430.ch Reconnaissance Report
430.ch Reconnaissance Report
[edit]Report date: 2026-07-09 UTC
Target: 430.ch
Requester: site owner
Operator: Codex in /root
Primary artifact directory: /root/recon-430ch
Scope and Approach
[edit]This was a non-intrusive public reconnaissance pass. The work intentionally stayed within:
- DNS, WHOIS, RDAP, certificate transparency, and public web/archive lookups.
- Normal HTTP(S) requests to publicly reachable pages.
- A same-domain recursive
wgetmirror of linked and explicitly known public paths. - Nmap service discovery and full TCP port scans against resolved target hosts.
- Local metadata inspection of files downloaded from the public site.
This did not include:
- Authentication attempts.
- Password guessing.
- Exploit scripts or vulnerability exploitation.
- Web fuzzing, directory brute force, or high-rate scanning.
- Attempts to bypass MediaWiki access controls.
- Writes to the site or MediaWiki API.
Tools installed for the recon:
dnsutilswhoisnmaptraceroutejqnetcat-openbsdlibimage-exiftool-perl
Tools already present and used:
curlwgetopensslhostpython3
Executive Summary
[edit]430.ch is hosted on Infomaniak infrastructure and uses Infomaniak for registrar/DNS. The apex site is a small Caddy-served static site with a public image directory under /m/ and a public contact page. Mail is delegated to Migadu.
The currently live externally visible surface consists of:
- Apex/static host:
430.ch,staging.430.ch, andwiki.430.chon83.228.241.21/2001:1600:18:102::167. - Separate
ov.430.chhost on83.228.241.25/2001:1600:18:102::26f. - HTTPS on all live hostnames, backed by Caddy.
ov.430.chandwiki.430.chare MediaWiki installations behind Caddy and Apache.- SSH exposed on both discovered hosts.
ov.430.chexposes additional ports:5355/tcp,6567/tcp, and8080/tcpon IPv6.
Most notable owner-action items:
5355/tcpis open onov.430.ch. This is unusual on the public Internet because port 5355 is normally associated with LLMNR. Close or restrict it unless there is a deliberate use.8080/tcpis open on IPv6 forov.430.chand exposes Apache/MediaWiki directly. It is filtered on IPv4. If this is meant to be only a backend listener behind Caddy, bind it to loopback or firewall it on IPv6.6567/tcpis open onov.430.ch, and6567/udpisopen|filtered. This matches the common Mindustry game-server port. Confirm whether it is intentional.- HSTS is not configured on the HTTPS services.
- The apex CORS policy is broad: it reflects arbitrary
Originand setsAccess-Control-Allow-Credentials: true. The current root site is static, so impact is limited, but the policy is unnecessarily permissive if not intentional. - Mail DNS is mostly reasonable but could be improved with CAA, MTA-STS, and TLS-RPT.
ov.430.chexposes public MediaWiki site information, users, rights changes, versions, and extension metadata. That may be acceptable for a public wiki, but it is worth reviewing.
Public Registration and Hosting
[edit]Domain
[edit]WHOIS/RDAP showed:
- Domain:
430.ch - Registrar: Infomaniak Network SA
- Registrar address in RDAP/WHOIS: Rue Eugene-Marziano 25, CH-1227 Les Acacias, Switzerland
- First registration date:
2006-08-23 - Status: active
- DNSSEC: enabled / delegated signed
- Nameservers:
ns11.infomaniak.ch/93.88.255.151ns12.infomaniak.ch/93.88.255.152
RDAP source used:
IP Allocation
[edit]WHOIS for 83.228.241.21 showed:
- Range:
83.228.240.0 - 83.228.247.255 - Netname:
INFOMANIAK-CLOUD - Country: CH
- Organization role: Infomaniak Network SA
- Abuse contact:
abuse@infomaniak.ch - Route:
83.228.241.0/24 - Origin AS:
AS29222
RIPEstat aligned the queried IPv4 to:
- Announced prefix:
83.228.192.0/18 - ASN:
AS29222 - Holder:
Infomaniak-AS Infomaniak Network SA
RIPEstat source used:
Reverse DNS:
83.228.241.21->430.ch.- Nmap/Shodan InternetDB additionally associated:
83.228.241.21withov-7fb696.infomaniak.ch83.228.241.25withov-9520b2.infomaniak.ch
DNS Findings
[edit]Apex DNS
[edit]Observed DNS records:
430.ch. A 83.228.241.21 430.ch. AAAA 2001:1600:18:102::167 430.ch. NS ns11.infomaniak.ch. 430.ch. NS ns12.infomaniak.ch. 430.ch. SOA ns11.infomaniak.ch. hostmaster.infomaniak.ch. 2026070901 10800 3600 605800 3600 430.ch. MX 10 aspmx1.migadu.com. 430.ch. MX 20 aspmx2.migadu.com. 430.ch. TXT "v=spf1 include:spf.migadu.com -all" 430.ch. TXT "hosted-email-verify=rr8nx23r"
DNSSEC material observed:
430.ch. DNSKEY 257 3 13 jEm3bqIc72OUI4WxLeIbjruJjSEsc7+1+owlZ7nNA0TQQXM48U6QmFEC d5NBgwCpbw4CD/NO0Eb8CHYwjULKVg== 430.ch. DNSKEY 256 3 13 ytZkmQTTXPEwaXQAsxneIoPYayM4WAdxJ6rR2N411+PptsaPPyDSYSCw WzLI1lYAXdrPWBQ9yjgiBsskkPbBOQ== 430.ch. DS 7440 13 2 5A7F7CC05DE155C279B8F23093633694415BAABACA92F4B93D7C514C DB9F10B4
Mail-Related DNS
[edit]Observed:
_dmarc.430.ch TXT "v=DMARC1; p=quarantine;" autoconfig.430.ch CNAME autoconfig.migadu.com. autoconfig.migadu.com A 141.94.97.141 autoconfig.migadu.com AAAA 2001:41d0:403:488d::
Not found:
_mta-sts.430.ch TXT_smtp._tls.430.ch TXTmta-sts.430.chmail.430.chsmtp.430.chimap.430.chautodiscover.430.chCAAat the apex
Interpretation:
- SPF is strict because of
-all. - DMARC is present but not at the strictest enforcement level (
quarantine, notreject). - MTA-STS and TLS-RPT are not configured.
