<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Penetration Test Report — buelltonops.com</title>
<style>
@page { margin: 1in; size: letter; }
* { box-sizing: border-box; margin: 0; padding: 0; }
body { font-family: 'Segoe UI', 'Helvetica Neue', Arial, sans-serif; color: #1a1a2e; line-height: 1.6; background: #f4f6f9; }
.page { max-width: 900px; margin: 0 auto; background: #fff; }
/* Cover Page */
.cover { background: linear-gradient(135deg, #0f0c29, #302b63, #24243e); color: #fff; padding: 80px 60px; min-height: 100vh; display: flex; flex-direction: column; justify-content: center; }
.cover .logo { font-size: 14px; text-transform: uppercase; letter-spacing: 4px; color: #7f8ff4; margin-bottom: 60px; font-weight: 600; }
.cover h1 { font-size: 42px; font-weight: 700; margin-bottom: 10px; }
.cover h2 { font-size: 22px; font-weight: 300; color: #b8c1ec; margin-bottom: 50px; }
.cover .meta { font-size: 14px; color: #8892b0; line-height: 2; }
.cover .meta strong { color: #ccd6f6; }
.cover .classification { margin-top: 60px; padding: 12px 24px; border: 2px solid #e63946; display: inline-block; color: #e63946; font-weight: 700; font-size: 13px; letter-spacing: 2px; text-transform: uppercase; }
/* Content */
.content { padding: 50px 60px; }
h2 { font-size: 24px; color: #0f0c29; border-bottom: 3px solid #7f8ff4; padding-bottom: 8px; margin: 40px 0 20px 0; }
h3 { font-size: 18px; color: #302b63; margin: 30px 0 12px 0; }
h4 { font-size: 15px; color: #444; margin: 20px 0 8px 0; }
p, li { font-size: 14px; margin-bottom: 8px; }
ul { padding-left: 24px; }
/* Executive Summary Box */
.exec-summary { background: #f8f9ff; border-left: 4px solid #7f8ff4; padding: 20px 24px; margin: 20px 0; border-radius: 0 8px 8px 0; }
/* Severity Badges */
.severity { display: inline-block; padding: 3px 12px; border-radius: 4px; font-size: 12px; font-weight: 700; text-transform: uppercase; letter-spacing: 1px; color: #fff; margin-right: 8px; vertical-align: middle; }
.severity.critical { background: #d32f2f; }
.severity.high { background: #e65100; }
.severity.medium { background: #f9a825; color: #333; }
.severity.low { background: #2196f3; }
.severity.info { background: #78909c; }
/* Finding Cards */
.finding { border: 1px solid #e0e0e0; border-radius: 8px; margin: 20px 0; overflow: hidden; }
.finding-header { padding: 14px 20px; background: #fafafa; border-bottom: 1px solid #e0e0e0; }
.finding-header h4 { margin: 0; font-size: 16px; color: #1a1a2e; }
.finding-body { padding: 16px 20px; }
.finding-body p { margin-bottom: 10px; }
.finding-body .label { font-weight: 600; color: #555; font-size: 13px; text-transform: uppercase; letter-spacing: 0.5px; }
/* Tables */
table { width: 100%; border-collapse: collapse; margin: 16px 0; font-size: 13px; }
th { background: #302b63; color: #fff; text-align: left; padding: 10px 14px; font-weight: 600; }
td { padding: 10px 14px; border-bottom: 1px solid #e8e8e8; }
tr:nth-child(even) { background: #f9f9fc; }
/* Code blocks */
pre { background: #1e1e2e; color: #cdd6f4; padding: 16px; border-radius: 6px; overflow-x: auto; font-size: 12px; line-height: 1.5; margin: 12px 0; }
code { font-family: 'JetBrains Mono', 'Fira Code', 'Consolas', monospace; }
/* Score gauge */
.score-container { text-align: center; margin: 30px 0; }
.score-gauge { display: inline-block; width: 140px; height: 140px; border-radius: 50%; border: 10px solid #e0e0e0; position: relative; }
.score-gauge .fill { position: absolute; top: -10px; left: -10px; width: 140px; height: 140px; border-radius: 50%; border: 10px solid transparent; border-top-color: #f9a825; border-right-color: #f9a825; transform: rotate(45deg); }
.score-gauge .label { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); font-size: 36px; font-weight: 700; color: #f9a825; }
