Marcotrix.xyz Reconnaissance Report

From Marcopedia
Jump to navigation Jump to search


Marcotrix.xyz Reconnaissance Report

[edit]

Report date: 2026-07-09 UTC

Target: marcotrix.xyz

Verification status: not verified

Primary artifact directory: /root/recon-marcotrix-xyz

Scope and Authorization Boundary

[edit]

This report was produced without domain-owner verification for marcotrix.xyz. Because of that, the work was intentionally narrower than the owner-authorized 430.ch report.

Allowed and performed:

  • Public DNS, WHOIS, RDAP, certificate transparency, public search, Shodan InternetDB, RIPEstat, and Wayback lookups.
  • Ordinary HTTP(S) requests to publicly reachable pages.
  • A shallow same-site wget mirror of linked public web assets.
  • Targeted nmap checks only for ports already identified by passive sources or explicit DNS/service evidence.
  • Local metadata inspection of files downloaded from the public site.

Not performed:

  • Account creation.
  • Login attempts.
  • Writes to any Marcotrix service.
  • Directory brute forcing or web fuzzing.
  • Vulnerability exploitation.
  • Broad UDP scanning.
  • Full TCP port sweep.
  • Publication of this report to a public wiki page.

Executive Summary

[edit]

marcotrix.xyz is a Namecheap-registered .xyz domain created on 2025-11-21. It uses Namecheap/registrar-servers DNS and points its apex to a single OVH Italy VPS address, 57.131.38.220. The same address is also used for mail.marcotrix.xyz, jellyfin.marcotrix.xyz, drive.marcotrix.xyz, and money.marcotrix.xyz.

The public surface visible from limited checks includes:

  • A static Caddy-served apex website.
  • A Caddy reverse-proxied Jellyfin instance on jellyfin.marcotrix.xyz.
  • A Caddy reverse-proxied copyparty instance on drive.marcotrix.xyz.
  • A broken or misconfigured HTTPS service on money.marcotrix.xyz.
  • An HTTPS endpoint for mail.marcotrix.xyz returning 502, while mail DNS points MX to the same host.
  • 5201/tcp open as iperf3.
  • 123/udp open as NTP v4.
  • Strong TLS 1.2/1.3 ciphers on the tested HTTPS names.
  • No HSTS on tested HTTPS names.

Most notable observations:

  1. mail.marcotrix.xyz is the MX target, but SMTP/IMAP/submission ports were filtered or closed in the limited targeted checks. This suggests inbound mail may not work from this vantage point.
  2. drive.marcotrix.xyz exposes a copyparty service title and unauthenticated landing text.
  3. jellyfin.marcotrix.xyz exposes public Jellyfin metadata, including version 10.11.6, server name marcoserver, a private backend address, and an instance ID.
  4. 5201/tcp is open as iperf3; that is normally a benchmarking service and should be closed or restricted unless intentionally public.
  5. 123/udp is open as NTP v4. If public NTP service is not intentional, restrict it.
  6. DNSSEC is unsigned, CAA is absent, SPF is softfail, DMARC is monitor-only, and MTA-STS/TLS-RPT were not observed.

Domain Registration and DNS

[edit]

WHOIS/RDAP showed:

Domain Name: MARCOTRIX.XYZ
Registry Domain ID: D621206912-CNIC
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Creation Date: 2025-11-21T17:05:51.0Z
Updated Date: 2026-01-04T19:34:06.0Z
Registry Expiry Date: 2026-11-21T23:59:59.0Z
Domain Status: clientTransferProhibited
DNSSEC: unsigned
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.9854014545

RDAP source:

https://rdap.centralnic.com/xyz/domain/marcotrix.xyz

RDAP confirmed:

  • Registrar: NameCheap, Inc.
  • DNSSEC delegation signed: false
  • Nameservers:
    • dns1.registrar-servers.com
    • dns2.registrar-servers.com
  • Status: client transfer prohibited

IP Allocation and Hosting

[edit]

The apex A record resolves to:

marcotrix.xyz. A 57.131.38.220

No apex AAAA record was observed.

Reverse DNS:

57.131.38.220 -> mail.marcotrix.xyz.