- No CAA means any publicly trusted CA can issue for the domain, subject to normal CA validation.
Zone Transfer
[edit]AXFR was attempted against both authoritative nameservers:
dig AXFR 430.ch @ns11.infomaniak.ch dig AXFR 430.ch @ns12.infomaniak.ch
Result:
Transfer failed.
This is the desired behavior.
Certificate Transparency and Subdomains
[edit]Certificate transparency lookup through crt.sh exposed these names:
Current or recent:
430.chstaging.430.chov.430.chwiki.430.ch
Historical or not currently resolving during testing:
www.430.chcsgo.430.ch2ca.430.ch- Historical wildcard certificate entries for
*.430.ch
Observed CT entries of interest:
staging.430.ch Issuer: Let's Encrypt YE2 not_before: 2026-07-09T15:11:48 not_after: 2026-10-07T15:11:47 ov.430.ch Issuer: Let's Encrypt YE1 not_before: 2026-07-03T20:43:41 not_after: 2026-10-01T20:43:40 wiki.430.ch Issuer: Let's Encrypt YE1 not_before: 2026-07-03T14:41:56 not_after: 2026-10-01T14:41:55 430.ch Issuer: ZeroSSL ECC DV SSL CA 2 not_before: 2026-06-19T00:00:00 not_after: 2026-09-17T23:59:59
Current DNS resolution during testing:
430.ch A: 83.228.241.21 AAAA: 2001:1600:18:102::167 staging.430.ch CNAME-style answer via 430.ch A: 83.228.241.21 AAAA: 2001:1600:18:102::167 wiki.430.ch CNAME-style answer via 430.ch A: 83.228.241.21 AAAA: 2001:1600:18:102::167 ov.430.ch A: 83.228.241.25 AAAA: 2001:1600:18:102::26f www.430.ch No resolution during testing csgo.430.ch No resolution during testing 2ca.430.ch No resolution during testing
Source used:
HTTP and HTTPS Findings
[edit]Apex HTTP
[edit]HTTP/1.1 308 Permanent Redirect Location: https://430.ch/ Server: Caddy Content-Length: 0
Apex HTTPS
[edit]HTTP/2 200 accept-ranges: bytes access-control-allow-credentials: true access-control-allow-origin: access-control-expose-headers: * alt-svc: h3=":443"; ma=2592000 content-type: text/html; charset=utf-8 etag: "thv7n5xd" last-modified: Wed, 08 Jul 2026 16:40:17 GMT server: Caddy vary: Origin content-length: 1201
With an explicit origin header:
curl -H 'Origin: https://example.com' https://430.ch/ access-control-allow-credentials: true access-control-allow-origin: https://example.com access-control-expose-headers: * vary: Origin
Interpretation:
- The server reflects arbitrary origins and allows credentials.
- Current content is static, so the practical risk is limited today.
- This is still broader than necessary unless cross-origin credentialed reads are deliberately needed.
Root Page Content
[edit]The root HTML:
- Has title
430.ch. - Uses inline CSS.
- Displays an image with id
bopis. - The image source is selected by JavaScript from
/m/1.webpthrough/m/6.webp. - Changes the image every 10 seconds.
- Links:
/m//contact-us/https://noctron.ch/https://aivaras.xyz/
Relevant source excerpt:
<a href="/m/"> <img id="bopis"> </a>
<p>
<s>©</s> 430.ch | <a href="/contact-us/">Contact Us</a> | See also: <a href="https://noctron.ch/">noctron.ch</a>, <a href="https://aivaras.xyz/">aivaras.xyz</a>
</p>
<script type="text/javascript">
var photos = ["1.webp", "2.webp", "3.webp", "4.webp", "5.webp", "6.webp"];
...
document.getElementById("bopis").src = "/m/" + photos[i];
</script>
Robots, Sitemap, and Well-Known Files
[edit]User-agent: * Allow: /
Not present:
https://430.ch/sitemap.xmlreturned404.https://430.ch/.well-known/security.txtreturned404.- Historical Web Archive entries existed for various
.well-knownpaths, but current live checks returned404.
Current live checks returning 404:
/.well-known/ai-plugin.json/.well-known/dnt-policy.txt/.well-known/gpc.json/.well-known/nodeinfo/.well-known/openid-configuration/ads.txt/app-ads.txt/info//search/
Missing Stylesheet
[edit]Several pages reference:
https://430.ch/style.css
Current result:
HTTP/2 404 server: Caddy content-length: 0
Impact:
- Cosmetic / hygiene issue.
- It may produce avoidable browser console noise.
/m/ Directory
[edit]https://430.ch/m/ is a public Caddy directory listing.
Files discovered:
1.webp 218 KiB 2.webp 119 KiB 3.webp 112 KiB 4.webp 349 KiB 5.webp 173 KiB 6.webp 290 KiB
The directory index includes sortable Caddy listing links:
?sort=namedirfirst&order=desc ?sort=name&order=asc ?sort=size&order=asc ?sort=time&order=asc ?sort=namedirfirst&order=asc ?sort=name&order=desc ?sort=size&order=desc ?sort=time&order=desc
The mirrored copies are stored in:
/root/recon-430ch/wget/430.ch/m/
/contact-us/
[edit]https://430.ch/contact-us/ is a small static page.