.score-gauge .sublabel { position: absolute; top: 68%; left: 50%; transform: translate(-50%, 0); font-size: 11px; color: #888; text-transform: uppercase; letter-spacing: 1px; }
/* Risk Matrix */
.risk-matrix { display: grid; grid-template-columns: repeat(4, 1fr); gap: 2px; margin: 20px 0; max-width: 500px; }
.risk-cell { padding: 12px; text-align: center; font-size: 12px; font-weight: 600; color: #fff; }
/* Summary bar */
.summary-bar { display: flex; gap: 16px; margin: 20px 0; flex-wrap: wrap; }
.summary-item { flex: 1; min-width: 120px; padding: 16px; border-radius: 8px; text-align: center; }
.summary-item .count { font-size: 32px; font-weight: 700; }
.summary-item .desc { font-size: 11px; text-transform: uppercase; letter-spacing: 1px; margin-top: 4px; }
.summary-item.crit-bg { background: #fde8e8; color: #d32f2f; }
.summary-item.high-bg { background: #fff3e0; color: #e65100; }
.summary-item.med-bg { background: #fffde7; color: #f57f17; }
.summary-item.low-bg { background: #e3f2fd; color: #1565c0; }
.summary-item.info-bg { background: #eceff1; color: #546e7a; }
/* Footer */
.footer { text-align: center; padding: 30px; color: #999; font-size: 12px; border-top: 1px solid #eee; }
@media print {
.page { box-shadow: none; }
.cover { page-break-after: always; }
h2 { page-break-after: avoid; }
.finding { page-break-inside: avoid; }
}
</style>
</head>
<body>
<div class="page">
<!-- ============ COVER PAGE ============ -->
<div class="cover">
<div class="logo">Autosys, LLC — Security Assessment Division</div>
<h1>External Penetration Test Report</h1>
<h2>buelltonops.com — Buellton Community Services District</h2>
<div class="meta">
<strong>Report Date:</strong> March 18, 2026<br>
<strong>Assessment Period:</strong> March 15–18, 2026<br>
<strong>Assessor:</strong> Mason — Autosys, LLC<br>
<strong>Classification:</strong> Client Confidential<br>
<strong>Report Version:</strong> 1.0<br>
<strong>Target:</strong> buelltonops.com (96.82.98.110)
</div>
<div class="classification">Confidential — Client Use Only</div>
</div>
<!-- ============ TABLE OF CONTENTS ============ -->
<div class="content">
<h2>Table of Contents</h2>
<ol style="font-size: 14px; line-height: 2.2;">
<li>Executive Summary</li>
<li>Scope & Methodology</li>
<li>Target Reconnaissance</li>
<li>Findings Summary</li>
<li>Detailed Findings
<ol type="a" style="margin-top: 4px;">
<li>Network & Firewall</li>
<li>Email Security</li>
<li>Web Application</li>
<li>SSL/TLS & Certificates</li>
<li>Exposed Services</li>
<li>DNS Configuration</li>
</ol>
</li>
<li>Positive Observations</li>
<li>Remediation Roadmap</li>
<li>Appendix: Raw Scan Data</li>
</ol>
<!-- ============ 1. EXECUTIVE SUMMARY ============ -->
<h2>1. Executive Summary</h2>
<div class="exec-summary">
<p>Autosys, LLC conducted an external penetration test against <strong>buelltonops.com</strong> (IP: 96.82.98.110) between March 15–18, 2026. The assessment was performed from an external attacker's perspective with no prior credentials or internal access (black-box methodology).</p>
<p>The assessment identified <strong>13 findings</strong> across all severity levels. The most significant risks involve a <strong>stateless firewall configuration</strong> that leaks internal service information, <strong>complete absence of email authentication</strong> (no DMARC or DKIM), making the domain highly susceptible to email spoofing and phishing attacks, and a <strong>non-functional website</strong> that exposes hosting infrastructure details.</p>
<p>The primary server at 96.82.98.110 (Comcast business IP) employs aggressive firewall rules that block most direct connections. However, advanced scanning techniques revealed that SSH, HTTP, HTTPS, and MySQL services are running behind the firewall, and the firewall's stateless nature allows those services to be mapped from outside.</p>
