430.ch Reconnaissance Report

From Marcopedia
Jump to navigation Jump to search


430.ch Reconnaissance Report

[edit]

Report date: 2026-07-09 UTC

Target: 430.ch

Requester: site owner

Operator: Codex in /root

Primary artifact directory: /root/recon-430ch

Scope and Approach

[edit]

This was a non-intrusive public reconnaissance pass. The work intentionally stayed within:

  • DNS, WHOIS, RDAP, certificate transparency, and public web/archive lookups.
  • Normal HTTP(S) requests to publicly reachable pages.
  • A same-domain recursive wget mirror of linked and explicitly known public paths.
  • Nmap service discovery and full TCP port scans against resolved target hosts.
  • Local metadata inspection of files downloaded from the public site.

This did not include:

  • Authentication attempts.
  • Password guessing.
  • Exploit scripts or vulnerability exploitation.
  • Web fuzzing, directory brute force, or high-rate scanning.
  • Attempts to bypass MediaWiki access controls.
  • Writes to the site or MediaWiki API.

Tools installed for the recon:

  • dnsutils
  • whois
  • nmap
  • traceroute
  • jq
  • netcat-openbsd
  • libimage-exiftool-perl

Tools already present and used:

  • curl
  • wget
  • openssl
  • host
  • python3

Executive Summary

[edit]

430.ch is hosted on Infomaniak infrastructure and uses Infomaniak for registrar/DNS. The apex site is a small Caddy-served static site with a public image directory under /m/ and a public contact page. Mail is delegated to Migadu.

The currently live externally visible surface consists of:

  • Apex/static host: 430.ch, staging.430.ch, and wiki.430.ch on 83.228.241.21 / 2001:1600:18:102::167.
  • Separate ov.430.ch host on 83.228.241.25 / 2001:1600:18:102::26f.
  • HTTPS on all live hostnames, backed by Caddy.
  • ov.430.ch and wiki.430.ch are MediaWiki installations behind Caddy and Apache.
  • SSH exposed on both discovered hosts.
  • ov.430.ch exposes additional ports: 5355/tcp, 6567/tcp, and 8080/tcp on IPv6.

Most notable owner-action items:

  1. 5355/tcp is open on ov.430.ch. This is unusual on the public Internet because port 5355 is normally associated with LLMNR. Close or restrict it unless there is a deliberate use.
  2. 8080/tcp is open on IPv6 for ov.430.ch and exposes Apache/MediaWiki directly. It is filtered on IPv4. If this is meant to be only a backend listener behind Caddy, bind it to loopback or firewall it on IPv6.
  3. 6567/tcp is open on ov.430.ch, and 6567/udp is open|filtered. This matches the common Mindustry game-server port. Confirm whether it is intentional.
  4. HSTS is not configured on the HTTPS services.
  5. The apex CORS policy is broad: it reflects arbitrary Origin and sets Access-Control-Allow-Credentials: true. The current root site is static, so impact is limited, but the policy is unnecessarily permissive if not intentional.
  6. Mail DNS is mostly reasonable but could be improved with CAA, MTA-STS, and TLS-RPT.
  7. ov.430.ch exposes public MediaWiki site information, users, rights changes, versions, and extension metadata. That may be acceptable for a public wiki, but it is worth reviewing.

Public Registration and Hosting

[edit]

Domain

[edit]

WHOIS/RDAP showed:

  • Domain: 430.ch
  • Registrar: Infomaniak Network SA
  • Registrar address in RDAP/WHOIS: Rue Eugene-Marziano 25, CH-1227 Les Acacias, Switzerland
  • First registration date: 2006-08-23
  • Status: active
  • DNSSEC: enabled / delegated signed
  • Nameservers:
    • ns11.infomaniak.ch / 93.88.255.151
    • ns12.infomaniak.ch / 93.88.255.152

RDAP source used:

IP Allocation

[edit]

WHOIS for 83.228.241.21 showed:

  • Range: 83.228.240.0 - 83.228.247.255
  • Netname: INFOMANIAK-CLOUD
  • Country: CH
  • Organization role: Infomaniak Network SA
  • Abuse contact: abuse@infomaniak.ch
  • Route: 83.228.241.0/24
  • Origin AS: AS29222

RIPEstat aligned the queried IPv4 to:

  • Announced prefix: 83.228.192.0/18
  • ASN: AS29222
  • Holder: Infomaniak-AS Infomaniak Network SA

RIPEstat source used:

Reverse DNS:

  • 83.228.241.21 -> 430.ch.
  • Nmap/Shodan InternetDB additionally associated:
    • 83.228.241.21 with ov-7fb696.infomaniak.ch
    • 83.228.241.25 with ov-9520b2.infomaniak.ch

DNS Findings

[edit]

Apex DNS

[edit]

Observed DNS records:

430.ch. A     83.228.241.21
430.ch. AAAA  2001:1600:18:102::167

430.ch. NS    ns11.infomaniak.ch.
430.ch. NS    ns12.infomaniak.ch.

430.ch. SOA   ns11.infomaniak.ch. hostmaster.infomaniak.ch. 2026070901 10800 3600 605800 3600

430.ch. MX 10 aspmx1.migadu.com.
430.ch. MX 20 aspmx2.migadu.com.