WHOIS for 57.131.38.220 referred from ARIN to RIPE and showed:

inetnum: 57.131.38.0 - 57.131.38.255
netname: VPS-EU-SOUTH-MIL-VPS-1
country: IT
org: ORG-OS43-RIPE
geoloc: 45.4666 9.1666
abuse-mailbox: abuse@ovh.net
route: 57.131.0.0/17
origin: AS16276

RIPEstat aligned the address to:

resource: 57.131.0.0/17
ASN: 16276
holder: OVH OVH SAS

Interpretation:

  • The host appears to be an OVH VPS in the Italy/Milan region.
  • Abuse contact for the allocation is abuse@ovh.net.

DNS Records

[edit]

Observed apex records:

marcotrix.xyz. A     57.131.38.220
marcotrix.xyz. NS    dns1.registrar-servers.com.
marcotrix.xyz. NS    dns2.registrar-servers.com.
marcotrix.xyz. SOA   dns1.registrar-servers.com. hostmaster.registrar-servers.com. 1782905010 43200 3600 604800 3601
marcotrix.xyz. MX 10 mail.marcotrix.xyz.
marcotrix.xyz. TXT   "v=spf1 mx ~all"

Not observed:

  • Apex AAAA
  • Apex CAA
  • _mta-sts.marcotrix.xyz TXT
  • _smtp._tls.marcotrix.xyz TXT
  • mta-sts.marcotrix.xyz
  • autoconfig.marcotrix.xyz
  • autodiscover.marcotrix.xyz

DMARC:

_dmarc.marcotrix.xyz TXT "v=DMARC1; p=none; rua=mailto:mail@marcotrix.xyz"

Interpretation:

  • SPF is ~all, a softfail policy.
  • DMARC is monitoring-only (p=none).
  • DMARC reports are directed to mail@marcotrix.xyz.
  • No MTA-STS or TLS-RPT records were observed.
  • No CAA record was observed.
  • DNSSEC is unsigned.

Atproto / Bluesky Identity

[edit]

The domain publishes an Atproto handle verification record:

_atproto.marcotrix.xyz TXT "did=did:plc:rs545j57yaqct4qmp7c4aymc"

Bluesky handle resolution:

{"did":"did:plc:rs545j57yaqct4qmp7c4aymc"}

PLC directory record:

{
  "id": "did:plc:rs545j57yaqct4qmp7c4aymc",
  "alsoKnownAs": ["at://marcotrix.xyz"],
  "service": [
    {
      "id": "#atproto_pds",
      "type": "AtprotoPersonalDataServer",
      "serviceEndpoint": "https://gomphus.us-west.host.bsky.network"
    }
  ]
}

Interpretation:

  • marcotrix.xyz is configured as a Bluesky/Atproto handle.
  • The PDS endpoint is hosted by Bluesky infrastructure, not on marcotrix.xyz.

Certificate Transparency and Subdomains

[edit]

Certificate transparency records from crt.sh exposed these names:

Currently resolving during testing:

  • marcotrix.xyz
  • mail.marcotrix.xyz
  • jellyfin.marcotrix.xyz
  • money.marcotrix.xyz
  • drive.marcotrix.xyz

Seen in certificate transparency but not resolving during testing:

  • www.marcotrix.xyz
  • chat.marcotrix.xyz
  • llc.marcotrix.xyz
  • budget.marcotrix.xyz
  • matrix.marcotrix.xyz

Recent/current certificate observations:

marcotrix.xyz
  issuer: Let's Encrypt E7
  notBefore: May 15 22:57:19 2026 GMT
  notAfter:  Aug 13 22:57:18 2026 GMT
  SAN: DNS:marcotrix.xyz

mail.marcotrix.xyz
  issuer: Let's Encrypt E8
  notBefore: May 24 03:47:06 2026 GMT
  notAfter:  Aug 22 03:47:05 2026 GMT
  SAN: DNS:mail.marcotrix.xyz

jellyfin.marcotrix.xyz
  issuer: Let's Encrypt YE2
  notBefore: Jun 26 06:10:01 2026 GMT
  notAfter:  Sep 24 06:10:00 2026 GMT
  SAN: DNS:jellyfin.marcotrix.xyz

drive.marcotrix.xyz
  issuer: Let's Encrypt E8
  notBefore: May 16 13:29:26 2026 GMT
  notAfter:  Aug 14 13:29:25 2026 GMT
  SAN: DNS:drive.marcotrix.xyz

money.marcotrix.xyz had certificate transparency entries, but live TLS connection attempts failed with an internal TLS alert from this vantage point:

curl: (35) TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error

Hostname Resolution and HTTP Behavior

[edit]