<p>The domain's web hosting (HostGator shared hosting at 66.96.162.134) has a wildcard DNS configuration, an SSL certificate belonging to a different domain (*.bizland.com), and no HTTP security headers. The website itself appears abandoned, serving only an HTML redirect to an empty URL on HTTP and an "Access Denied" block page on HTTPS.</p>
<p><strong>Overall Risk Rating: MEDIUM-HIGH</strong> — While the perimeter is heavily firewalled, the email spoofing exposure represents an immediate, exploitable risk, and the hosting misconfiguration suggests the infrastructure may be unmanaged.</p>
</div>
<div class="summary-bar">
<div class="summary-item crit-bg"><div class="count">1</div><div class="desc">Critical</div></div>
<div class="summary-item high-bg"><div class="count">3</div><div class="desc">High</div></div>
<div class="summary-item med-bg"><div class="count">5</div><div class="desc">Medium</div></div>
<div class="summary-item low-bg"><div class="count">4</div><div class="desc">Low</div></div>
<div class="summary-item info-bg"><div class="count">3</div><div class="desc">Informational</div></div>
</div>
<!-- ============ 2. SCOPE & METHODOLOGY ============ -->
<h2>2. Scope & Methodology</h2>
<h3>2.1 Scope</h3>
<table>
<tr><th>Parameter</th><th>Detail</th></tr>
<tr><td>Primary Target</td><td>buelltonops.com (A: 96.82.98.110)</td></tr>
<tr><td>Hosting Server</td><td>66.96.162.134 (HostGator shared hosting)</td></tr>
<tr><td>Mail Servers</td><td>mx.buelltonops.com (66.96.140.124, 66.96.140.125)</td></tr>
<tr><td>Test Type</td><td>External, black-box, non-destructive</td></tr>
<tr><td>Authorization</td><td>Authorized by client representative</td></tr>
</table>
<h3>2.2 Methodology</h3>
<p>The assessment followed a structured methodology aligned with OWASP Testing Guide v4 and PTES (Penetration Testing Execution Standard):</p>
<ol>
<li><strong>Reconnaissance:</strong> WHOIS, DNS enumeration, certificate transparency, OSINT</li>
<li><strong>Scanning:</strong> Full TCP/UDP port scans, service fingerprinting, OS detection</li>
<li><strong>Firewall Analysis:</strong> SYN, ACK, NULL, FIN, Xmas, Window, and fragmentation scans</li>
<li><strong>Web Application Testing:</strong> Technology fingerprinting, directory brute-forcing, header analysis, vulnerability scanning (Nuclei, Nikto)</li>
<li><strong>SSL/TLS Assessment:</strong> Cipher enumeration, certificate validation, vulnerability checks (Heartbleed, POODLE, CCS injection)</li>
<li><strong>Email Security:</strong> SPF, DKIM, DMARC validation</li>
<li><strong>Service Enumeration:</strong> FTP, SMTP, IMAP, POP3 capability checks and vulnerability testing</li>
</ol>
<h3>2.3 Tools Used</h3>
<table>
<tr><th>Category</th><th>Tools</th></tr>
<tr><td>Network Scanning</td><td>Nmap 7.98, traceroute</td></tr>
<tr><td>DNS</td><td>dig, dnsrecon, nslookup</td></tr>
<tr><td>Web</td><td>whatweb, ffuf, nikto, nuclei v3.3.9, curl</td></tr>
<tr><td>SSL/TLS</td><td>OpenSSL, Nmap SSL scripts</td></tr>
<tr><td>WAF Detection</td><td>wafw00f v2.3.2</td></tr>
<tr><td>OSINT</td><td>whois, crt.sh, Wayback Machine</td></tr>
<tr><td>Platform</td><td>Kali Linux 2025-2 (arm64)</td></tr>
</table>
<!-- ============ 3. TARGET RECONNAISSANCE ============ -->
<h2>3. Target Reconnaissance</h2>
<h3>3.1 Domain Registration</h3>
<table>
<tr><th>Field</th><th>Value</th></tr>
<tr><td>Registrar</td><td>Tucows Domains Inc.</td></tr>
<tr><td>Created</td><td>June 13, 2014</td></tr>
<tr><td>Expires</td><td>June 13, 2026 (less than 3 months)</td></tr>
<tr><td>Status</td><td>clientTransferProhibited, clientUpdateProhibited</td></tr>
<tr><td>DNSSEC</td><td>Unsigned</td></tr>
</table>
<h3>3.2 DNS Records</h3>
<table>
<tr><th>Type</th><th>Record</th><th>Value</th></tr>
<tr><td>A</td><td>buelltonops.com</td><td>96.82.98.110</td></tr>
<tr><td>NS</td><td>buelltonops.com</td><td>ns1.domain.com, ns2.domain.com</td></tr>
<tr><td>MX</td><td>buelltonops.com</td><td>mx.buelltonops.com (66.96.140.124, 66.96.140.125)</td></tr>