430.ch. TXT "v=spf1 include:spf.migadu.com -all"
430.ch. TXT "hosted-email-verify=rr8nx23r"

DNSSEC material observed:

430.ch. DNSKEY 257 3 13 jEm3bqIc72OUI4WxLeIbjruJjSEsc7+1+owlZ7nNA0TQQXM48U6QmFEC d5NBgwCpbw4CD/NO0Eb8CHYwjULKVg==
430.ch. DNSKEY 256 3 13 ytZkmQTTXPEwaXQAsxneIoPYayM4WAdxJ6rR2N411+PptsaPPyDSYSCw WzLI1lYAXdrPWBQ9yjgiBsskkPbBOQ==
430.ch. DS     7440 13 2 5A7F7CC05DE155C279B8F23093633694415BAABACA92F4B93D7C514C DB9F10B4
[edit]

Observed:

_dmarc.430.ch TXT "v=DMARC1; p=quarantine;"
autoconfig.430.ch CNAME autoconfig.migadu.com.
autoconfig.migadu.com A    141.94.97.141
autoconfig.migadu.com AAAA 2001:41d0:403:488d::

Not found:

  • _mta-sts.430.ch TXT
  • _smtp._tls.430.ch TXT
  • mta-sts.430.ch
  • mail.430.ch
  • smtp.430.ch
  • imap.430.ch
  • autodiscover.430.ch
  • CAA at the apex

Interpretation:

  • SPF is strict because of -all.
  • DMARC is present but not at the strictest enforcement level (quarantine, not reject).
  • MTA-STS and TLS-RPT are not configured.
  • No CAA means any publicly trusted CA can issue for the domain, subject to normal CA validation.

Zone Transfer

[edit]

AXFR was attempted against both authoritative nameservers:

dig AXFR 430.ch @ns11.infomaniak.ch
dig AXFR 430.ch @ns12.infomaniak.ch

Result:

Transfer failed.

This is the desired behavior.

Certificate Transparency and Subdomains

[edit]

Certificate transparency lookup through crt.sh exposed these names:

Current or recent:

  • 430.ch
  • staging.430.ch
  • ov.430.ch
  • wiki.430.ch

Historical or not currently resolving during testing:

  • www.430.ch
  • csgo.430.ch
  • 2ca.430.ch
  • Historical wildcard certificate entries for *.430.ch

Observed CT entries of interest:

staging.430.ch
  Issuer: Let's Encrypt YE2
  not_before: 2026-07-09T15:11:48
  not_after:  2026-10-07T15:11:47

ov.430.ch
  Issuer: Let's Encrypt YE1
  not_before: 2026-07-03T20:43:41
  not_after:  2026-10-01T20:43:40

wiki.430.ch
  Issuer: Let's Encrypt YE1
  not_before: 2026-07-03T14:41:56
  not_after:  2026-10-01T14:41:55

430.ch
  Issuer: ZeroSSL ECC DV SSL CA 2
  not_before: 2026-06-19T00:00:00
  not_after:  2026-09-17T23:59:59

Current DNS resolution during testing:

430.ch
  A:    83.228.241.21
  AAAA: 2001:1600:18:102::167

staging.430.ch
  CNAME-style answer via 430.ch
  A:    83.228.241.21
  AAAA: 2001:1600:18:102::167

wiki.430.ch
  CNAME-style answer via 430.ch
  A:    83.228.241.21
  AAAA: 2001:1600:18:102::167

ov.430.ch
  A:    83.228.241.25
  AAAA: 2001:1600:18:102::26f

www.430.ch
  No resolution during testing

csgo.430.ch
  No resolution during testing

2ca.430.ch
  No resolution during testing

Source used:

HTTP and HTTPS Findings

[edit]

Apex HTTP

[edit]

http://430.ch/:

HTTP/1.1 308 Permanent Redirect
Location: https://430.ch/
Server: Caddy
Content-Length: 0

Apex HTTPS

[edit]

https://430.ch/:

HTTP/2 200
accept-ranges: bytes
access-control-allow-credentials: true
access-control-allow-origin:
access-control-expose-headers: *
alt-svc: h3=":443"; ma=2592000
content-type: text/html; charset=utf-8
etag: "thv7n5xd"
last-modified: Wed, 08 Jul 2026 16:40:17 GMT
server: Caddy
vary: Origin
content-length: 1201

With an explicit origin header:

curl -H 'Origin: https://example.com' https://430.ch/

access-control-allow-credentials: true
access-control-allow-origin: https://example.com
access-control-expose-headers: *
vary: Origin

Interpretation:

  • The server reflects arbitrary origins and allows credentials.
  • Current content is static, so the practical risk is limited today.
  • This is still broader than necessary unless cross-origin credentialed reads are deliberately needed.

Root Page Content

[edit]

The root HTML:

  • Has title 430.ch.
  • Uses inline CSS.
  • Displays an image with id bopis.
  • The image source is selected by JavaScript from /m/1.webp through /m/6.webp.
  • Changes the image every 10 seconds.
  • Links:

Relevant source excerpt:

<a href="/m/"> <img id="bopis"> </a>

<p>
    <s>©</s> 430.ch | <a href="/contact-us/">Contact Us</a> | See also: <a href="https://noctron.ch/">noctron.ch</a>, <a href="https://aivaras.xyz/">aivaras.xyz</a>
</p>

<script type="text/javascript">
    var photos = ["1.webp", "2.webp", "3.webp", "4.webp", "5.webp", "6.webp"];
    ...
    document.getElementById("bopis").src = "/m/" + photos[i];
</script>

Robots, Sitemap, and Well-Known Files

[edit]

https://430.ch/robots.txt:

User-agent: *
Allow: /

Not present:

Current live checks returning 404:

  • /.well-known/ai-plugin.json
  • /.well-known/dnt-policy.txt
  • /.well-known/gpc.json
  • /.well-known/nodeinfo
  • /.well-known/openid-configuration
  • /ads.txt
  • /app-ads.txt
  • /info/
  • /search/

Missing Stylesheet

[edit]

Several pages reference:

https://430.ch/style.css

Current result:

HTTP/2 404
server: Caddy
content-length: 0

Impact:

  • Cosmetic / hygiene issue.
  • It may produce avoidable browser console noise.

/m/ Directory

[edit]

https://430.ch/m/ is a public Caddy directory listing.