Resolution during testing:

marcotrix.xyz            A 57.131.38.220
mail.marcotrix.xyz       A 57.131.38.220
jellyfin.marcotrix.xyz   A 57.131.38.220
money.marcotrix.xyz      A 57.131.38.220
drive.marcotrix.xyz      A 57.131.38.220

No resolution during testing:

www.marcotrix.xyz
chat.marcotrix.xyz
llc.marcotrix.xyz
budget.marcotrix.xyz
matrix.marcotrix.xyz

All tested resolving names used HTTP-to-HTTPS redirects via Caddy:

HTTP/1.1 308 Permanent Redirect
Location: https://<host>/
Server: Caddy

Apex Site

[edit]

https://marcotrix.xyz/:

HTTP/2 200
alt-svc: h3=":443"; ma=2592000
content-type: text/html; charset=utf-8
via: 1.1 Caddy

Root HTML:

<meta name="description" content="Marcotrix homepage" />
<title>Marcotrix</title>
<link rel="stylesheet" href="/style.css" />
...
<h1>Marcotrix</h1>
<div class="photo-frame" aria-label="A rotating Zoe photo">
  <img class="placeholder-image" id="zoe-photo" src="/zoe1.jpg" alt="Zoe" decoding="async" />
</div>
<a class="ink-link" href="/contact/index.html">contact us</a>

JavaScript rotates these public image paths:

/zoe1.jpg
/zoe2.jpg
/zoe3.jpg
/zoe4.jpg
/zoe5.jpg
/zoe6.jpg

HEAD checks confirmed all six image paths returned HTTP/2 200, content-type: image/jpeg, and cache-control: public, max-age=86400.

Contact Page

[edit]

https://marcotrix.xyz/contact/index.html returned HTTP/2 200.

HTML:

<title>Contact</title>
...
<img
  class="cutecatracing"
  src="../mail.png"
  alt="mail at marcotrix dot xyz"
/>

Likely contact address exposed in machine-readable alt text:

mail@marcotrix.xyz

Robots, Sitemap, Security.txt, and Favicon

[edit]

These returned 404 with body Not found:

mail.marcotrix.xyz

[edit]

HTTP redirects to HTTPS.

HTTPS:

HTTP/2 502
server: Caddy
content-length: 0

Interpretation:

  • Caddy has a configured HTTPS site for mail.marcotrix.xyz.
  • The upstream behind it is unavailable, misconfigured, or refusing connections.

jellyfin.marcotrix.xyz

[edit]

HTTPS root:

HTTP/2 302
location: web/
server: Kestrel
via: 1.1 Caddy

https://jellyfin.marcotrix.xyz/web/ returns the Jellyfin web application:

<meta name="application-name" content="Jellyfin">
<meta name="robots" content="noindex, nofollow, noarchive">
<title>Jellyfin</title>

Public Jellyfin metadata endpoint:

https://jellyfin.marcotrix.xyz/System/Info/Public

Returned:

{
  "LocalAddress": "http://172.20.0.3:8096",
  "ServerName": "marcoserver",
  "Version": "10.11.6",
  "ProductName": "Jellyfin Server",
  "OperatingSystem": "",
  "Id": "5b94a56e8601405d8a399c3960d5c546",
  "StartupWizardCompleted": true
}

Interpretation:

  • Jellyfin is exposed through Caddy.
  • The public endpoint reveals version, server name, private backend address, instance ID, and that setup is complete.
  • This is normal for Jellyfin's public info endpoint, but still useful inventory for an attacker.

drive.marcotrix.xyz

[edit]

HTTPS root:

HTTP/2 200
cache-control: no-store, max-age=0
content-type: text/plain; charset=utf-8
vary: Origin, PW, Cookie
via: 1.1 Caddy
content-length: 38

Body:

howdy stranger (you're not logged in)

Nmap HTTP title:

copyparty @ vps-b2134b59-vps-ovh-net

With an explicit Origin header:

access-control-allow-headers: Range
access-control-allow-methods: GET, HEAD
access-control-allow-origin: *
cache-control: no-store, max-age=0
vary: Origin, PW, Cookie

Interpretation:

  • drive.marcotrix.xyz appears to be a copyparty instance.
  • Anonymous users receive a not-logged-in message.
  • CORS allows all origins for GET/HEAD/range-style access.

money.marcotrix.xyz

[edit]

DNS resolves and HTTP redirects to HTTPS:

HTTP/1.1 308 Permanent Redirect
Location: https://money.marcotrix.xyz/
Server: Caddy

HTTPS failed from this vantage point:

TLS connect error: tlsv1 alert internal error

Interpretation:

  • The hostname likely has an incomplete or broken Caddy/TLS/backend configuration.