HTML:
<!DOCTYPE html>
<html> <head>
<title>Contact Us</title>
<link rel="stylesheet" href="https://430.ch/style.css">
</head> <body>
<center>
<img src="1.png" alt="meighl at four hundred and thirty dot ch">
</center>
</body> </html>
The image alt text exposes a likely contact address:
meighl@430.ch
This is already public in machine-readable HTML despite being visually represented by an image.
Linked External Domains
[edit]The root page links noctron.ch and aivaras.xyz.
Both resolved to the same host as the apex:
noctron.ch A: 83.228.241.21 AAAA: 2001:1600:18:102::167 aivaras.xyz A: 83.228.241.21 AAAA: 2001:1600:18:102::167
<title>noctron.ch</title> <link rel="stylesheet" href="https://430.ch/style.css"> ... <a href="https://noctron.ch/">noctron.ch</a> → <a href="https://430.ch/">430.ch</a>
<title>aivaras.xyz</title> <link rel="stylesheet" href="https://430.ch/style.css"> ... <a href="https://aivaras.xyz/">aivaras.xyz</a> → <a href="https://430.ch/">430.ch</a>
Both also reference the missing https://430.ch/style.css.
Hostname-Specific Behavior
[edit]staging.430.ch
[edit]Resolution:
staging.430.ch -> 430.ch -> 83.228.241.21 / 2001:1600:18:102::167
HTTP:
HTTP/1.1 308 Permanent Redirect Location: https://staging.430.ch/ Server: Caddy
HTTPS:
HTTP/2 200 server: Caddy content-type: text/html; charset=utf-8 content-length: 61 last-modified: Thu, 09 Jul 2026 16:13:09 GMT
Body:
<meta http-equiv="refresh" content="0; url=https://430.ch/">
Interpretation:
- This is live and public.
- It is a simple redirect-by-meta-refresh rather than an HTTP redirect.
wiki.430.ch
[edit]Resolution:
wiki.430.ch -> 430.ch -> 83.228.241.21 / 2001:1600:18:102::167
HTTP:
HTTP/1.1 308 Permanent Redirect Location: https://wiki.430.ch/ Server: Caddy
HTTPS headers:
HTTP/2 200 server: Caddy server: Apache/2.4.67 (Debian) content-type: text/html; charset=UTF-8 cache-control: no-cache, no-store, max-age=0, must-revalidate expires: Thu, 01 Jan 1970 00:00:00 GMT x-content-type-options: nosniff x-frame-options: DENY x-powered-by: PHP/8.3.32
Page:
- Title:
Login required - Aivaropedia - Generator meta tag:
MediaWiki 1.46.0 - Site name:
Aivaropedia - Anonymous page body:
Please log in to view other pages. - Search UI is visible.
- Login link is visible.
- Atom feed link for
Special:RecentChangesis advertised in HTML.
API read attempt:
{
"error": {
"code": "readapidenied",
"info": "You need read permission to use this module.",
"*": "See https://wiki.430.ch/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/> for notice of API deprecations and breaking changes."
}
}
Interpretation:
- Read access is denied via the API, which is consistent with a private wiki.
- Some platform information is still exposed in HTML and headers:
- MediaWiki 1.46.0
- PHP 8.3.32
- Apache 2.4.67 (Debian)
X-Frame-Options: DENYandX-Content-Type-Options: nosniffare present.- HSTS is not configured.
ov.430.ch
[edit]Resolution:
ov.430.ch A 83.228.241.25 ov.430.ch AAAA 2001:1600:18:102::26f
HTTP:
HTTP/1.1 308 Permanent Redirect Location: https://ov.430.ch/ Server: Caddy
HTTPS:
HTTP/2 301 location: https://ov.430.ch/index.php/Main_Page server: Caddy server: Apache/2.4.67 (Debian) x-content-type-options: nosniff x-powered-by: PHP/8.3.32
After redirect:
- Page title:
Marcopedia - Main page:
Main Page - Generator meta tag:
MediaWiki 1.46.0 - Default content:
MediaWiki has been installed. - The page is probably editable for anonymous users according to
RLCONF:wgIsProbablyEditable: truewgRelevantPageIsProbablyEditable: truewgRestrictionEdit: []wgRestrictionMove: []
- Personal tools include:
- Create account
- Log in
- Anonymous talk/contributions links
Important note:
- I did not try to edit, create an account, or write through the API.
- The editability observation is based on public MediaWiki page configuration and UI, not a write attempt.