Files discovered:

1.webp  218 KiB
2.webp  119 KiB
3.webp  112 KiB
4.webp  349 KiB
5.webp  173 KiB
6.webp  290 KiB

The directory index includes sortable Caddy listing links:

?sort=namedirfirst&order=desc
?sort=name&order=asc
?sort=size&order=asc
?sort=time&order=asc
?sort=namedirfirst&order=asc
?sort=name&order=desc
?sort=size&order=desc
?sort=time&order=desc

The mirrored copies are stored in:

/root/recon-430ch/wget/430.ch/m/

/contact-us/

[edit]

https://430.ch/contact-us/ is a small static page.

HTML:

<!DOCTYPE html>
<html> <head>
    <title>Contact Us</title>
    <link rel="stylesheet" href="https://430.ch/style.css">
</head> <body>
    <center>
        <img src="1.png" alt="meighl at four hundred and thirty dot ch">
    </center>
</body> </html>

The image alt text exposes a likely contact address:

meighl@430.ch

This is already public in machine-readable HTML despite being visually represented by an image.

Linked External Domains

[edit]

The root page links noctron.ch and aivaras.xyz.

Both resolved to the same host as the apex:

noctron.ch
  A:    83.228.241.21
  AAAA: 2001:1600:18:102::167

aivaras.xyz
  A:    83.228.241.21
  AAAA: 2001:1600:18:102::167

https://noctron.ch/:

<title>noctron.ch</title>
<link rel="stylesheet" href="https://430.ch/style.css">
...
<a href="https://noctron.ch/">noctron.ch</a> → <a href="https://430.ch/">430.ch</a>

https://aivaras.xyz/:

<title>aivaras.xyz</title>
<link rel="stylesheet" href="https://430.ch/style.css">
...
<a href="https://aivaras.xyz/">aivaras.xyz</a> → <a href="https://430.ch/">430.ch</a>

Both also reference the missing https://430.ch/style.css.

Hostname-Specific Behavior

[edit]

staging.430.ch

[edit]

Resolution:

staging.430.ch -> 430.ch -> 83.228.241.21 / 2001:1600:18:102::167

HTTP:

HTTP/1.1 308 Permanent Redirect
Location: https://staging.430.ch/
Server: Caddy

HTTPS:

HTTP/2 200
server: Caddy
content-type: text/html; charset=utf-8
content-length: 61
last-modified: Thu, 09 Jul 2026 16:13:09 GMT

Body:

<meta http-equiv="refresh" content="0; url=https://430.ch/">

Interpretation:

  • This is live and public.
  • It is a simple redirect-by-meta-refresh rather than an HTTP redirect.

wiki.430.ch

[edit]

Resolution:

wiki.430.ch -> 430.ch -> 83.228.241.21 / 2001:1600:18:102::167

HTTP:

HTTP/1.1 308 Permanent Redirect
Location: https://wiki.430.ch/
Server: Caddy

HTTPS headers:

HTTP/2 200
server: Caddy
server: Apache/2.4.67 (Debian)
content-type: text/html; charset=UTF-8
cache-control: no-cache, no-store, max-age=0, must-revalidate
expires: Thu, 01 Jan 1970 00:00:00 GMT
x-content-type-options: nosniff
x-frame-options: DENY
x-powered-by: PHP/8.3.32

Page:

  • Title: Login required - Aivaropedia
  • Generator meta tag: MediaWiki 1.46.0
  • Site name: Aivaropedia
  • Anonymous page body: Please log in to view other pages.
  • Search UI is visible.
  • Login link is visible.
  • Atom feed link for Special:RecentChanges is advertised in HTML.

API read attempt:

{
  "error": {
    "code": "readapidenied",
    "info": "You need read permission to use this module.",
    "*": "See https://wiki.430.ch/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/> for notice of API deprecations and breaking changes."
  }
}

Interpretation:

  • Read access is denied via the API, which is consistent with a private wiki.
  • Some platform information is still exposed in HTML and headers:
    • MediaWiki 1.46.0
    • PHP 8.3.32
    • Apache 2.4.67 (Debian)
  • X-Frame-Options: DENY and X-Content-Type-Options: nosniff are present.
  • HSTS is not configured.

ov.430.ch

[edit]

Resolution:

ov.430.ch A    83.228.241.25
ov.430.ch AAAA 2001:1600:18:102::26f

HTTP:

HTTP/1.1 308 Permanent Redirect
Location: https://ov.430.ch/
Server: Caddy

HTTPS:

HTTP/2 301
location: https://ov.430.ch/index.php/Main_Page
server: Caddy
server: Apache/2.4.67 (Debian)
x-content-type-options: nosniff
x-powered-by: PHP/8.3.32

After redirect:

  • Page title: Marcopedia
  • Main page: Main Page
  • Generator meta tag: MediaWiki 1.46.0
  • Default content: MediaWiki has been installed.
  • The page is probably editable for anonymous users according to RLCONF:
    • wgIsProbablyEditable: true
    • wgRelevantPageIsProbablyEditable: true
    • wgRestrictionEdit: []
    • wgRestrictionMove: []
  • Personal tools include:
    • Create account
    • Log in
    • Anonymous talk/contributions links

Important note:

  • I did not try to edit, create an account, or write through the API.
  • The editability observation is based on public MediaWiki page configuration and UI, not a write attempt.

