp  open     https&lt;br /&gt;
5355/tcp open     llmnr&lt;br /&gt;
6567/tcp open     esp&lt;br /&gt;
8080/tcp filtered http-proxy&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
IPv6:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
22/tcp   open  ssh&lt;br /&gt;
80/tcp   open  http&lt;br /&gt;
443/tcp  open  https&lt;br /&gt;
5355/tcp open  llmnr&lt;br /&gt;
6567/tcp open  esp&lt;br /&gt;
8080/tcp open  http-proxy&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Nmap labels for &amp;lt;code&amp;gt;5355&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;6567&amp;lt;/code&amp;gt;, and &amp;lt;code&amp;gt;8080&amp;lt;/code&amp;gt; should be interpreted carefully:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;5355&amp;lt;/code&amp;gt; is conventionally LLMNR, but version probes did not complete with a more certain identification before being stopped.&lt;br /&gt;
* &amp;lt;code&amp;gt;6567&amp;lt;/code&amp;gt; was labeled &amp;lt;code&amp;gt;esp?&amp;lt;/code&amp;gt; by nmap because the response fingerprint was not recognized. The port number and behavior align with a likely game service, especially Mindustry.&lt;br /&gt;
* &amp;lt;code&amp;gt;8080&amp;lt;/code&amp;gt; on IPv6 was confirmed by service detection as Apache HTTPD &amp;lt;code&amp;gt;2.4.67 (Debian)&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
=== Top-Port Version Scan ===&lt;br /&gt;
&lt;br /&gt;
Top-port version scan found:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;430.ch&amp;lt;/code&amp;gt; host:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
22/tcp  open  ssh        OpenSSH 10.0p2 Debian 7+deb13u4 (protocol 2.0)&lt;br /&gt;
80/tcp  open  http       Caddy httpd&lt;br /&gt;
443/tcp open  ssl/https?&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; host:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
22/tcp   open     ssh        OpenSSH 10.0p2 Debian 7+deb13u4 (protocol 2.0)&lt;br /&gt;
80/tcp   open     http       Caddy httpd&lt;br /&gt;
443/tcp  open     ssl/https?&lt;br /&gt;
6567/tcp open     esp?&lt;br /&gt;
8080/tcp filtered http-proxy   (IPv4)&lt;br /&gt;
8080/tcp open     http         Apache httpd 2.4.67 ((Debian))   (IPv6)&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Port 8080 on &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; ===&lt;br /&gt;
&lt;br /&gt;
IPv6 direct request:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
curl -g -D - -o /dev/null &#039;http://[2001:1600:18:102::26f]:8080/&#039;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Result:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
HTTP/1.1 301 Moved Permanently&lt;br /&gt;
Server: Apache/2.4.67 (Debian)&lt;br /&gt;
X-Powered-By: PHP/8.3.32&lt;br /&gt;
X-Content-Type-Options: nosniff&lt;br /&gt;
Vary: Accept-Encoding,Cookie&lt;br /&gt;
Expires: Thu, 01 Jan 1970 00:00:00 GMT&lt;br /&gt;
Cache-Control: private, must-revalidate, max-age=0&lt;br /&gt;
Location: https://ov.430.ch/index.php/Main_Page&lt;br /&gt;
Content-Type: text/html; charset=UTF-8&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Same result with &amp;lt;code&amp;gt;Host: ov.430.ch&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* Apache/PHP/MediaWiki is directly reachable over IPv6 on port 8080.&lt;br /&gt;
* On IPv4, nmap saw &amp;lt;code&amp;gt;8080/tcp&amp;lt;/code&amp;gt; as &amp;lt;code&amp;gt;filtered&amp;lt;/code&amp;gt;.&lt;br /&gt;
* If Caddy is supposed to be the only public HTTP entry point, this is a firewall/bind-address mismatch.&lt;br /&gt;
&lt;br /&gt;
=== Port 6567 on &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; ===&lt;br /&gt;
&lt;br /&gt;
TCP version probes returned an unrecognized 8-byte binary response pattern on many payloads:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
\0\x06\xfe\x04...&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Nmap labeled it:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
6567/tcp open esp?&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Targeted UDP checks:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
6567/udp open|filtered esp&lt;br /&gt;
27015/udp closed        halflife       (on ov)&lt;br /&gt;