TLS Findings

[edit]

Nmap ssl-enum-ciphers was run only for live HTTPS hostnames:

  • marcotrix.xyz
  • mail.marcotrix.xyz
  • jellyfin.marcotrix.xyz
  • drive.marcotrix.xyz

All four showed TLS 1.2 and TLS 1.3 with A-rated cipher suites.

TLS 1.2:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A

TLS 1.3:

TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A

Nmap reported:

least strength: A

Manual openssl checks against the apex verified TLS 1.2 and TLS 1.3 negotiation.

HSTS was not configured on tested HTTPS names:

Strict_Transport_Security:
  HSTS not configured in HTTPS Server

Targeted Service Checks

[edit]

Important scope note:

  • A full TCP port sweep was not performed because the domain was not verified.
  • The checks below targeted ports already identified by Shodan InternetDB or by DNS/mail service evidence.

Shodan InternetDB for 57.131.38.220:

{
  "cpes": [
    "cpe:/a:caddyserver:caddy",
    "cpe:/a:golang:go",
    "cpe:/a:ntp:ntp:4"
  ],
  "hostnames": ["mail.marcotrix.xyz"],
  "ip": "57.131.38.220",
  "ports": [80, 123, 143, 443, 465, 587, 993, 5201],
  "tags": ["starttls"],
  "vulns": []
}

Targeted nmap TCP check:

PORT     STATE  SERVICE    VERSION
80/tcp   open   http       Caddy httpd
123/tcp  closed ntp
143/tcp  closed imap
443/tcp  open   ssl/https?
465/tcp  closed smtps
587/tcp  closed submission
993/tcp  closed imaps
5201/tcp open   iperf3

Targeted mail-port check:

25/tcp  filtered smtp
110/tcp closed   pop3
143/tcp closed   imap
465/tcp closed   smtps
587/tcp closed   submission
993/tcp closed   imaps
995/tcp closed   pop3s

Targeted UDP check:

123/udp open ntp NTP v4 (secondary server)

Interpretation:

  • Inbound mail to the advertised MX may not be reachable from this vantage point (25/tcp filtered; submission/IMAP closed).
  • 5201/tcp is open as iperf3, which is typically a network performance testing service.
  • 123/udp is open as NTP v4.

File Mirror and Asset Metadata

[edit]

Shallow mirror command:

wget -r -l 1 -np -E -k -p --restrict-file-names=windows -D marcotrix.xyz --no-verbose --directory-prefix=/root/recon-marcotrix-xyz/wget https://marcotrix.xyz/

Result:

Downloaded: 5 files, 2.7M

Mirrored files:

/root/recon-marcotrix-xyz/wget/marcotrix.xyz/index.html
/root/recon-marcotrix-xyz/wget/marcotrix.xyz/style.css
/root/recon-marcotrix-xyz/wget/marcotrix.xyz/zoe1.jpg
/root/recon-marcotrix-xyz/wget/marcotrix.xyz/contact/index.html
/root/recon-marcotrix-xyz/wget/marcotrix.xyz/mail.png

The shallow mirror only downloaded zoe1.jpg; the other image URLs are JavaScript-discovered and were checked with HEAD requests instead of bulk downloading.

File type summary:

index.html: HTML document, ASCII text
style.css: ASCII text
zoe1.jpg: JPEG image data, EXIF standard, 4032x2268
mail.png: PNG image data, 1833x207
contact/index.html: HTML document, ASCII text

ExifTool for zoe1.jpg:

FileType: JPEG
ImageWidth: 4032
ImageHeight: 2268
Orientation: Horizontal (normal)
ICC Profile DeviceManufacturer: Google
ICC ProfileDescription: sRGB IEC61966-2.1
ICC ProfileCopyright: Copyright (c) 2016 Google Inc.

No GPS metadata was observed in zoe1.jpg.

ExifTool for mail.png:

FileType: PNG
ImageWidth: 1833
ImageHeight: 207
ModifyDate: 2026:06:10 13:44:06

No GPS metadata was observed in mail.png.