MediaWiki ov.430.ch API Findings

[edit]

Public siteinfo endpoint:

https://ov.430.ch/api.php?action=query&meta=siteinfo&siprop=general|namespaces|statistics|extensions|skins&format=json

General:

mainpage: Main Page
base: https://ov.430.ch/index.php/Main_Page
sitename: Marcopedia
generator: MediaWiki 1.46.0
phpversion: 8.3.32
phpsapi: apache2handler
dbtype: mysql
dbversion: 12.3.2-MariaDB-ubu2404
lang: en
timezone: UTC
articlepath: /index.php/$1
scriptpath:
script: /index.php
server: https://ov.430.ch
servername: ov.430.ch
wikiid: my_wiki
maxuploadsize: 104857600

Statistics:

pages: 1
articles: 0
edits: 1
images: 0
users: 2
activeusers: 1
admins: 2
jobs: 0

Skins:

MinervaNeue
MonoBook
Timeless 0.9.1
Vector 1.0.0
Vector legacy (2010) default

Extension:

MediaWikiChat
version: 2.25.0
author: Adam Carter/UltrasonicNXT
vcs-version: f19bf98d07cdeeaefcceab81dcdd407b039d4451
vcs-date: 2026-06-15T08:20:07Z

Public allusers query:

{
  "userid": 3,
  "name": "Aivaras",
  "editcount": 1,
  "registration": "2026-07-03T22:32:35Z",
  "groups": ["*", "user", "autoconfirmed", "bot", "bureaucrat", "interface-admin", "suppress", "sysop"]
}
{
  "userid": 2,
  "name": "Marco",
  "editcount": 0,
  "registration": "2026-07-03T21:39:57Z",
  "groups": ["*", "user", "autoconfirmed", "bureaucrat", "interface-admin", "sysop"]
}
{
  "userid": 1,
  "name": "MediaWiki default",
  "editcount": 0,
  "registration": "2026-07-03T21:39:57Z",
  "groups": ["*", "user", "autoconfirmed"]
}

Recent changes:

2026-07-04T10:35:06Z
  type: new
  title: Marco
  user: Aivaras
  comment: Created blank page

2026-07-03T22:35:07Z
  type: log
  title: User:Aivaras
  user: Marco

2026-07-03T22:34:31Z
  type: log
  title: User:Aivaras
  user: Marco

2026-07-03T22:34:11Z
  type: log
  title: User:Aivaras
  user: Marco

2026-07-03T22:32:35Z
  type: log
  title: User:Aivaras
  user: Aivaras

Log events:

2026-07-04T10:35:06Z
  create: Marco
  user: Aivaras
  comment: Created blank page

2026-07-03T22:35:07Z
  rights change for User:Aivaras
  user: Marco
  oldgroups: bureaucrat, sysop
  newgroups: bot, bureaucrat, interface-admin, suppress, sysop

2026-07-03T22:34:31Z
  rights change for User:Aivaras
  user: Marco
  oldgroups: sysop
  newgroups: bureaucrat, sysop

2026-07-03T22:34:11Z
  rights change for User:Aivaras
  user: Marco
  oldgroups: none
  newgroups: sysop

2026-07-03T22:32:35Z
  new user: Aivaras
  created by: Aivaras

2026-07-03T21:39:57Z
  create: Main Page
  user: MediaWiki default

Anonymous CSRF token request:

{"batchcomplete":"","query":{"tokens":{"csrftoken":"+\\"}}}

Interpretation:

  • This is the normal anonymous no-permission token and does not indicate successful write capability.
  • No write was attempted.

TLS Findings

[edit]

Certificates

[edit]

430.ch:

subject=CN=430.ch
issuer=C=AT, O=ZeroSSL GmbH, CN=ZeroSSL ECC DV SSL CA 2
notBefore=Jun 19 00:00:00 2026 GMT
notAfter=Sep 17 23:59:59 2026 GMT
SAN: DNS:430.ch

ov.430.ch:

subject=CN=ov.430.ch
issuer=C=US, O=Let's Encrypt, CN=YE1
notBefore=Jul  3 20:43:41 2026 GMT
notAfter=Oct  1 20:43:40 2026 GMT
SAN: DNS:ov.430.ch

wiki.430.ch:

subject=CN=wiki.430.ch
issuer=C=US, O=Let's Encrypt, CN=YE1
notBefore=Jul  3 14:41:56 2026 GMT
notAfter=Oct  1 14:41:55 2026 GMT
SAN: DNS:wiki.430.ch

staging.430.ch:

subject=CN=staging.430.ch
issuer=C=US, O=Let's Encrypt, CN=YE2
notBefore=Jul  9 15:11:48 2026 GMT
notAfter=Oct  7 15:11:47 2026 GMT
SAN: DNS:staging.430.ch

Protocols and Ciphers

[edit]

Nmap ssl-enum-ciphers found TLS 1.2 and TLS 1.3 across 430.ch, ov.430.ch, wiki.430.ch, and staging.430.ch.

TLS 1.2 ciphers:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - A
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - A
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - A

TLS 1.3 ciphers:

TLS_AKE_WITH_AES_128_GCM_SHA256 - A
TLS_AKE_WITH_AES_256_GCM_SHA384 - A
TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 - A

Nmap reported:

least strength: A

Manual openssl s_client checks verified successful TLS 1.2 and TLS 1.3 negotiation. TLS 1.0/1.1 forced checks did not negotiate TLS 1.0/1.1.

HSTS

[edit]

Nmap http-security-headers reported HSTS missing for:

  • 430.ch
  • ov.430.ch
  • wiki.430.ch
  • staging.430.ch

Example:

Strict_Transport_Security:
  HSTS not configured in HTTPS Server

Recommendation:

Add HSTS after confirming all subdomains intended to use HTTPS are ready:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Use includeSubDomains and preload only if you are comfortable committing all subdomains to HTTPS.

Network Service Findings

[edit]

Full TCP Scan Summary

[edit]

IPv4 full TCP scan command:

nmap -Pn -sS -T3 -p- --max-retries 2 83.228.241.21 83.228.241.25 -oN /root/recon-430ch/nmap-ipv4-full.txt

IPv6 full TCP scan command:

nmap -Pn -6 -sT -T3 -p- --max-retries 2 2001:1600:18:102::167 2001:1600:18:102::26f -oN /root/recon-430ch/nmap-ipv6-full.txt

83.228.241.21 / 2001:1600:18:102::167:

22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

IPv4 notes:

Not shown: 65532 filtered tcp ports (no-response)

IPv6 notes:

Not shown: 65532 filtered tcp ports (no-response)

83.228.241.25 / 2001:1600:18:102::26f:

IPv4:

22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
5355/tcp open     llmnr
6567/tcp open     esp
8080/tcp filtered http-proxy

IPv6:

22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
5355/tcp open  llmnr
6567/tcp open  esp
8080/tcp open  http-proxy

Nmap labels for 5355, 6567, and 8080 should be interpreted carefully:

  • 5355 is conventionally LLMNR, but version probes did not complete with a more certain identification before being stopped.
  • 6567 was labeled esp? by nmap because the response fingerprint was not recognized. The port number and behavior align with a likely game service, especially Mindustry.
  • 8080 on IPv6 was confirmed by service detection as Apache HTTPD 2.4.67 (Debian).