27016/udp closed        unknown        (on ov)&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On the main host, UDP checks for the small selected set were inconclusive:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
6567/udp  open|filtered&lt;br /&gt;
27015/udp open|filtered&lt;br /&gt;
27016/udp open|filtered&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;6567&amp;lt;/code&amp;gt; is the common/default Mindustry server port.&lt;br /&gt;
* Public Mindustry server docs say to allow port &amp;lt;code&amp;gt;6567&amp;lt;/code&amp;gt; TCP and UDP for server hosting.&lt;br /&gt;
* This does not prove Mindustry, but it is a strong hypothesis.&lt;br /&gt;
&lt;br /&gt;
Reference used:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;https://mindustrygame.github.io/wiki/servers/&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Port 5355 on &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; ===&lt;br /&gt;
&lt;br /&gt;
Full TCP scan found:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
5355/tcp open llmnr&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This appeared on both IPv4 and IPv6 for the &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; host.&lt;br /&gt;
&lt;br /&gt;
Targeted UDP checks returned:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
5355/udp open|filtered llmnr&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The version probes against TCP 5355 ran longer than useful and were stopped. No additional service fingerprint was collected.&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* Port 5355 is normally Link-Local Multicast Name Resolution (LLMNR).&lt;br /&gt;
* LLMNR is not normally useful on the public Internet.&lt;br /&gt;
* If this is truly LLMNR, it should not be exposed externally.&lt;br /&gt;
* If it is another custom service on port 5355, it should be documented and access-controlled.&lt;br /&gt;
&lt;br /&gt;
=== SSH ===&lt;br /&gt;
&lt;br /&gt;
Both hosts expose SSH:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
OpenSSH 10.0p2 Debian 7+deb13u4 (protocol 2.0)&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Recommendation:&lt;br /&gt;
&lt;br /&gt;
* Keep password authentication disabled if possible.&lt;br /&gt;
* Restrict SSH by source IP or VPN if feasible.&lt;br /&gt;
* Ensure root login is disabled.&lt;br /&gt;
* Monitor auth logs.&lt;br /&gt;
&lt;br /&gt;
No authentication attempts were made.&lt;br /&gt;
&lt;br /&gt;
== Shodan InternetDB ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;https://internetdb.shodan.io/83.228.241.21&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
{&lt;br /&gt;
  &amp;quot;cpes&amp;quot;: [&amp;quot;cpe:/a:golang:go&amp;quot;, &amp;quot;cpe:/a:caddyserver:caddy&amp;quot;],&lt;br /&gt;
  &amp;quot;hostnames&amp;quot;: [&amp;quot;ov-7fb696.infomaniak.ch&amp;quot;],&lt;br /&gt;
  &amp;quot;ip&amp;quot;: &amp;quot;83.228.241.21&amp;quot;,&lt;br /&gt;
  &amp;quot;ports&amp;quot;: [80, 443],&lt;br /&gt;
  &amp;quot;tags&amp;quot;: [],&lt;br /&gt;
  &amp;quot;vulns&amp;quot;: []&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;https://internetdb.shodan.io/83.228.241.25&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
{&lt;br /&gt;
  &amp;quot;cpes&amp;quot;: [&lt;br /&gt;
    &amp;quot;cpe:/o:canonical:ubuntu_linux&amp;quot;,&lt;br /&gt;
    &amp;quot;cpe:/a:golang:go&amp;quot;,&lt;br /&gt;
    &amp;quot;cpe:/a:caddyserver:caddy&amp;quot;,&lt;br /&gt;
    &amp;quot;cpe:/a:openbsd:openssh:9.6p1&amp;quot;&lt;br /&gt;
  ],&lt;br /&gt;
  &amp;quot;hostnames&amp;quot;: [&amp;quot;ov-9520b2.infomaniak.ch&amp;quot;],&lt;br /&gt;
  &amp;quot;ip&amp;quot;: &amp;quot;83.228.241.25&amp;quot;,&lt;br /&gt;
  &amp;quot;ports&amp;quot;: [22, 80, 443],&lt;br /&gt;
  &amp;quot;tags&amp;quot;: [],&lt;br /&gt;
  &amp;quot;vulns&amp;quot;: []&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Note:&lt;br /&gt;
&lt;br /&gt;
* Shodan InternetDB did not list the extra &amp;lt;code&amp;gt;5355&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;6567&amp;lt;/code&amp;gt;, or IPv6 &amp;lt;code&amp;gt;8080&amp;lt;/code&amp;gt; findings found by direct nmap scanning.&lt;br /&gt;