MediaWiki ov.430.ch API Findings
[edit]Public siteinfo endpoint:
https://ov.430.ch/api.php?action=query&meta=siteinfo&siprop=general|namespaces|statistics|extensions|skins&format=json
General:
mainpage: Main Page base: https://ov.430.ch/index.php/Main_Page sitename: Marcopedia generator: MediaWiki 1.46.0 phpversion: 8.3.32 phpsapi: apache2handler dbtype: mysql dbversion: 12.3.2-MariaDB-ubu2404 lang: en timezone: UTC articlepath: /index.php/$1 scriptpath: script: /index.php server: https://ov.430.ch servername: ov.430.ch wikiid: my_wiki maxuploadsize: 104857600
Statistics:
pages: 1 articles: 0 edits: 1 images: 0 users: 2 activeusers: 1 admins: 2 jobs: 0
Skins:
MinervaNeue MonoBook Timeless 0.9.1 Vector 1.0.0 Vector legacy (2010) default
Extension:
MediaWikiChat version: 2.25.0 author: Adam Carter/UltrasonicNXT vcs-version: f19bf98d07cdeeaefcceab81dcdd407b039d4451 vcs-date: 2026-06-15T08:20:07Z
Public allusers query:
{
"userid": 3,
"name": "Aivaras",
"editcount": 1,
"registration": "2026-07-03T22:32:35Z",
"groups": ["*", "user", "autoconfirmed", "bot", "bureaucrat", "interface-admin", "suppress", "sysop"]
}
{
"userid": 2,
"name": "Marco",
"editcount": 0,
"registration": "2026-07-03T21:39:57Z",
"groups": ["*", "user", "autoconfirmed", "bureaucrat", "interface-admin", "sysop"]
}
{
"userid": 1,
"name": "MediaWiki default",
"editcount": 0,
"registration": "2026-07-03T21:39:57Z",
"groups": ["*", "user", "autoconfirmed"]
}
Recent changes:
2026-07-04T10:35:06Z type: new title: Marco user: Aivaras comment: Created blank page 2026-07-03T22:35:07Z type: log title: User:Aivaras user: Marco 2026-07-03T22:34:31Z type: log title: User:Aivaras user: Marco 2026-07-03T22:34:11Z type: log title: User:Aivaras user: Marco 2026-07-03T22:32:35Z type: log title: User:Aivaras user: Aivaras
Log events:
2026-07-04T10:35:06Z create: Marco user: Aivaras comment: Created blank page 2026-07-03T22:35:07Z rights change for User:Aivaras user: Marco oldgroups: bureaucrat, sysop newgroups: bot, bureaucrat, interface-admin, suppress, sysop 2026-07-03T22:34:31Z rights change for User:Aivaras user: Marco oldgroups: sysop newgroups: bureaucrat, sysop 2026-07-03T22:34:11Z rights change for User:Aivaras user: Marco oldgroups: none newgroups: sysop 2026-07-03T22:32:35Z new user: Aivaras created by: Aivaras 2026-07-03T21:39:57Z create: Main Page user: MediaWiki default
Anonymous CSRF token request:
{"batchcomplete":"","query":{"tokens":{"csrftoken":"+\\"}}}
Interpretation:
- This is the normal anonymous no-permission token and does not indicate successful write capability.
- No write was attempted.
TLS Findings
[edit]Certificates
[edit]430.ch:
subject=CN=430.ch issuer=C=AT, O=ZeroSSL GmbH, CN=ZeroSSL ECC DV SSL CA 2 notBefore=Jun 19 00:00:00 2026 GMT notAfter=Sep 17 23:59:59 2026 GMT SAN: DNS:430.ch
ov.430.ch:
subject=CN=ov.430.ch issuer=C=US, O=Let's Encrypt, CN=YE1 notBefore=Jul 3 20:43:41 2026 GMT notAfter=Oct 1 20:43:40 2026 GMT SAN: DNS:ov.430.ch
wiki.430.ch:
subject=CN=wiki.430.ch issuer=C=US, O=Let's Encrypt, CN=YE1 notBefore=Jul 3 14:41:56 2026 GMT notAfter=Oct 1 14:41:55 2026 GMT SAN: DNS:wiki.430.ch
staging.430.ch:
subject=CN=staging.430.ch issuer=C=US, O=Let's Encrypt, CN=YE2 notBefore=Jul 9 15:11:48 2026 GMT notAfter=Oct 7 15:11:47 2026 GMT SAN: DNS:staging.430.ch
Protocols and Ciphers
[edit]Nmap ssl-enum-ciphers found TLS 1.2 and TLS 1.3 across 430.ch, ov.430.ch, wiki.430.ch, and staging.430.ch.
TLS 1.2 ciphers:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - A TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - A TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - A
TLS 1.3 ciphers:
TLS_AKE_WITH_AES_128_GCM_SHA256 - A TLS_AKE_WITH_AES_256_GCM_SHA384 - A TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 - A
Nmap reported:
least strength: A
Manual openssl s_client checks verified successful TLS 1.2 and TLS 1.3 negotiation. TLS 1.0/1.1 forced checks did not negotiate TLS 1.0/1.1.
HSTS
[edit]Nmap http-security-headers reported HSTS missing for:
430.chov.430.chwiki.430.chstaging.430.ch
Example:
Strict_Transport_Security: HSTS not configured in HTTPS Server
Recommendation:
Add HSTS after confirming all subdomains intended to use HTTPS are ready:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Use includeSubDomains and preload only if you are comfortable committing all subdomains to HTTPS.
Network Service Findings
[edit]Full TCP Scan Summary
[edit]IPv4 full TCP scan command:
nmap -Pn -sS -T3 -p- --max-retries 2 83.228.241.21 83.228.241.25 -oN /root/recon-430ch/nmap-ipv4-full.txt
IPv6 full TCP scan command:
nmap -Pn -6 -sT -T3 -p- --max-retries 2 2001:1600:18:102::167 2001:1600:18:102::26f -oN /root/recon-430ch/nmap-ipv6-full.txt
83.228.241.21 / 2001:1600:18:102::167:
22/tcp open ssh 80/tcp open http 443/tcp open https
IPv4 notes:
Not shown: 65532 filtered tcp ports (no-response)
IPv6 notes:
Not shown: 65532 filtered tcp ports (no-response)
83.228.241.25 / 2001:1600:18:102::26f:
IPv4:
22/tcp open ssh 80/tcp open http 443/tcp open https 5355/tcp open llmnr 6567/tcp open esp 8080/tcp filtered http-proxy
IPv6:
22/tcp open ssh 80/tcp open http 443/tcp open https 5355/tcp open llmnr 6567/tcp open esp 8080/tcp open http-proxy
Nmap labels for 5355, 6567, and 8080 should be interpreted carefully:
5355is conventionally LLMNR, but version probes did not complete with a more certain identification before being stopped.6567was labeledesp?by nmap because the response fingerprint was not recognized. The port number and behavior align with a likely game service, especially Mindustry.8080on IPv6 was confirmed by service detection as Apache HTTPD2.4.67 (Debian).