Top-Port Version Scan

[edit]

Top-port version scan found:

430.ch host:

22/tcp  open  ssh        OpenSSH 10.0p2 Debian 7+deb13u4 (protocol 2.0)
80/tcp  open  http       Caddy httpd
443/tcp open  ssl/https?

ov.430.ch host:

22/tcp   open     ssh        OpenSSH 10.0p2 Debian 7+deb13u4 (protocol 2.0)
80/tcp   open     http       Caddy httpd
443/tcp  open     ssl/https?
6567/tcp open     esp?
8080/tcp filtered http-proxy   (IPv4)
8080/tcp open     http         Apache httpd 2.4.67 ((Debian))   (IPv6)

Port 8080 on ov.430.ch

[edit]

IPv6 direct request:

curl -g -D - -o /dev/null 'http://[2001:1600:18:102::26f]:8080/'

Result:

HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.67 (Debian)
X-Powered-By: PHP/8.3.32
X-Content-Type-Options: nosniff
Vary: Accept-Encoding,Cookie
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: private, must-revalidate, max-age=0
Location: https://ov.430.ch/index.php/Main_Page
Content-Type: text/html; charset=UTF-8

Same result with Host: ov.430.ch.

Interpretation:

  • Apache/PHP/MediaWiki is directly reachable over IPv6 on port 8080.
  • On IPv4, nmap saw 8080/tcp as filtered.
  • If Caddy is supposed to be the only public HTTP entry point, this is a firewall/bind-address mismatch.

Port 6567 on ov.430.ch

[edit]

TCP version probes returned an unrecognized 8-byte binary response pattern on many payloads:

\0\x06\xfe\x04...

Nmap labeled it:

6567/tcp open esp?

Targeted UDP checks:

6567/udp open|filtered esp
27015/udp closed        halflife       (on ov)
27016/udp closed        unknown        (on ov)

On the main host, UDP checks for the small selected set were inconclusive:

6567/udp  open|filtered
27015/udp open|filtered
27016/udp open|filtered

Interpretation:

  • 6567 is the common/default Mindustry server port.
  • Public Mindustry server docs say to allow port 6567 TCP and UDP for server hosting.
  • This does not prove Mindustry, but it is a strong hypothesis.

Reference used:

Port 5355 on ov.430.ch

[edit]

Full TCP scan found:

5355/tcp open llmnr

This appeared on both IPv4 and IPv6 for the ov.430.ch host.

Targeted UDP checks returned:

5355/udp open|filtered llmnr

The version probes against TCP 5355 ran longer than useful and were stopped. No additional service fingerprint was collected.

Interpretation:

  • Port 5355 is normally Link-Local Multicast Name Resolution (LLMNR).
  • LLMNR is not normally useful on the public Internet.
  • If this is truly LLMNR, it should not be exposed externally.
  • If it is another custom service on port 5355, it should be documented and access-controlled.

SSH

[edit]

Both hosts expose SSH:

OpenSSH 10.0p2 Debian 7+deb13u4 (protocol 2.0)

Recommendation:

  • Keep password authentication disabled if possible.
  • Restrict SSH by source IP or VPN if feasible.
  • Ensure root login is disabled.
  • Monitor auth logs.

No authentication attempts were made.

Shodan InternetDB

[edit]

https://internetdb.shodan.io/83.228.241.21:

{
  "cpes": ["cpe:/a:golang:go", "cpe:/a:caddyserver:caddy"],
  "hostnames": ["ov-7fb696.infomaniak.ch"],
  "ip": "83.228.241.21",
  "ports": [80, 443],
  "tags": [],
  "vulns": []
}

https://internetdb.shodan.io/83.228.241.25:

{
  "cpes": [
    "cpe:/o:canonical:ubuntu_linux",
    "cpe:/a:golang:go",
    "cpe:/a:caddyserver:caddy",
    "cpe:/a:openbsd:openssh:9.6p1"
  ],
  "hostnames": ["ov-9520b2.infomaniak.ch"],
  "ip": "83.228.241.25",
  "ports": [22, 80, 443],
  "tags": [],
  "vulns": []
}

Note:

  • Shodan InternetDB did not list the extra 5355, 6567, or IPv6 8080 findings found by direct nmap scanning.
  • InternetDB can be stale or incomplete.

Recursive Mirror

[edit]

Command used for the apex:

wget -r -l inf -np -E -k -p --restrict-file-names=windows -D 430.ch --no-verbose --directory-prefix=/root/recon-430ch/wget https://430.ch/

Result:

Downloaded: 19 files, 1.5M

Mirrored files:

/root/recon-430ch/wget/430.ch/contact-us/1.png
/root/recon-430ch/wget/430.ch/contact-us/index.html
/root/recon-430ch/wget/430.ch/index.html
/root/recon-430ch/wget/430.ch/m/1.webp
/root/recon-430ch/wget/430.ch/m/2.webp
/root/recon-430ch/wget/430.ch/m/3.webp
/root/recon-430ch/wget/430.ch/m/4.webp
/root/recon-430ch/wget/430.ch/m/5.webp
/root/recon-430ch/wget/430.ch/m/6.webp
/root/recon-430ch/wget/430.ch/m/index.html
/root/recon-430ch/wget/430.ch/m/index.html@sort=name&order=asc.html
/root/recon-430ch/wget/430.ch/m/index.html@sort=name&order=desc.html
/root/recon-430ch/wget/430.ch/m/index.html@sort=namedirfirst&order=asc.html
/root/recon-430ch/wget/430.ch/m/index.html@sort=namedirfirst&order=desc.html
/root/recon-430ch/wget/430.ch/m/index.html@sort=size&order=asc.html
/root/recon-430ch/wget/430.ch/m/index.html@sort=size&order=desc.html
/root/recon-430ch/wget/430.ch/m/index.html@sort=time&order=asc.html
/root/recon-430ch/wget/430.ch/m/index.html@sort=time&order=desc.html
/root/recon-430ch/wget/430.ch/robots.txt

Explicit checks for paths seen in search results:

https://430.ch/f/       -> 404
https://430.ch/yagpab/  -> 404

The Google cache endpoint did not return usable cached copies of those paths during testing.