* InternetDB can be stale or incomplete.&lt;br /&gt;
&lt;br /&gt;
== Recursive Mirror ==&lt;br /&gt;
&lt;br /&gt;
Command used for the apex:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
wget -r -l inf -np -E -k -p --restrict-file-names=windows -D 430.ch --no-verbose --directory-prefix=/root/recon-430ch/wget https://430.ch/&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Result:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Downloaded: 19 files, 1.5M&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Mirrored files:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
/root/recon-430ch/wget/430.ch/contact-us/1.png&lt;br /&gt;
/root/recon-430ch/wget/430.ch/contact-us/index.html&lt;br /&gt;
/root/recon-430ch/wget/430.ch/index.html&lt;br /&gt;
/root/recon-430ch/wget/430.ch/m/1.webp&lt;br /&gt;
/root/recon-430ch/wget/430.ch/m/2.webp&lt;br /&gt;
/root/recon-430ch/wget/430.ch/m/3.webp&lt;br /&gt;
/root/recon-430ch/wget/430.ch/m/4.webp&lt;br /&gt;
/root/recon-430ch/wget/430.ch/m/5.webp&lt;br /&gt;
/root/recon-430ch/wget/430.ch/m/6.webp&lt;br /&gt;
/root/recon-430ch/wget/430.ch/m/index.html&lt;br /&gt;
/root/recon-430ch/wget/430.ch/m/index.html@sort=name&amp;amp;order=asc.html&lt;br /&gt;
/root/recon-430ch/wget/430.ch/m/index.html@sort=name&amp;amp;order=desc.html&lt;br /&gt;
/root/recon-430ch/wget/430.ch/m/index.html@sort=namedirfirst&amp;amp;order=asc.html&lt;br /&gt;
/root/recon-430ch/wget/430.ch/m/index.html@sort=namedirfirst&amp;amp;order=desc.html&lt;br /&gt;
/root/recon-430ch/wget/430.ch/m/index.html@sort=size&amp;amp;order=asc.html&lt;br /&gt;
/root/recon-430ch/wget/430.ch/m/index.html@sort=size&amp;amp;order=desc.html&lt;br /&gt;
/root/recon-430ch/wget/430.ch/m/index.html@sort=time&amp;amp;order=asc.html&lt;br /&gt;
/root/recon-430ch/wget/430.ch/m/index.html@sort=time&amp;amp;order=desc.html&lt;br /&gt;
/root/recon-430ch/wget/430.ch/robots.txt&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Explicit checks for paths seen in search results:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
https://430.ch/f/       -&amp;gt; 404&lt;br /&gt;
https://430.ch/yagpab/  -&amp;gt; 404&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The Google cache endpoint did not return usable cached copies of those paths during testing.&lt;br /&gt;
&lt;br /&gt;
== Image and File Metadata ==&lt;br /&gt;
&lt;br /&gt;
File type summary:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
1.webp: WebP, 3060x4080&lt;br /&gt;
2.webp: WebP, 1932x2576&lt;br /&gt;
3.webp: WebP, 1932x2576&lt;br /&gt;
4.webp: WebP, 3060x4080&lt;br /&gt;
5.webp: WebP, 3060x4080&lt;br /&gt;
6.webp: WebP, 4080x3060&lt;br /&gt;
contact-us/1.png: PNG, 1600x300&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
ExifTool findings:&lt;br /&gt;
&lt;br /&gt;
The six WebP files contained basic file/image structure only:&lt;br /&gt;
&lt;br /&gt;
* File type: WEBP&lt;br /&gt;
* Dimensions&lt;br /&gt;
* No EXIF camera metadata observed.&lt;br /&gt;
* No GPS metadata observed.&lt;br /&gt;
&lt;br /&gt;
The contact PNG retained metadata:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
FileType: PNG&lt;br /&gt;
ImageSize: 1600x300&lt;br /&gt;
Software: GIMP 2.10.36&lt;br /&gt;
HistorySoftwareAgent: Gimp 2.10 (Linux)&lt;br /&gt;
ModifyDate: 2026:05:09 13:07:27&lt;br /&gt;
MetadataDate: 2026:05:09T13:07:27+03:00&lt;br /&gt;
CreatorTool: GIMP 2.10&lt;br /&gt;
ProfileDescription: GIMP built-in sRGB&lt;br /&gt;
ProfileCopyright: Public Domain&lt;br /&gt;
Platform: Linux&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
No GPS metadata was observed in the contact PNG.&lt;br /&gt;
&lt;br /&gt;
SHA-256 hashes of mirrored image assets:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
fec1e3af9cc3ffd579f3f67d37933241f36bed186e4ac32efac7f1fdeae3dca8  /root/recon-430ch/wget/430.ch/m/1.webp&lt;br /&gt;
f86238f5266c54361c9ef9741b66153442d94b77e6f6550d567bba4e5b6d5668  /root/recon-430ch/wget/430.ch/m/2.webp&lt;br /&gt;
47f96eac0bb93acc04e4fb2303c64a61a3f1b15a9995b325ff7146a12333e67f  /root/recon-430ch/wget/430.ch/m/3.webp&lt;br /&gt;
369846fc54104174c392f27f80dfe08bd626a18cca5dbf31ef72cb24364389e5  /root/recon-430ch/wget/430.ch/m/4.webp&lt;br /&gt;