Top-Port Version Scan
[edit]Top-port version scan found:
430.ch host:
22/tcp open ssh OpenSSH 10.0p2 Debian 7+deb13u4 (protocol 2.0) 80/tcp open http Caddy httpd 443/tcp open ssl/https?
ov.430.ch host:
22/tcp open ssh OpenSSH 10.0p2 Debian 7+deb13u4 (protocol 2.0) 80/tcp open http Caddy httpd 443/tcp open ssl/https? 6567/tcp open esp? 8080/tcp filtered http-proxy (IPv4) 8080/tcp open http Apache httpd 2.4.67 ((Debian)) (IPv6)
Port 8080 on ov.430.ch
[edit]IPv6 direct request:
curl -g -D - -o /dev/null 'http://[2001:1600:18:102::26f]:8080/'
Result:
HTTP/1.1 301 Moved Permanently Server: Apache/2.4.67 (Debian) X-Powered-By: PHP/8.3.32 X-Content-Type-Options: nosniff Vary: Accept-Encoding,Cookie Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: private, must-revalidate, max-age=0 Location: https://ov.430.ch/index.php/Main_Page Content-Type: text/html; charset=UTF-8
Same result with Host: ov.430.ch.
Interpretation:
- Apache/PHP/MediaWiki is directly reachable over IPv6 on port 8080.
- On IPv4, nmap saw
8080/tcpasfiltered. - If Caddy is supposed to be the only public HTTP entry point, this is a firewall/bind-address mismatch.
Port 6567 on ov.430.ch
[edit]TCP version probes returned an unrecognized 8-byte binary response pattern on many payloads:
\0\x06\xfe\x04...
Nmap labeled it:
6567/tcp open esp?
Targeted UDP checks:
6567/udp open|filtered esp 27015/udp closed halflife (on ov) 27016/udp closed unknown (on ov)
On the main host, UDP checks for the small selected set were inconclusive:
6567/udp open|filtered 27015/udp open|filtered 27016/udp open|filtered
Interpretation:
6567is the common/default Mindustry server port.- Public Mindustry server docs say to allow port
6567TCP and UDP for server hosting. - This does not prove Mindustry, but it is a strong hypothesis.
Reference used:
Port 5355 on ov.430.ch
[edit]Full TCP scan found:
5355/tcp open llmnr
This appeared on both IPv4 and IPv6 for the ov.430.ch host.
Targeted UDP checks returned:
5355/udp open|filtered llmnr
The version probes against TCP 5355 ran longer than useful and were stopped. No additional service fingerprint was collected.
Interpretation:
- Port 5355 is normally Link-Local Multicast Name Resolution (LLMNR).
- LLMNR is not normally useful on the public Internet.
- If this is truly LLMNR, it should not be exposed externally.
- If it is another custom service on port 5355, it should be documented and access-controlled.
SSH
[edit]Both hosts expose SSH:
OpenSSH 10.0p2 Debian 7+deb13u4 (protocol 2.0)
Recommendation:
- Keep password authentication disabled if possible.
- Restrict SSH by source IP or VPN if feasible.
- Ensure root login is disabled.
- Monitor auth logs.
No authentication attempts were made.
Shodan InternetDB
[edit]https://internetdb.shodan.io/83.228.241.21:
{
"cpes": ["cpe:/a:golang:go", "cpe:/a:caddyserver:caddy"],
"hostnames": ["ov-7fb696.infomaniak.ch"],
"ip": "83.228.241.21",
"ports": [80, 443],
"tags": [],
"vulns": []
}
https://internetdb.shodan.io/83.228.241.25:
{
"cpes": [
"cpe:/o:canonical:ubuntu_linux",
"cpe:/a:golang:go",
"cpe:/a:caddyserver:caddy",
"cpe:/a:openbsd:openssh:9.6p1"
],
"hostnames": ["ov-9520b2.infomaniak.ch"],
"ip": "83.228.241.25",
"ports": [22, 80, 443],
"tags": [],
"vulns": []
}
Note:
- Shodan InternetDB did not list the extra
5355,6567, or IPv68080findings found by direct nmap scanning. - InternetDB can be stale or incomplete.
Recursive Mirror
[edit]Command used for the apex:
wget -r -l inf -np -E -k -p --restrict-file-names=windows -D 430.ch --no-verbose --directory-prefix=/root/recon-430ch/wget https://430.ch/
Result:
Downloaded: 19 files, 1.5M
Mirrored files:
/root/recon-430ch/wget/430.ch/contact-us/1.png /root/recon-430ch/wget/430.ch/contact-us/index.html /root/recon-430ch/wget/430.ch/index.html /root/recon-430ch/wget/430.ch/m/1.webp /root/recon-430ch/wget/430.ch/m/2.webp /root/recon-430ch/wget/430.ch/m/3.webp /root/recon-430ch/wget/430.ch/m/4.webp /root/recon-430ch/wget/430.ch/m/5.webp /root/recon-430ch/wget/430.ch/m/6.webp /root/recon-430ch/wget/430.ch/m/index.html /root/recon-430ch/wget/430.ch/m/index.html@sort=name&order=asc.html /root/recon-430ch/wget/430.ch/m/index.html@sort=name&order=desc.html /root/recon-430ch/wget/430.ch/m/index.html@sort=namedirfirst&order=asc.html /root/recon-430ch/wget/430.ch/m/index.html@sort=namedirfirst&order=desc.html /root/recon-430ch/wget/430.ch/m/index.html@sort=size&order=asc.html /root/recon-430ch/wget/430.ch/m/index.html@sort=size&order=desc.html /root/recon-430ch/wget/430.ch/m/index.html@sort=time&order=asc.html /root/recon-430ch/wget/430.ch/m/index.html@sort=time&order=desc.html /root/recon-430ch/wget/430.ch/robots.txt
Explicit checks for paths seen in search results:
https://430.ch/f/ -> 404 https://430.ch/yagpab/ -> 404
The Google cache endpoint did not return usable cached copies of those paths during testing.