SHA-256 hashes:

0ece9b584872c867e884a57082e297107cd78a2c397e3bbf0acce2ecbf82cf13  zoe1.jpg
37087ef2608573bce4b42250a9f6ff19d5563d75d2017b305884d57d2278828b  mail.png
cae0e7336bfce9829c4ba5a5acdab00028ea228bdc250b51c5e898e7ff4da064  style.css
bc1dc4dcc2b71c08cebb2ee9f5706e12b349465afd4648aba944a36d104fab6e  index.html
ff46b46ea05c84ccc812919ae47d3a9d41efe71c282a28b12f95e3f24e9506cd  contact/index.html

Web Archive and Public Indexing

[edit]

Wayback CDX returned current/historical captures from 2026-06-10:

20260610131934 https://marcotrix.xyz/                    200 text/html
20260610131945 https://marcotrix.xyz/contact.html        200 text/html
20260610131934 https://marcotrix.xyz/home-placeholder.svg 200 image/svg+xml
20260610131945 https://marcotrix.xyz/mail.png            200 image/png
20260610131934 https://marcotrix.xyz/style.css           200 text/css

URLScan query for domain:marcotrix.xyz returned no results.

Public web search results were sparse. The notable indexed/public association was the Atproto/Bluesky handle use of marcotrix.xyz.

Security Observations and Remediation Ideas

[edit]

These are defensive observations based on public data only.

High Priority

[edit]

Review 5201/tcp iperf3 exposure

[edit]

Finding:

5201/tcp open iperf3

Why it matters:

  • iperf3 is normally for bandwidth testing, not a public application surface.
  • If left public, it can be abused for unwanted traffic generation or resource consumption.

Recommendation:

  • Close it if not in active use.
  • Restrict it to trusted source IPs if needed.

Confirm inbound mail behavior

[edit]

Finding:

  • MX points to mail.marcotrix.xyz.
  • mail.marcotrix.xyz resolves to 57.131.38.220.
  • 25/tcp was filtered from this vantage point.
  • IMAP/submission ports were closed.
  • https://mail.marcotrix.xyz/ returned 502.

Why it matters:

  • The domain advertises mail service but may not accept inbound mail.
  • DMARC report address is mail@marcotrix.xyz; if mail is broken, aggregate reports may not be received.

Recommendation:

  • Confirm intended mail architecture.
  • If self-hosting, ensure SMTP and mailbox services are intentionally reachable and hardened.
  • If not self-hosting, update MX/SPF/DMARC to match the actual provider.

Review Jellyfin public exposure

[edit]

Finding:

{
  "ServerName": "marcoserver",
  "Version": "10.11.6",
  "LocalAddress": "http://172.20.0.3:8096",
  "Id": "5b94a56e8601405d8a399c3960d5c546"
}

Why it matters:

  • Jellyfin version and instance metadata are publicly visible.
  • Media servers are common targets for credential attacks and known-version vulnerability checks.

Recommendation:

  • Keep Jellyfin current.
  • Require strong authentication.
  • Disable public signups if enabled.
  • Consider restricting access through VPN, SSO, or source allowlists.
  • Monitor authentication logs.

Medium Priority

[edit]

Add HSTS

[edit]

Finding:

  • HSTS was not configured on tested HTTPS names.

Recommendation:

Start conservatively:

Strict-Transport-Security: max-age=86400

Move to a long-lived policy after confirming all subdomains are HTTPS-ready:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Only use preload if all subdomains are intended to be permanently HTTPS-only.

Fix money.marcotrix.xyz TLS/backend configuration

[edit]

Finding:

  • HTTP redirects to HTTPS.
  • HTTPS fails with a TLS internal error.

Recommendation:

  • Check Caddy site block and certificate state for money.marcotrix.xyz.
  • Confirm backend availability.
  • Remove DNS/cert automation for the hostname if unused.