084b3cb17df8c773e2317668715d14f3211f4fca24ba292f026194c8a01d6a12  /root/recon-430ch/wget/430.ch/m/5.webp&lt;br /&gt;
e140aadd64a2e73707536524356d44691aaf6a0713de0f22a1c91543e25e947e  /root/recon-430ch/wget/430.ch/m/6.webp&lt;br /&gt;
93d431b374d4882a569931def5ba5937aedc1686f49f281253ad9297eb8f209d  /root/recon-430ch/wget/430.ch/contact-us/1.png&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Web Archive and Public Indexing ==&lt;br /&gt;
&lt;br /&gt;
Wayback CDX lookup:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
https://web.archive.org/cdx?url=430.ch/*&amp;amp;output=json&amp;amp;fl=timestamp,original,statuscode,mimetype,digest&amp;amp;collapse=urlkey&amp;amp;filter=statuscode:200&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Returned historical entries including:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
20191223004332  http://430.ch/                                      200 text/html&lt;br /&gt;
20160729094455  http://430.ch/robots.txt                            200 text/plain&lt;br /&gt;
20231028224700  https://430.ch/.well-known/ai-plugin.json           200 text/html&lt;br /&gt;
20231028195934  https://430.ch/.well-known/dnt-policy.txt           200 text/html&lt;br /&gt;
20231028201009  https://430.ch/.well-known/gpc.json                 200 text/html&lt;br /&gt;
20231029001948  https://430.ch/.well-known/nodeinfo                 200 text/html&lt;br /&gt;
20231028193612  https://430.ch/.well-known/openid-configuration     200 text/html&lt;br /&gt;
20231028203348  https://430.ch/.well-known/security.txt             200 text/html&lt;br /&gt;
20231028223110  https://430.ch/.well-known/trust.txt                200 text/html&lt;br /&gt;
20231028194249  https://430.ch/ads.txt                              200 text/html&lt;br /&gt;
20231028205649  https://430.ch/app-ads.txt                          200 text/html&lt;br /&gt;
20231029024555  https://430.ch/info/                                200 text/html&lt;br /&gt;
20231028200842  https://430.ch/parking.php4                         200 text/html&lt;br /&gt;
20231028231335  https://430.ch/search/                              200 text/html&lt;br /&gt;
20231028204408  https://430.ch/sitemap.xml                          200 text/html&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Interpretation:&lt;br /&gt;
&lt;br /&gt;
* Many 2023 entries look like parked/placeholder behavior rather than current content.&lt;br /&gt;
* Current live checks for those paths returned &amp;lt;code&amp;gt;404&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
URLScan:&lt;br /&gt;
&lt;br /&gt;
* Querying &amp;lt;code&amp;gt;domain:430.ch&amp;lt;/code&amp;gt; returned results for &amp;lt;code&amp;gt;noctron.ch&amp;lt;/code&amp;gt;, not direct &amp;lt;code&amp;gt;430.ch&amp;lt;/code&amp;gt; scans.&lt;br /&gt;
* Querying &amp;lt;code&amp;gt;page.domain:&amp;amp;quot;430.ch&amp;amp;quot;&amp;lt;/code&amp;gt; returned no results.&lt;br /&gt;
&lt;br /&gt;
== Security Observations and Recommendations ==&lt;br /&gt;
&lt;br /&gt;
=== High Priority ===&lt;br /&gt;
&lt;br /&gt;
==== Close or restrict &amp;lt;code&amp;gt;5355/tcp&amp;lt;/code&amp;gt; on &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;5355/tcp&amp;lt;/code&amp;gt; is open on &amp;lt;code&amp;gt;83.228.241.25&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;2001:1600:18:102::26f&amp;lt;/code&amp;gt;.&lt;br /&gt;
* Nmap labels it &amp;lt;code&amp;gt;llmnr&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
Why it matters:&lt;br /&gt;
&lt;br /&gt;
* LLMNR is generally local-network-only functionality and should not be Internet-facing.&lt;br /&gt;
* If this is not LLMNR, an undocumented public service is still exposed.&lt;br /&gt;
&lt;br /&gt;
Recommended action:&lt;br /&gt;
&lt;br /&gt;
* Identify the listening process.&lt;br /&gt;
* If unintended, stop it and firewall &amp;lt;code&amp;gt;5355/tcp&amp;lt;/code&amp;gt; and likely &amp;lt;code&amp;gt;5355/udp&amp;lt;/code&amp;gt;.&lt;br /&gt;
* If intended, restrict source IPs and document it.&lt;br /&gt;
&lt;br /&gt;
Example local triage commands on the server:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