Image and File Metadata
[edit]File type summary:
1.webp: WebP, 3060x4080 2.webp: WebP, 1932x2576 3.webp: WebP, 1932x2576 4.webp: WebP, 3060x4080 5.webp: WebP, 3060x4080 6.webp: WebP, 4080x3060 contact-us/1.png: PNG, 1600x300
ExifTool findings:
The six WebP files contained basic file/image structure only:
- File type: WEBP
- Dimensions
- No EXIF camera metadata observed.
- No GPS metadata observed.
The contact PNG retained metadata:
FileType: PNG ImageSize: 1600x300 Software: GIMP 2.10.36 HistorySoftwareAgent: Gimp 2.10 (Linux) ModifyDate: 2026:05:09 13:07:27 MetadataDate: 2026:05:09T13:07:27+03:00 CreatorTool: GIMP 2.10 ProfileDescription: GIMP built-in sRGB ProfileCopyright: Public Domain Platform: Linux
No GPS metadata was observed in the contact PNG.
SHA-256 hashes of mirrored image assets:
fec1e3af9cc3ffd579f3f67d37933241f36bed186e4ac32efac7f1fdeae3dca8 /root/recon-430ch/wget/430.ch/m/1.webp f86238f5266c54361c9ef9741b66153442d94b77e6f6550d567bba4e5b6d5668 /root/recon-430ch/wget/430.ch/m/2.webp 47f96eac0bb93acc04e4fb2303c64a61a3f1b15a9995b325ff7146a12333e67f /root/recon-430ch/wget/430.ch/m/3.webp 369846fc54104174c392f27f80dfe08bd626a18cca5dbf31ef72cb24364389e5 /root/recon-430ch/wget/430.ch/m/4.webp 084b3cb17df8c773e2317668715d14f3211f4fca24ba292f026194c8a01d6a12 /root/recon-430ch/wget/430.ch/m/5.webp e140aadd64a2e73707536524356d44691aaf6a0713de0f22a1c91543e25e947e /root/recon-430ch/wget/430.ch/m/6.webp 93d431b374d4882a569931def5ba5937aedc1686f49f281253ad9297eb8f209d /root/recon-430ch/wget/430.ch/contact-us/1.png
Web Archive and Public Indexing
[edit]Wayback CDX lookup:
https://web.archive.org/cdx?url=430.ch/*&output=json&fl=timestamp,original,statuscode,mimetype,digest&collapse=urlkey&filter=statuscode:200
Returned historical entries including:
20191223004332 http://430.ch/ 200 text/html 20160729094455 http://430.ch/robots.txt 200 text/plain 20231028224700 https://430.ch/.well-known/ai-plugin.json 200 text/html 20231028195934 https://430.ch/.well-known/dnt-policy.txt 200 text/html 20231028201009 https://430.ch/.well-known/gpc.json 200 text/html 20231029001948 https://430.ch/.well-known/nodeinfo 200 text/html 20231028193612 https://430.ch/.well-known/openid-configuration 200 text/html 20231028203348 https://430.ch/.well-known/security.txt 200 text/html 20231028223110 https://430.ch/.well-known/trust.txt 200 text/html 20231028194249 https://430.ch/ads.txt 200 text/html 20231028205649 https://430.ch/app-ads.txt 200 text/html 20231029024555 https://430.ch/info/ 200 text/html 20231028200842 https://430.ch/parking.php4 200 text/html 20231028231335 https://430.ch/search/ 200 text/html 20231028204408 https://430.ch/sitemap.xml 200 text/html
Interpretation:
- Many 2023 entries look like parked/placeholder behavior rather than current content.
- Current live checks for those paths returned
404.
URLScan:
- Querying
domain:430.chreturned results fornoctron.ch, not direct430.chscans. - Querying
page.domain:"430.ch"returned no results.
Security Observations and Recommendations
[edit]High Priority
[edit]Close or restrict 5355/tcp on ov.430.ch
[edit]Finding:
5355/tcpis open on83.228.241.25and2001:1600:18:102::26f.- Nmap labels it
llmnr.
Why it matters:
- LLMNR is generally local-network-only functionality and should not be Internet-facing.
- If this is not LLMNR, an undocumented public service is still exposed.
Recommended action:
- Identify the listening process.
- If unintended, stop it and firewall
5355/tcpand likely5355/udp. - If intended, restrict source IPs and document it.
Example local triage commands on the server:
ss -ltnup | grep ':5355' systemctl status systemd-resolved
Restrict IPv6 8080/tcp on ov.430.ch
[edit]Finding:
8080/tcpis open on IPv6 but filtered on IPv4.- It exposes Apache/PHP/MediaWiki directly.
Why it matters:
- If Caddy is intended as the public reverse proxy, direct backend access can bypass proxy-layer controls, logging assumptions, rate limits, or header normalization.
- IPv6 firewall parity often gets missed.
Recommended action:
- Bind Apache backend only to loopback if it is only used by Caddy.
- Otherwise firewall
8080/tcpconsistently on IPv4 and IPv6.
Example local triage:
ss -ltnp | grep ':8080'
Confirm 6567/tcp and 6567/udp
[edit]Finding:
6567/tcpis open onov.430.ch.6567/udpisopen|filtered.- Port 6567 is commonly used by Mindustry.
Recommended action:
- Confirm whether this is intentional.