Image and File Metadata

[edit]

File type summary:

1.webp: WebP, 3060x4080
2.webp: WebP, 1932x2576
3.webp: WebP, 1932x2576
4.webp: WebP, 3060x4080
5.webp: WebP, 3060x4080
6.webp: WebP, 4080x3060
contact-us/1.png: PNG, 1600x300

ExifTool findings:

The six WebP files contained basic file/image structure only:

  • File type: WEBP
  • Dimensions
  • No EXIF camera metadata observed.
  • No GPS metadata observed.

The contact PNG retained metadata:

FileType: PNG
ImageSize: 1600x300
Software: GIMP 2.10.36
HistorySoftwareAgent: Gimp 2.10 (Linux)
ModifyDate: 2026:05:09 13:07:27
MetadataDate: 2026:05:09T13:07:27+03:00
CreatorTool: GIMP 2.10
ProfileDescription: GIMP built-in sRGB
ProfileCopyright: Public Domain
Platform: Linux

No GPS metadata was observed in the contact PNG.

SHA-256 hashes of mirrored image assets:

fec1e3af9cc3ffd579f3f67d37933241f36bed186e4ac32efac7f1fdeae3dca8  /root/recon-430ch/wget/430.ch/m/1.webp
f86238f5266c54361c9ef9741b66153442d94b77e6f6550d567bba4e5b6d5668  /root/recon-430ch/wget/430.ch/m/2.webp
47f96eac0bb93acc04e4fb2303c64a61a3f1b15a9995b325ff7146a12333e67f  /root/recon-430ch/wget/430.ch/m/3.webp
369846fc54104174c392f27f80dfe08bd626a18cca5dbf31ef72cb24364389e5  /root/recon-430ch/wget/430.ch/m/4.webp
084b3cb17df8c773e2317668715d14f3211f4fca24ba292f026194c8a01d6a12  /root/recon-430ch/wget/430.ch/m/5.webp
e140aadd64a2e73707536524356d44691aaf6a0713de0f22a1c91543e25e947e  /root/recon-430ch/wget/430.ch/m/6.webp
93d431b374d4882a569931def5ba5937aedc1686f49f281253ad9297eb8f209d  /root/recon-430ch/wget/430.ch/contact-us/1.png

Web Archive and Public Indexing

[edit]

Wayback CDX lookup:

https://web.archive.org/cdx?url=430.ch/*&output=json&fl=timestamp,original,statuscode,mimetype,digest&collapse=urlkey&filter=statuscode:200

Returned historical entries including:

20191223004332  http://430.ch/                                      200 text/html
20160729094455  http://430.ch/robots.txt                            200 text/plain
20231028224700  https://430.ch/.well-known/ai-plugin.json           200 text/html
20231028195934  https://430.ch/.well-known/dnt-policy.txt           200 text/html
20231028201009  https://430.ch/.well-known/gpc.json                 200 text/html
20231029001948  https://430.ch/.well-known/nodeinfo                 200 text/html
20231028193612  https://430.ch/.well-known/openid-configuration     200 text/html
20231028203348  https://430.ch/.well-known/security.txt             200 text/html
20231028223110  https://430.ch/.well-known/trust.txt                200 text/html
20231028194249  https://430.ch/ads.txt                              200 text/html
20231028205649  https://430.ch/app-ads.txt                          200 text/html
20231029024555  https://430.ch/info/                                200 text/html
20231028200842  https://430.ch/parking.php4                         200 text/html
20231028231335  https://430.ch/search/                              200 text/html
20231028204408  https://430.ch/sitemap.xml                          200 text/html

Interpretation:

  • Many 2023 entries look like parked/placeholder behavior rather than current content.
  • Current live checks for those paths returned 404.

URLScan:

  • Querying domain:430.ch returned results for noctron.ch, not direct 430.ch scans.
  • Querying page.domain:"430.ch" returned no results.

Security Observations and Recommendations

[edit]

High Priority

[edit]

Close or restrict 5355/tcp on ov.430.ch

[edit]

Finding:

  • 5355/tcp is open on 83.228.241.25 and 2001:1600:18:102::26f.
  • Nmap labels it llmnr.

Why it matters:

  • LLMNR is generally local-network-only functionality and should not be Internet-facing.
  • If this is not LLMNR, an undocumented public service is still exposed.

Recommended action:

  • Identify the listening process.
  • If unintended, stop it and firewall 5355/tcp and likely 5355/udp.
  • If intended, restrict source IPs and document it.

Example local triage commands on the server:

ss -ltnup | grep ':5355'
systemctl status systemd-resolved

Restrict IPv6 8080/tcp on ov.430.ch

[edit]

Finding:

  • 8080/tcp is open on IPv6 but filtered on IPv4.
  • It exposes Apache/PHP/MediaWiki directly.

Why it matters:

  • If Caddy is intended as the public reverse proxy, direct backend access can bypass proxy-layer controls, logging assumptions, rate limits, or header normalization.
  • IPv6 firewall parity often gets missed.

Recommended action:

  • Bind Apache backend only to loopback if it is only used by Caddy.
  • Otherwise firewall 8080/tcp consistently on IPv4 and IPv6.