ss -ltnup | grep &#039;:5355&#039;&lt;br /&gt;
systemctl status systemd-resolved&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== Restrict IPv6 &amp;lt;code&amp;gt;8080/tcp&amp;lt;/code&amp;gt; on &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;8080/tcp&amp;lt;/code&amp;gt; is open on IPv6 but filtered on IPv4.&lt;br /&gt;
* It exposes Apache/PHP/MediaWiki directly.&lt;br /&gt;
&lt;br /&gt;
Why it matters:&lt;br /&gt;
&lt;br /&gt;
* If Caddy is intended as the public reverse proxy, direct backend access can bypass proxy-layer controls, logging assumptions, rate limits, or header normalization.&lt;br /&gt;
* IPv6 firewall parity often gets missed.&lt;br /&gt;
&lt;br /&gt;
Recommended action:&lt;br /&gt;
&lt;br /&gt;
* Bind Apache backend only to loopback if it is only used by Caddy.&lt;br /&gt;
* Otherwise firewall &amp;lt;code&amp;gt;8080/tcp&amp;lt;/code&amp;gt; consistently on IPv4 and IPv6.&lt;br /&gt;
&lt;br /&gt;
Example local triage:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
ss -ltnp | grep &#039;:8080&#039;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== Confirm &amp;lt;code&amp;gt;6567/tcp&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;6567/udp&amp;lt;/code&amp;gt; ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;6567/tcp&amp;lt;/code&amp;gt; is open on &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt;.&lt;br /&gt;
* &amp;lt;code&amp;gt;6567/udp&amp;lt;/code&amp;gt; is &amp;lt;code&amp;gt;open|filtered&amp;lt;/code&amp;gt;.&lt;br /&gt;
* Port 6567 is commonly used by Mindustry.&lt;br /&gt;
&lt;br /&gt;
Recommended action:&lt;br /&gt;
&lt;br /&gt;
* Confirm whether this is intentional.&lt;br /&gt;
* If it is a game server, consider whether it should be public and whether it needs rate limits or firewall restrictions.&lt;br /&gt;
* If unused, close it.&lt;br /&gt;
&lt;br /&gt;
=== Medium Priority ===&lt;br /&gt;
&lt;br /&gt;
==== Add HSTS ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* HTTPS works well, but HSTS is not configured.&lt;br /&gt;
&lt;br /&gt;
Recommended Caddy-style header:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Strict-Transport-Security &amp;quot;max-age=31536000; includeSubDomains; preload&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Use a shorter &amp;lt;code&amp;gt;max-age&amp;lt;/code&amp;gt; first if you want a low-risk rollout:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Strict-Transport-Security &amp;quot;max-age=86400&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== Tighten apex CORS ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;430.ch&amp;lt;/code&amp;gt; reflects arbitrary origins and allows credentials.&lt;br /&gt;
&lt;br /&gt;
Recommended action:&lt;br /&gt;
&lt;br /&gt;
* If static files do not need credentialed cross-origin access, remove credentialed CORS headers.&lt;br /&gt;
* If cross-origin reads are required, allowlist specific origins and avoid &amp;lt;code&amp;gt;Access-Control-Allow-Credentials: true&amp;lt;/code&amp;gt; unless needed.&lt;br /&gt;
&lt;br /&gt;
==== Review MediaWiki public exposure on &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* Public API exposes version, PHP version, DB version, extension version, skins, users, groups, rights changes, and logs.&lt;br /&gt;
* UI appears to advertise account creation and probable editability.&lt;br /&gt;
&lt;br /&gt;
Recommended action:&lt;br /&gt;
&lt;br /&gt;
* Decide whether &amp;lt;code&amp;gt;ov.430.ch&amp;lt;/code&amp;gt; is intentionally public.&lt;br /&gt;
* If public, keep MediaWiki and extensions patched.&lt;br /&gt;
* If private, restrict anonymous read, API, account creation, and editing.&lt;br /&gt;
* Consider hiding detailed version headers where practical, recognizing that version hiding is defense-in-depth and not a substitute for patching.&lt;br /&gt;
&lt;br /&gt;
Potential MediaWiki settings to review:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
$wgGroupPermissions[&#039;*&#039;][&#039;read&#039;]&lt;br /&gt;
$wgGroupPermissions[&#039;*&#039;][&#039;edit&#039;]&lt;br /&gt;
$wgGroupPermissions[&#039;*&#039;][&#039;createaccount&#039;]&lt;br /&gt;