- If it is a game server, consider whether it should be public and whether it needs rate limits or firewall restrictions.
- If unused, close it.
Medium Priority
[edit]Add HSTS
[edit]Finding:
- HTTPS works well, but HSTS is not configured.
Recommended Caddy-style header:
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Use a shorter max-age first if you want a low-risk rollout:
Strict-Transport-Security "max-age=86400"
Tighten apex CORS
[edit]Finding:
430.chreflects arbitrary origins and allows credentials.
Recommended action:
- If static files do not need credentialed cross-origin access, remove credentialed CORS headers.
- If cross-origin reads are required, allowlist specific origins and avoid
Access-Control-Allow-Credentials: trueunless needed.
Review MediaWiki public exposure on ov.430.ch
[edit]Finding:
- Public API exposes version, PHP version, DB version, extension version, skins, users, groups, rights changes, and logs.
- UI appears to advertise account creation and probable editability.
Recommended action:
- Decide whether
ov.430.chis intentionally public. - If public, keep MediaWiki and extensions patched.
- If private, restrict anonymous read, API, account creation, and editing.
- Consider hiding detailed version headers where practical, recognizing that version hiding is defense-in-depth and not a substitute for patching.
Potential MediaWiki settings to review:
$wgGroupPermissions['*']['read'] $wgGroupPermissions['*']['edit'] $wgGroupPermissions['*']['createaccount'] $wgGroupPermissions['*']['writeapi'] $wgShowExceptionDetails
Add CAA records
[edit]Finding:
- No apex CAA record observed.
Recommended action:
If only Let's Encrypt and ZeroSSL should issue:
430.ch. CAA 0 issue "letsencrypt.org" 430.ch. CAA 0 issue "sectigo.com" 430.ch. CAA 0 issuewild ";"
Tune this based on actual CA usage. ZeroSSL chains to Sectigo in the observed certificate.
Add MTA-STS and TLS-RPT
[edit]Finding:
- No MTA-STS or TLS-RPT records observed.
Recommended action:
Publish:
_mta-sts.430.ch TXT "v=STSv1; id=YYYYMMDD01" _smtp._tls.430.ch TXT "v=TLSRPTv1; rua=mailto:tlsrpt@430.ch"
Serve an HTTPS policy at:
https://mta-sts.430.ch/.well-known/mta-sts.txt
Example policy:
version: STSv1 mode: testing mx: aspmx1.migadu.com mx: aspmx2.migadu.com max_age: 86400
Move from testing to enforce after confirming reports are clean.
Low Priority / Hygiene
[edit]Fix missing style.css
[edit]Finding:
- Several pages reference
https://430.ch/style.css, but it returns404.
Recommended action:
- Add the stylesheet or remove the references.
Add security.txt
[edit]Finding:
/.well-known/security.txtreturns404.
Recommended action:
Add a minimal file if you want a clear channel for reports:
Contact: mailto:meighl@430.ch Preferred-Languages: en Canonical: https://430.ch/.well-known/security.txt
Consider whether /m/ should be a directory listing
[edit]Finding:
/m/exposes a Caddy directory listing.
Recommended action:
- If intentional, no change needed.
- If not, disable browse/listing and link only specific images.
Remove unnecessary metadata from contact PNG
[edit]Finding:
- Contact PNG retains GIMP/XMP metadata.
Risk:
- Low. No GPS or sensitive camera metadata was found.
Recommended action:
- Strip metadata from public images as a standard publishing step.
Example:
exiftool -all= image.png
Artifact Inventory
[edit]Top-level files in /root/recon-430ch:
nmap-http-scripts.txt 3378 bytes nmap-ipv4-full.txt 796 bytes nmap-ipv4-top.txt 1653 bytes nmap-ipv6-full.txt 774 bytes nmap-ipv6-top.txt 1670 bytes nmap-ov-5355-ipv6.txt 0 bytes nmap-ov-5355.txt 0 bytes nmap-ov-ipv6-specific.txt 1040 bytes nmap-ov-specific.txt 2900 bytes nmap-ssl-enum.txt 3547 bytes nmap-udp-5355-ipv6.txt 709 bytes nmap-udp-5355.txt 669 bytes nmap-udp-game-ipv6.txt 873 bytes nmap-udp-game.txt 833 bytes robots.txt 23 bytes root-http.html 0 bytes root-https.html 1201 bytes security.txt 0 bytes sitemap.xml 0 bytes wget/ mirrored site
Directory size:
/root/recon-430ch: 1.6M
Commands Used
[edit]Representative command list:
apt-get update apt-get install -y dnsutils whois nmap traceroute jq netcat-openbsd ca-certificates apt-get install -y libimage-exiftool-perl dig 430.ch ANY dig 430.ch A 430.ch AAAA 430.ch NS 430.ch SOA 430.ch MX 430.ch TXT 430.ch CAA +noall +answer dig +short -x 83.228.241.21 whois 430.ch whois 83.228.241.21 dig AXFR 430.ch @ns11.infomaniak.ch dig AXFR 430.ch @ns12.infomaniak.ch dig 430.ch DNSKEY 430.ch DS +noall +answer curl -sS -D - -o /root/recon-430ch/root-http.html http://430.ch/ curl -sS -D - -o /root/recon-430ch/root-https.html https://430.ch/ curl -sS -D - -o /root/recon-430ch/robots.txt https://430.ch/robots.txt curl -sS -D - -o /root/recon-430ch/sitemap.xml https://430.ch/sitemap.xml curl -sS -D - -o /root/recon-430ch/security.txt https://430.ch/.well-known/security.txt openssl s_client -connect 430.ch:443 -servername 430.ch -showcerts </dev/null wget -r -l inf -np -E -k -p --restrict-file-names=windows -D 430.ch --no-verbose --directory-prefix=/root/recon-430ch/wget https://430.ch/ wget -r -l inf -np -E -k -p --restrict-file-names=windows -D 430.ch --no-verbose --directory-prefix=/root/recon-430ch/wget https://430.ch/f/ wget -r -l inf -np -E -k -p --restrict-file-names=windows -D 430.ch --no-verbose --directory-prefix=/root/recon-430ch/wget https://430.ch/yagpab/ curl -sS 'https://crt.sh/?q=%25.430.ch&output=json' curl -sS 'https://rdap.nic.ch/domain/430.ch' curl -sS 'https://urlscan.io/api/v1/search/?q=domain:430.ch' curl -sS -L 'https://web.archive.org/cdx?url=430.ch/*&output=json&fl=timestamp,original,statuscode,mimetype,digest&collapse=urlkey&filter=statuscode:200' nmap -Pn -sS -sV --version-light -T3 --top-ports 1000 83.228.241.21 83.228.241.25 -oN /root/recon-430ch/nmap-ipv4-top.txt nmap -Pn -6 -sT -sV --version-light -T3 --top-ports 1000 2001:1600:18:102::167 2001:1600:18:102::26f -oN /root/recon-430ch/nmap-ipv6-top.txt nmap -Pn -sS -T3 -p- --max-retries 2 83.228.241.21 83.228.241.25 -oN /root/recon-430ch/nmap-ipv4-full.txt nmap -Pn -6 -sT -T3 -p- --max-retries 2 2001:1600:18:102::167 2001:1600:18:102::26f -oN /root/recon-430ch/nmap-ipv6-full.txt nmap -Pn -p443 --script ssl-enum-ciphers 430.ch ov.430.ch wiki.430.ch staging.430.ch -oN /root/recon-430ch/nmap-ssl-enum.txt nmap -Pn -p80,443 --script http-title,http-server-header,http-security-headers 430.ch ov.430.ch wiki.430.ch staging.430.ch -oN /root/recon-430ch/nmap-http-scripts.txt nmap -Pn -sU -sV --version-light -p6567,27015,27016 83.228.241.25 83.228.241.21 -oN /root/recon-430ch/nmap-udp-game.txt nmap -Pn -6 -sU -sV --version-light -p6567,27015,27016 2001:1600:18:102::26f 2001:1600:18:102::167 -oN /root/recon-430ch/nmap-udp-game-ipv6.txt nmap -Pn -sU -sV --version-light -p5355 83.228.241.25 83.228.241.21 -oN /root/recon-430ch/nmap-udp-5355.txt nmap -Pn -6 -sU -sV --version-light -p5355 2001:1600:18:102::26f 2001:1600:18:102::167 -oN /root/recon-430ch/nmap-udp-5355-ipv6.txt curl -sS 'https://ov.430.ch/api.php?action=query&meta=siteinfo&siprop=general%7Cnamespaces%7Cstatistics%7Cextensions%7Cskins&format=json' curl -sS 'https://ov.430.ch/api.php?action=query&list=allusers&auprop=groups%7Ceditcount%7Cregistration&format=json' curl -sS 'https://ov.430.ch/api.php?action=query&list=recentchanges&rcprop=title%7Cids%7Ctimestamp%7Cuser%7Ccomment%7Cflags&rclimit=20&format=json' curl -sS 'https://ov.430.ch/api.php?action=query&list=logevents&leprop=title%7Ctimestamp%7Cuser%7Ccomment%7Ctype%7Cdetails&lelimit=20&format=json' curl -sS 'https://wiki.430.ch/api.php?action=query&meta=siteinfo&siprop=general%7Cnamespaces%7Cstatistics%7Cextensions%7Cskins&format=json' exiftool -a -G1 -s /root/recon-430ch/wget/430.ch/m/*.webp /root/recon-430ch/wget/430.ch/contact-us/1.png sha256sum /root/recon-430ch/wget/430.ch/m/*.webp /root/recon-430ch/wget/430.ch/contact-us/1.png
Appendix: Raw Nmap Full TCP Output
[edit]IPv4
[edit]# Nmap 7.95 scan initiated Thu Jul 9 17:42:08 2026 as: nmap -Pn -sS -T3 -p- --max-retries 2 -oN /root/recon-430ch/nmap-ipv4-full.txt 83.228.241.21 83.228.241.25 Nmap scan report for 430.ch (83.228.241.21) Host is up (0.064s latency). Not shown: 65532 filtered tcp ports (no-response) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https MAC Address: FA:16:3E:46:4B:58 (Unknown) Nmap scan report for ov.430.ch (83.228.241.25) Host is up (0.0000090s latency). Not shown: 65529 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https 5355/tcp open llmnr 6567/tcp open esp 8080/tcp filtered http-proxy # Nmap done at Thu Jul 9 17:49:20 2026 -- 2 IP addresses (2 hosts up) scanned in 431.22 seconds
IPv6
[edit]# Nmap 7.95 scan initiated Thu Jul 9 17:42:08 2026 as: nmap -Pn -6 -sT -T3 -p- --max-retries 2 -oN /root/recon-430ch/nmap-ipv6-full.txt 2001:1600:18:102::167 2001:1600:18:102::26f Nmap scan report for 430.ch (2001:1600:18:102::167) Host is up (0.019s latency). Not shown: 65532 filtered tcp ports (no-response) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https Nmap scan report for ov.430.ch (2001:1600:18:102::26f) Host is up (0.00014s latency). Not shown: 65529 closed tcp ports (conn-refused) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https 5355/tcp open llmnr 6567/tcp open esp 8080/tcp open http-proxy # Nmap done at Thu Jul 9 17:49:57 2026 -- 2 IP addresses (2 hosts up) scanned in 468.20 seconds