Harden email DNS

[edit]

Current:

SPF:   v=spf1 mx ~all
DMARC: v=DMARC1; p=none; rua=mailto:mail@marcotrix.xyz

Recommendations:

  • Move SPF from softfail to hardfail once valid senders are known:
v=spf1 mx -all
  • Move DMARC from monitoring to enforcement after reports are clean:
v=DMARC1; p=quarantine; rua=mailto:...
v=DMARC1; p=reject; rua=mailto:...
  • Add MTA-STS and TLS-RPT if receiving mail:
_mta-sts.marcotrix.xyz TXT "v=STSv1; id=YYYYMMDD01"
_smtp._tls.marcotrix.xyz TXT "v=TLSRPTv1; rua=mailto:tlsrpt@marcotrix.xyz"

Add CAA

[edit]

Finding:

  • No CAA record was observed.

Recommendation:

If Let's Encrypt is the only intended CA:

marcotrix.xyz. CAA 0 issue "letsencrypt.org"
marcotrix.xyz. CAA 0 issuewild ";"

Adjust this if other CAs are intentionally used.

Consider DNSSEC

[edit]

Finding:

  • RDAP reports DNSSEC unsigned.

Recommendation:

  • Enable DNSSEC at the DNS provider if operationally comfortable.

Low Priority / Hygiene

[edit]

Add security.txt

[edit]

Finding:

  • /.well-known/security.txt returned 404.

Recommendation:

Add a basic security contact if the owner wants coordinated reports:

Contact: mailto:mail@marcotrix.xyz
Preferred-Languages: en
Canonical: https://marcotrix.xyz/.well-known/security.txt

Add or intentionally omit robots.txt and sitemap.xml

[edit]

Finding:

  • Both returned 404.

This is not inherently a vulnerability. Add them only if useful for indexing control.

Strip unnecessary image metadata

[edit]

No GPS metadata was observed, but stripping metadata from public images is still a reasonable default publishing step.

Artifact Inventory

[edit]

Top-level files:

/root/recon-marcotrix-xyz/favicon.ico                     9 bytes
/root/recon-marcotrix-xyz/nmap-http-scripts.txt           2397 bytes
/root/recon-marcotrix-xyz/nmap-mail-targeted.txt          collected targeted mail scan
/root/recon-marcotrix-xyz/nmap-ssl-enum.txt               3297 bytes
/root/recon-marcotrix-xyz/nmap-targeted-passive-ports.txt 709 bytes
/root/recon-marcotrix-xyz/nmap-udp-123.txt                508 bytes
/root/recon-marcotrix-xyz/robots.txt                      9 bytes
/root/recon-marcotrix-xyz/root-http.html                  0 bytes
/root/recon-marcotrix-xyz/root-https.html                 1155 bytes
/root/recon-marcotrix-xyz/security.txt                    9 bytes
/root/recon-marcotrix-xyz/sitemap.xml                     9 bytes
/root/recon-marcotrix-xyz/wget/                           shallow mirror

Directory size:

/root/recon-marcotrix-xyz: 2.8M

Representative Commands Used

[edit]
dig marcotrix.xyz A marcotrix.xyz AAAA marcotrix.xyz NS marcotrix.xyz SOA marcotrix.xyz MX marcotrix.xyz TXT marcotrix.xyz CAA +noall +answer
whois marcotrix.xyz
whois 57.131.38.220
dig +short -x 57.131.38.220

curl -sS -D - -o /root/recon-marcotrix-xyz/root-http.html http://marcotrix.xyz/
curl -sS -D - -o /root/recon-marcotrix-xyz/root-https.html https://marcotrix.xyz/
curl -sS -D - -o /root/recon-marcotrix-xyz/robots.txt https://marcotrix.xyz/robots.txt
curl -sS -D - -o /root/recon-marcotrix-xyz/sitemap.xml https://marcotrix.xyz/sitemap.xml
curl -sS -D - -o /root/recon-marcotrix-xyz/security.txt https://marcotrix.xyz/.well-known/security.txt

curl -sS 'https://crt.sh/?q=%25.marcotrix.xyz&output=json'
curl -sS 'https://internetdb.shodan.io/57.131.38.220'
curl -sS 'https://rdap.centralnic.com/xyz/domain/marcotrix.xyz'
curl -sS 'https://stat.ripe.net/data/prefix-overview/data.json?resource=57.131.38.220'
curl -sS -L 'https://web.archive.org/cdx?url=marcotrix.xyz/*&output=json&fl=timestamp,original,statuscode,mimetype,digest&collapse=urlkey&filter=statuscode:200'

wget -r -l 1 -np -E -k -p --restrict-file-names=windows -D marcotrix.xyz --no-verbose --directory-prefix=/root/recon-marcotrix-xyz/wget https://marcotrix.xyz/