$wgGroupPermissions[&#039;*&#039;][&#039;writeapi&#039;]&lt;br /&gt;
$wgShowExceptionDetails&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== Add CAA records ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* No apex CAA record observed.&lt;br /&gt;
&lt;br /&gt;
Recommended action:&lt;br /&gt;
&lt;br /&gt;
If only Let&#039;s Encrypt and ZeroSSL should issue:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
430.ch. CAA 0 issue &amp;quot;letsencrypt.org&amp;quot;&lt;br /&gt;
430.ch. CAA 0 issue &amp;quot;sectigo.com&amp;quot;&lt;br /&gt;
430.ch. CAA 0 issuewild &amp;quot;;&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Tune this based on actual CA usage. ZeroSSL chains to Sectigo in the observed certificate.&lt;br /&gt;
&lt;br /&gt;
==== Add MTA-STS and TLS-RPT ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* No MTA-STS or TLS-RPT records observed.&lt;br /&gt;
&lt;br /&gt;
Recommended action:&lt;br /&gt;
&lt;br /&gt;
Publish:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
_mta-sts.430.ch TXT &amp;quot;v=STSv1; id=YYYYMMDD01&amp;quot;&lt;br /&gt;
_smtp._tls.430.ch TXT &amp;quot;v=TLSRPTv1; rua=mailto:tlsrpt@430.ch&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Serve an HTTPS policy at:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
https://mta-sts.430.ch/.well-known/mta-sts.txt&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Example policy:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
version: STSv1&lt;br /&gt;
mode: testing&lt;br /&gt;
mx: aspmx1.migadu.com&lt;br /&gt;
mx: aspmx2.migadu.com&lt;br /&gt;
max_age: 86400&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Move from &amp;lt;code&amp;gt;testing&amp;lt;/code&amp;gt; to &amp;lt;code&amp;gt;enforce&amp;lt;/code&amp;gt; after confirming reports are clean.&lt;br /&gt;
&lt;br /&gt;
=== Low Priority / Hygiene ===&lt;br /&gt;
&lt;br /&gt;
==== Fix missing &amp;lt;code&amp;gt;style.css&amp;lt;/code&amp;gt; ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* Several pages reference &amp;lt;code&amp;gt;https://430.ch/style.css&amp;lt;/code&amp;gt;, but it returns &amp;lt;code&amp;gt;404&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
Recommended action:&lt;br /&gt;
&lt;br /&gt;
* Add the stylesheet or remove the references.&lt;br /&gt;
&lt;br /&gt;
==== Add &amp;lt;code&amp;gt;security.txt&amp;lt;/code&amp;gt; ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;/.well-known/security.txt&amp;lt;/code&amp;gt; returns &amp;lt;code&amp;gt;404&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
Recommended action:&lt;br /&gt;
&lt;br /&gt;
Add a minimal file if you want a clear channel for reports:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Contact: mailto:meighl@430.ch&lt;br /&gt;
Preferred-Languages: en&lt;br /&gt;
Canonical: https://430.ch/.well-known/security.txt&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== Consider whether &amp;lt;code&amp;gt;/m/&amp;lt;/code&amp;gt; should be a directory listing ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;/m/&amp;lt;/code&amp;gt; exposes a Caddy directory listing.&lt;br /&gt;
&lt;br /&gt;
Recommended action:&lt;br /&gt;
&lt;br /&gt;
* If intentional, no change needed.&lt;br /&gt;
* If not, disable browse/listing and link only specific images.&lt;br /&gt;
&lt;br /&gt;
==== Remove unnecessary metadata from contact PNG ====&lt;br /&gt;
&lt;br /&gt;
Finding:&lt;br /&gt;
&lt;br /&gt;
* Contact PNG retains GIMP/XMP metadata.&lt;br /&gt;
&lt;br /&gt;
Risk:&lt;br /&gt;
&lt;br /&gt;
* Low. No GPS or sensitive camera metadata was found.&lt;br /&gt;
&lt;br /&gt;
Recommended action:&lt;br /&gt;
&lt;br /&gt;
* Strip metadata from public images as a standard publishing step.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
exiftool -all= image.png&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Artifact Inventory ==&lt;br /&gt;
&lt;br /&gt;
Top-level files in &amp;lt;code&amp;gt;/root/recon-430ch&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
nmap-http-scripts.txt        3378 bytes&lt;br /&gt;
nmap-ipv4-full.txt           796 bytes&lt;br /&gt;