Example local triage:

ss -ltnp | grep ':8080'

Confirm 6567/tcp and 6567/udp

[edit]

Finding:

  • 6567/tcp is open on ov.430.ch.
  • 6567/udp is open|filtered.
  • Port 6567 is commonly used by Mindustry.

Recommended action:

  • Confirm whether this is intentional.
  • If it is a game server, consider whether it should be public and whether it needs rate limits or firewall restrictions.
  • If unused, close it.

Medium Priority

[edit]

Add HSTS

[edit]

Finding:

  • HTTPS works well, but HSTS is not configured.

Recommended Caddy-style header:

Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Use a shorter max-age first if you want a low-risk rollout:

Strict-Transport-Security "max-age=86400"

Tighten apex CORS

[edit]

Finding:

  • 430.ch reflects arbitrary origins and allows credentials.

Recommended action:

  • If static files do not need credentialed cross-origin access, remove credentialed CORS headers.
  • If cross-origin reads are required, allowlist specific origins and avoid Access-Control-Allow-Credentials: true unless needed.

Review MediaWiki public exposure on ov.430.ch

[edit]

Finding:

  • Public API exposes version, PHP version, DB version, extension version, skins, users, groups, rights changes, and logs.
  • UI appears to advertise account creation and probable editability.

Recommended action:

  • Decide whether ov.430.ch is intentionally public.
  • If public, keep MediaWiki and extensions patched.
  • If private, restrict anonymous read, API, account creation, and editing.
  • Consider hiding detailed version headers where practical, recognizing that version hiding is defense-in-depth and not a substitute for patching.

Potential MediaWiki settings to review:

$wgGroupPermissions['*']['read']
$wgGroupPermissions['*']['edit']
$wgGroupPermissions['*']['createaccount']
$wgGroupPermissions['*']['writeapi']
$wgShowExceptionDetails

Add CAA records

[edit]

Finding:

  • No apex CAA record observed.

Recommended action:

If only Let's Encrypt and ZeroSSL should issue:

430.ch. CAA 0 issue "letsencrypt.org"
430.ch. CAA 0 issue "sectigo.com"
430.ch. CAA 0 issuewild ";"

Tune this based on actual CA usage. ZeroSSL chains to Sectigo in the observed certificate.

Add MTA-STS and TLS-RPT

[edit]

Finding:

  • No MTA-STS or TLS-RPT records observed.

Recommended action:

Publish:

_mta-sts.430.ch TXT "v=STSv1; id=YYYYMMDD01"
_smtp._tls.430.ch TXT "v=TLSRPTv1; rua=mailto:tlsrpt@430.ch"

Serve an HTTPS policy at:

https://mta-sts.430.ch/.well-known/mta-sts.txt

Example policy:

version: STSv1
mode: testing
mx: aspmx1.migadu.com
mx: aspmx2.migadu.com
max_age: 86400

Move from testing to enforce after confirming reports are clean.

Low Priority / Hygiene

[edit]

Fix missing style.css

[edit]

Finding:

Recommended action:

  • Add the stylesheet or remove the references.

Add security.txt

[edit]

Finding:

  • /.well-known/security.txt returns 404.

Recommended action:

Add a minimal file if you want a clear channel for reports:

Contact: mailto:meighl@430.ch
Preferred-Languages: en
Canonical: https://430.ch/.well-known/security.txt

Consider whether /m/ should be a directory listing

[edit]

Finding:

  • /m/ exposes a Caddy directory listing.

Recommended action:

  • If intentional, no change needed.
  • If not, disable browse/listing and link only specific images.

Remove unnecessary metadata from contact PNG

[edit]

Finding:

  • Contact PNG retains GIMP/XMP metadata.

Risk:

  • Low. No GPS or sensitive camera metadata was found.

Recommended action:

  • Strip metadata from public images as a standard publishing step.

Example:

exiftool -all= image.png

Artifact Inventory

[edit]

Top-level files in /root/recon-430ch:

nmap-http-scripts.txt        3378 bytes
nmap-ipv4-full.txt           796 bytes
nmap-ipv4-top.txt            1653 bytes
nmap-ipv6-full.txt           774 bytes
nmap-ipv6-top.txt            1670 bytes
nmap-ov-5355-ipv6.txt        0 bytes
nmap-ov-5355.txt             0 bytes
nmap-ov-ipv6-specific.txt    1040 bytes
nmap-ov-specific.txt         2900 bytes
nmap-ssl-enum.txt            3547 bytes
nmap-udp-5355-ipv6.txt       709 bytes
nmap-udp-5355.txt            669 bytes
nmap-udp-game-ipv6.txt       873 bytes
nmap-udp-game.txt            833 bytes
robots.txt                   23 bytes
root-http.html               0 bytes
root-https.html              1201 bytes
security.txt                 0 bytes
sitemap.xml                  0 bytes
wget/                        mirrored site

Directory size:

/root/recon-430ch: 1.6M

Commands Used

[edit]

Representative command list:

apt-get update
apt-get install -y dnsutils whois nmap traceroute jq netcat-openbsd ca-certificates
apt-get install -y libimage-exiftool-perl

dig 430.ch ANY
dig 430.ch A 430.ch AAAA 430.ch NS 430.ch SOA 430.ch MX 430.ch TXT 430.ch CAA +noall +answer
dig +short -x 83.228.241.21
whois 430.ch
whois 83.228.241.21
dig AXFR 430.ch @ns11.infomaniak.ch
dig AXFR 430.ch @ns12.infomaniak.ch
dig 430.ch DNSKEY 430.ch DS +noall +answer

curl -sS -D - -o /root/recon-430ch/root-http.html http://430.ch/
curl -sS -D - -o /root/recon-430ch/root-https.html https://430.ch/
curl -sS -D - -o /root/recon-430ch/robots.txt https://430.ch/robots.txt
curl -sS -D - -o /root/recon-430ch/sitemap.xml https://430.ch/sitemap.xml
curl -sS -D - -o /root/recon-430ch/security.txt https://430.ch/.well-known/security.txt
openssl s_client -connect 430.ch:443 -servername 430.ch -showcerts </dev/null