nmap -Pn -sT -sV --version-light -p80,123,143,443,465,587,993,5201 57.131.38.220 -oN /root/recon-marcotrix-xyz/nmap-targeted-passive-ports.txt
nmap -Pn -sT -sV --version-light -p25,110,143,465,587,993,995 57.131.38.220 -oN /root/recon-marcotrix-xyz/nmap-mail-targeted.txt
nmap -Pn -sU -sV --version-light -p123 57.131.38.220 -oN /root/recon-marcotrix-xyz/nmap-udp-123.txt
nmap -Pn -p443 --script ssl-enum-ciphers marcotrix.xyz mail.marcotrix.xyz jellyfin.marcotrix.xyz drive.marcotrix.xyz -oN /root/recon-marcotrix-xyz/nmap-ssl-enum.txt
nmap -Pn -p80,443 --script http-title,http-server-header,http-security-headers marcotrix.xyz mail.marcotrix.xyz jellyfin.marcotrix.xyz drive.marcotrix.xyz -oN /root/recon-marcotrix-xyz/nmap-http-scripts.txt

curl -sS https://jellyfin.marcotrix.xyz/System/Info/Public
curl -sS https://bsky.social/xrpc/com.atproto.identity.resolveHandle?handle=marcotrix.xyz
curl -sS https://plc.directory/did:plc:rs545j57yaqct4qmp7c4aymc

exiftool -a -G1 -s /root/recon-marcotrix-xyz/wget/marcotrix.xyz/zoe1.jpg /root/recon-marcotrix-xyz/wget/marcotrix.xyz/mail.png
sha256sum /root/recon-marcotrix-xyz/wget/marcotrix.xyz/zoe1.jpg /root/recon-marcotrix-xyz/wget/marcotrix.xyz/mail.png /root/recon-marcotrix-xyz/wget/marcotrix.xyz/style.css /root/recon-marcotrix-xyz/wget/marcotrix.xyz/index.html /root/recon-marcotrix-xyz/wget/marcotrix.xyz/contact/index.html

Appendix: Raw Targeted Nmap Output

[edit]

Passive-Port Targeted TCP Check

[edit]
# Nmap 7.95 scan initiated Thu Jul  9 18:18:23 2026 as: nmap -Pn -sT -sV --version-light -p80,123,143,443,465,587,993,5201 -oN /root/recon-marcotrix-xyz/nmap-targeted-passive-ports.txt 57.131.38.220
Nmap scan report for mail.marcotrix.xyz (57.131.38.220)
Host is up (0.011s latency).

PORT     STATE  SERVICE    VERSION
80/tcp   open   http       Caddy httpd
123/tcp  closed ntp
143/tcp  closed imap
443/tcp  open   ssl/https?
465/tcp  closed smtps
587/tcp  closed submission
993/tcp  closed imaps
5201/tcp open   iperf3

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul  9 18:18:29 2026 -- 1 IP address (1 host up) scanned in 6.35 seconds

Targeted Mail-Port Check

[edit]
# Nmap 7.95 scan initiated Thu Jul  9 18:19:37 2026 as: nmap -Pn -sT -sV --version-light -p25,110,143,465,587,993,995 -oN /root/recon-marcotrix-xyz/nmap-mail-targeted.txt 57.131.38.220
Nmap scan report for mail.marcotrix.xyz (57.131.38.220)
Host is up (0.010s latency).

PORT    STATE    SERVICE    VERSION
25/tcp  filtered smtp
110/tcp closed   pop3
143/tcp closed   imap
465/tcp closed   smtps
587/tcp closed   submission
993/tcp closed   imaps
995/tcp closed   pop3s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul  9 18:19:38 2026 -- 1 IP address (1 host up) scanned in 1.43 seconds

Targeted UDP NTP Check

[edit]
# Nmap 7.95 scan initiated Thu Jul  9 18:18:51 2026 as: nmap -Pn -sU -sV --version-light -p123 -oN /root/recon-marcotrix-xyz/nmap-udp-123.txt 57.131.38.220
Nmap scan report for mail.marcotrix.xyz (57.131.38.220)
Host is up (0.010s latency).

PORT    STATE SERVICE VERSION
123/udp open  ntp     NTP v4 (secondary server)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul  9 18:18:51 2026 -- 1 IP address (1 host up) scanned in 0.29 seconds