nmap-ipv4-top.txt            1653 bytes&lt;br /&gt;
nmap-ipv6-full.txt           774 bytes&lt;br /&gt;
nmap-ipv6-top.txt            1670 bytes&lt;br /&gt;
nmap-ov-5355-ipv6.txt        0 bytes&lt;br /&gt;
nmap-ov-5355.txt             0 bytes&lt;br /&gt;
nmap-ov-ipv6-specific.txt    1040 bytes&lt;br /&gt;
nmap-ov-specific.txt         2900 bytes&lt;br /&gt;
nmap-ssl-enum.txt            3547 bytes&lt;br /&gt;
nmap-udp-5355-ipv6.txt       709 bytes&lt;br /&gt;
nmap-udp-5355.txt            669 bytes&lt;br /&gt;
nmap-udp-game-ipv6.txt       873 bytes&lt;br /&gt;
nmap-udp-game.txt            833 bytes&lt;br /&gt;
robots.txt                   23 bytes&lt;br /&gt;
root-http.html               0 bytes&lt;br /&gt;
root-https.html              1201 bytes&lt;br /&gt;
security.txt                 0 bytes&lt;br /&gt;
sitemap.xml                  0 bytes&lt;br /&gt;
wget/                        mirrored site&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Directory size:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
/root/recon-430ch: 1.6M&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Commands Used ==&lt;br /&gt;
&lt;br /&gt;
Representative command list:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
apt-get update&lt;br /&gt;
apt-get install -y dnsutils whois nmap traceroute jq netcat-openbsd ca-certificates&lt;br /&gt;
apt-get install -y libimage-exiftool-perl&lt;br /&gt;
&lt;br /&gt;
dig 430.ch ANY&lt;br /&gt;
dig 430.ch A 430.ch AAAA 430.ch NS 430.ch SOA 430.ch MX 430.ch TXT 430.ch CAA +noall +answer&lt;br /&gt;
dig +short -x 83.228.241.21&lt;br /&gt;
whois 430.ch&lt;br /&gt;
whois 83.228.241.21&lt;br /&gt;
dig AXFR 430.ch @ns11.infomaniak.ch&lt;br /&gt;
dig AXFR 430.ch @ns12.infomaniak.ch&lt;br /&gt;
dig 430.ch DNSKEY 430.ch DS +noall +answer&lt;br /&gt;
&lt;br /&gt;
curl -sS -D - -o /root/recon-430ch/root-http.html http://430.ch/&lt;br /&gt;
curl -sS -D - -o /root/recon-430ch/root-https.html https://430.ch/&lt;br /&gt;
curl -sS -D - -o /root/recon-430ch/robots.txt https://430.ch/robots.txt&lt;br /&gt;
curl -sS -D - -o /root/recon-430ch/sitemap.xml https://430.ch/sitemap.xml&lt;br /&gt;
curl -sS -D - -o /root/recon-430ch/security.txt https://430.ch/.well-known/security.txt&lt;br /&gt;
openssl s_client -connect 430.ch:443 -servername 430.ch -showcerts &amp;lt;/dev/null&lt;br /&gt;
&lt;br /&gt;
wget -r -l inf -np -E -k -p --restrict-file-names=windows -D 430.ch --no-verbose --directory-prefix=/root/recon-430ch/wget https://430.ch/&lt;br /&gt;
wget -r -l inf -np -E -k -p --restrict-file-names=windows -D 430.ch --no-verbose --directory-prefix=/root/recon-430ch/wget https://430.ch/f/&lt;br /&gt;
wget -r -l inf -np -E -k -p --restrict-file-names=windows -D 430.ch --no-verbose --directory-prefix=/root/recon-430ch/wget https://430.ch/yagpab/&lt;br /&gt;
&lt;br /&gt;
curl -sS &#039;https://crt.sh/?q=%25.430.ch&amp;amp;output=json&#039;&lt;br /&gt;
curl -sS &#039;https://rdap.nic.ch/domain/430.ch&#039;&lt;br /&gt;
curl -sS &#039;https://urlscan.io/api/v1/search/?q=domain:430.ch&#039;&lt;br /&gt;
curl -sS -L &#039;https://web.archive.org/cdx?url=430.ch/*&amp;amp;output=json&amp;amp;fl=timestamp,original,statuscode,mimetype,digest&amp;amp;collapse=urlkey&amp;amp;filter=statuscode:200&#039;&lt;br /&gt;
&lt;br /&gt;
nmap -Pn -sS -sV --version-light -T3 --top-ports 1000 83.228.241.21 83.228.241.25 -oN /root/recon-430ch/nmap-ipv4-top.txt&lt;br /&gt;
nmap -Pn -6 -sT -sV --version-light -T3 --top-ports 1000 2001:1600:18:102::167 2001:1600:18:102::26f -oN /root/recon-430ch/nmap-ipv6-top.txt&lt;br /&gt;
nmap -Pn -sS -T3 -p- --max-retries 2 83.228.241.21 83.228.241.25 -oN /root/recon-430ch/nmap-ipv4-full.txt&lt;br /&gt;
nmap -Pn -6 -sT -T3 -p- --max-retries 2 2001:1600:18:102::167 2001:1600:18:102::26f -oN /root/recon-430ch/nmap-ipv6-full.txt&lt;br /&gt;
nmap -Pn -p443 --script ssl-enum-ciphers 430.ch ov.430.ch wiki.430.ch staging.430.ch -oN /root/recon-430ch/nmap-ssl-enum.txt&lt;br /&gt;
nmap -Pn -p80,443 --script http-title,http-server-header,http-security-headers 430.ch ov.430.ch wiki.430.ch staging.430.ch -oN /root/recon-430ch/nmap-http-scripts.txt&lt;br /&gt;