wget -r -l inf -np -E -k -p --restrict-file-names=windows -D 430.ch --no-verbose --directory-prefix=/root/recon-430ch/wget https://430.ch/
wget -r -l inf -np -E -k -p --restrict-file-names=windows -D 430.ch --no-verbose --directory-prefix=/root/recon-430ch/wget https://430.ch/f/
wget -r -l inf -np -E -k -p --restrict-file-names=windows -D 430.ch --no-verbose --directory-prefix=/root/recon-430ch/wget https://430.ch/yagpab/

curl -sS 'https://crt.sh/?q=%25.430.ch&output=json'
curl -sS 'https://rdap.nic.ch/domain/430.ch'
curl -sS 'https://urlscan.io/api/v1/search/?q=domain:430.ch'
curl -sS -L 'https://web.archive.org/cdx?url=430.ch/*&output=json&fl=timestamp,original,statuscode,mimetype,digest&collapse=urlkey&filter=statuscode:200'

nmap -Pn -sS -sV --version-light -T3 --top-ports 1000 83.228.241.21 83.228.241.25 -oN /root/recon-430ch/nmap-ipv4-top.txt
nmap -Pn -6 -sT -sV --version-light -T3 --top-ports 1000 2001:1600:18:102::167 2001:1600:18:102::26f -oN /root/recon-430ch/nmap-ipv6-top.txt
nmap -Pn -sS -T3 -p- --max-retries 2 83.228.241.21 83.228.241.25 -oN /root/recon-430ch/nmap-ipv4-full.txt
nmap -Pn -6 -sT -T3 -p- --max-retries 2 2001:1600:18:102::167 2001:1600:18:102::26f -oN /root/recon-430ch/nmap-ipv6-full.txt
nmap -Pn -p443 --script ssl-enum-ciphers 430.ch ov.430.ch wiki.430.ch staging.430.ch -oN /root/recon-430ch/nmap-ssl-enum.txt
nmap -Pn -p80,443 --script http-title,http-server-header,http-security-headers 430.ch ov.430.ch wiki.430.ch staging.430.ch -oN /root/recon-430ch/nmap-http-scripts.txt
nmap -Pn -sU -sV --version-light -p6567,27015,27016 83.228.241.25 83.228.241.21 -oN /root/recon-430ch/nmap-udp-game.txt
nmap -Pn -6 -sU -sV --version-light -p6567,27015,27016 2001:1600:18:102::26f 2001:1600:18:102::167 -oN /root/recon-430ch/nmap-udp-game-ipv6.txt
nmap -Pn -sU -sV --version-light -p5355 83.228.241.25 83.228.241.21 -oN /root/recon-430ch/nmap-udp-5355.txt
nmap -Pn -6 -sU -sV --version-light -p5355 2001:1600:18:102::26f 2001:1600:18:102::167 -oN /root/recon-430ch/nmap-udp-5355-ipv6.txt

curl -sS 'https://ov.430.ch/api.php?action=query&meta=siteinfo&siprop=general%7Cnamespaces%7Cstatistics%7Cextensions%7Cskins&format=json'
curl -sS 'https://ov.430.ch/api.php?action=query&list=allusers&auprop=groups%7Ceditcount%7Cregistration&format=json'
curl -sS 'https://ov.430.ch/api.php?action=query&list=recentchanges&rcprop=title%7Cids%7Ctimestamp%7Cuser%7Ccomment%7Cflags&rclimit=20&format=json'
curl -sS 'https://ov.430.ch/api.php?action=query&list=logevents&leprop=title%7Ctimestamp%7Cuser%7Ccomment%7Ctype%7Cdetails&lelimit=20&format=json'
curl -sS 'https://wiki.430.ch/api.php?action=query&meta=siteinfo&siprop=general%7Cnamespaces%7Cstatistics%7Cextensions%7Cskins&format=json'

exiftool -a -G1 -s /root/recon-430ch/wget/430.ch/m/*.webp /root/recon-430ch/wget/430.ch/contact-us/1.png
sha256sum /root/recon-430ch/wget/430.ch/m/*.webp /root/recon-430ch/wget/430.ch/contact-us/1.png

Appendix: Raw Nmap Full TCP Output

[edit]

IPv4

[edit]
# Nmap 7.95 scan initiated Thu Jul  9 17:42:08 2026 as: nmap -Pn -sS -T3 -p- --max-retries 2 -oN /root/recon-430ch/nmap-ipv4-full.txt 83.228.241.21 83.228.241.25
Nmap scan report for 430.ch (83.228.241.21)
Host is up (0.064s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
MAC Address: FA:16:3E:46:4B:58 (Unknown)

Nmap scan report for ov.430.ch (83.228.241.25)
Host is up (0.0000090s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
5355/tcp open     llmnr
6567/tcp open     esp
8080/tcp filtered http-proxy

# Nmap done at Thu Jul  9 17:49:20 2026 -- 2 IP addresses (2 hosts up) scanned in 431.22 seconds

IPv6

[edit]
# Nmap 7.95 scan initiated Thu Jul  9 17:42:08 2026 as: nmap -Pn -6 -sT -T3 -p- --max-retries 2 -oN /root/recon-430ch/nmap-ipv6-full.txt 2001:1600:18:102::167 2001:1600:18:102::26f
Nmap scan report for 430.ch (2001:1600:18:102::167)
Host is up (0.019s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap scan report for ov.430.ch (2001:1600:18:102::26f)
Host is up (0.00014s latency).
Not shown: 65529 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
5355/tcp open  llmnr
6567/tcp open  esp
8080/tcp open  http-proxy

# Nmap done at Thu Jul  9 17:49:57 2026 -- 2 IP addresses (2 hosts up) scanned in 468.20 seconds