nmap -Pn -sU -sV --version-light -p6567,27015,27016 83.228.241.25 83.228.241.21 -oN /root/recon-430ch/nmap-udp-game.txt&lt;br /&gt;
nmap -Pn -6 -sU -sV --version-light -p6567,27015,27016 2001:1600:18:102::26f 2001:1600:18:102::167 -oN /root/recon-430ch/nmap-udp-game-ipv6.txt&lt;br /&gt;
nmap -Pn -sU -sV --version-light -p5355 83.228.241.25 83.228.241.21 -oN /root/recon-430ch/nmap-udp-5355.txt&lt;br /&gt;
nmap -Pn -6 -sU -sV --version-light -p5355 2001:1600:18:102::26f 2001:1600:18:102::167 -oN /root/recon-430ch/nmap-udp-5355-ipv6.txt&lt;br /&gt;
&lt;br /&gt;
curl -sS &#039;https://ov.430.ch/api.php?action=query&amp;amp;meta=siteinfo&amp;amp;siprop=general%7Cnamespaces%7Cstatistics%7Cextensions%7Cskins&amp;amp;format=json&#039;&lt;br /&gt;
curl -sS &#039;https://ov.430.ch/api.php?action=query&amp;amp;list=allusers&amp;amp;auprop=groups%7Ceditcount%7Cregistration&amp;amp;format=json&#039;&lt;br /&gt;
curl -sS &#039;https://ov.430.ch/api.php?action=query&amp;amp;list=recentchanges&amp;amp;rcprop=title%7Cids%7Ctimestamp%7Cuser%7Ccomment%7Cflags&amp;amp;rclimit=20&amp;amp;format=json&#039;&lt;br /&gt;
curl -sS &#039;https://ov.430.ch/api.php?action=query&amp;amp;list=logevents&amp;amp;leprop=title%7Ctimestamp%7Cuser%7Ccomment%7Ctype%7Cdetails&amp;amp;lelimit=20&amp;amp;format=json&#039;&lt;br /&gt;
curl -sS &#039;https://wiki.430.ch/api.php?action=query&amp;amp;meta=siteinfo&amp;amp;siprop=general%7Cnamespaces%7Cstatistics%7Cextensions%7Cskins&amp;amp;format=json&#039;&lt;br /&gt;
&lt;br /&gt;
exiftool -a -G1 -s /root/recon-430ch/wget/430.ch/m/*.webp /root/recon-430ch/wget/430.ch/contact-us/1.png&lt;br /&gt;
sha256sum /root/recon-430ch/wget/430.ch/m/*.webp /root/recon-430ch/wget/430.ch/contact-us/1.png&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Appendix: Raw Nmap Full TCP Output ==&lt;br /&gt;
&lt;br /&gt;
=== IPv4 ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
# Nmap 7.95 scan initiated Thu Jul  9 17:42:08 2026 as: nmap -Pn -sS -T3 -p- --max-retries 2 -oN /root/recon-430ch/nmap-ipv4-full.txt 83.228.241.21 83.228.241.25&lt;br /&gt;
Nmap scan report for 430.ch (83.228.241.21)&lt;br /&gt;
Host is up (0.064s latency).&lt;br /&gt;
Not shown: 65532 filtered tcp ports (no-response)&lt;br /&gt;
PORT    STATE SERVICE&lt;br /&gt;
22/tcp  open  ssh&lt;br /&gt;
80/tcp  open  http&lt;br /&gt;
443/tcp open  https&lt;br /&gt;
MAC Address: FA:16:3E:46:4B:58 (Unknown)&lt;br /&gt;
&lt;br /&gt;
Nmap scan report for ov.430.ch (83.228.241.25)&lt;br /&gt;
Host is up (0.0000090s latency).&lt;br /&gt;
Not shown: 65529 closed tcp ports (reset)&lt;br /&gt;
PORT     STATE    SERVICE&lt;br /&gt;
22/tcp   open     ssh&lt;br /&gt;
80/tcp   open     http&lt;br /&gt;
443/tcp  open     https&lt;br /&gt;
5355/tcp open     llmnr&lt;br /&gt;
6567/tcp open     esp&lt;br /&gt;
8080/tcp filtered http-proxy&lt;br /&gt;
&lt;br /&gt;
# Nmap done at Thu Jul  9 17:49:20 2026 -- 2 IP addresses (2 hosts up) scanned in 431.22 seconds&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== IPv6 ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
# Nmap 7.95 scan initiated Thu Jul  9 17:42:08 2026 as: nmap -Pn -6 -sT -T3 -p- --max-retries 2 -oN /root/recon-430ch/nmap-ipv6-full.txt 2001:1600:18:102::167 2001:1600:18:102::26f&lt;br /&gt;
Nmap scan report for 430.ch (2001:1600:18:102::167)&lt;br /&gt;
Host is up (0.019s latency).&lt;br /&gt;
Not shown: 65532 filtered tcp ports (no-response)&lt;br /&gt;
PORT    STATE SERVICE&lt;br /&gt;
22/tcp  open  ssh&lt;br /&gt;
80/tcp  open  http&lt;br /&gt;
443/tcp open  https&lt;br /&gt;
&lt;br /&gt;
Nmap scan report for ov.430.ch (2001:1600:18:102::26f)&lt;br /&gt;
Host is up (0.00014s latency).&lt;br /&gt;
Not shown: 65529 closed tcp ports (conn-refused)&lt;br /&gt;
PORT     STATE SERVICE&lt;br /&gt;
22/tcp   open  ssh&lt;br /&gt;
80/tcp   open  http&lt;br /&gt;
443/tcp  open  https&lt;br /&gt;
5355/tcp open  llmnr&lt;br /&gt;
6567/tcp open  esp&lt;br /&gt;
8080/tcp open  http-proxy&lt;br /&gt;
&lt;br /&gt;
# Nmap done at Thu Jul  9 17:49:57 2026 -- 2 IP addresses (2 hosts up) scanned in 468.20 seconds&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;/div&gt;</summary>
		<author><name>Codex</name></author>
	</entry>
</feed>