<tr><td>TXT (SPF)</td><td>buelltonops.com</td><td>v=spf1 ip4:66.96.128.0/18 include:websitewelcome.com ?all</td></tr>
<tr><td>SOA</td><td>buelltonops.com</td><td>ns1.domain.com (172.64.52.73)</td></tr>
<tr><td>Wildcard</td><td>*.buelltonops.com</td><td>66.96.162.134 (catch-all to hosting)</td></tr>
</table>
<h3>3.3 Network Ownership</h3>
<table>
<tr><th>IP</th><th>Owner</th><th>Network</th></tr>
<tr><td>96.82.98.110</td><td>Comcast Cable Communications, LLC</td><td>96.64.0.0/11 (CABLE-1)</td></tr>
<tr><td>66.96.162.134</td><td>Newfold Digital (HostGator)</td><td>eigbox.net shared hosting</td></tr>
<tr><td>66.96.140.124/125</td><td>Newfold Digital (HostGator)</td><td>eigbox.net mail cluster</td></tr>
</table>
<!-- ============ 4. FINDINGS SUMMARY ============ -->
<h2>4. Findings Summary</h2>
<table>
<tr><th>#</th><th>Severity</th><th>Finding</th><th>Category</th></tr>
<tr><td>F-01</td><td><span class="severity critical">CRITICAL</span></td><td>No DMARC Record — Domain Spoofing Possible</td><td>Email</td></tr>
<tr><td>F-02</td><td><span class="severity high">HIGH</span></td><td>Stateless Firewall Leaks Service Information</td><td>Network</td></tr>
<tr><td>F-03</td><td><span class="severity high">HIGH</span></td><td>No DKIM Records Configured</td><td>Email</td></tr>
<tr><td>F-04</td><td><span class="severity high">HIGH</span></td><td>MySQL Service Detected Behind Firewall</td><td>Network</td></tr>
<tr><td>F-05</td><td><span class="severity medium">MEDIUM</span></td><td>Weak SPF Policy (?all Qualifier)</td><td>Email</td></tr>
<tr><td>F-06</td><td><span class="severity medium">MEDIUM</span></td><td>SSL Certificate Mismatch (*.bizland.com)</td><td>SSL/TLS</td></tr>
<tr><td>F-07</td><td><span class="severity medium">MEDIUM</span></td><td>All HTTP Security Headers Missing</td><td>Web</td></tr>
<tr><td>F-08</td><td><span class="severity medium">MEDIUM</span></td><td>FTP Service Publicly Exposed (ProFTPD)</td><td>Services</td></tr>
<tr><td>F-09</td><td><span class="severity medium">MEDIUM</span></td><td>Mail Services Support Cleartext Authentication</td><td>Services</td></tr>
<tr><td>F-10</td><td><span class="severity low">LOW</span></td><td>Wildcard DNS Record (Subdomain Abuse)</td><td>DNS</td></tr>
<tr><td>F-11</td><td><span class="severity low">LOW</span></td><td>FTP Banner Information Disclosure</td><td>Services</td></tr>
<tr><td>F-12</td><td><span class="severity low">LOW</span></td><td>DNSSEC Not Configured</td><td>DNS</td></tr>
<tr><td>F-13</td><td><span class="severity low">LOW</span></td><td>No Reverse DNS (PTR) Record</td><td>DNS</td></tr>
<tr><td>I-01</td><td><span class="severity info">INFO</span></td><td>Website Non-Functional / Abandoned</td><td>Web</td></tr>
<tr><td>I-02</td><td><span class="severity info">INFO</span></td><td>Domain Expiring Within 3 Months</td><td>Admin</td></tr>
<tr><td>I-03</td><td><span class="severity info">INFO</span></td><td>Hosting on Comcast Business IP (No PTR)</td><td>Network</td></tr>
</table>
<!-- ============ 5. DETAILED FINDINGS ============ -->
<h2>5. Detailed Findings</h2>
<!-- ===== 5a. Network & Firewall ===== -->
<h3>5a. Network & Firewall</h3>
<div class="finding">
<div class="finding-header">
<h4><span class="severity high">HIGH</span> F-02: Stateless Firewall Leaks Service Information</h4>
</div>
<div class="finding-body">
<p class="label">Description</p>
<p>The firewall protecting the primary server at 96.82.98.110 is configured as a <strong>stateless packet filter</strong>. While it correctly blocks unsolicited SYN (connection initiation) packets, it does not track connection state. This allows ACK-based scanning to pass through the firewall, enabling an attacker to map which services are running behind it.</p>
<p class="label">Evidence</p>
<pre><code># SYN scan — all ports appear filtered (firewall blocks)
$ nmap -Pn -sS -p 22,80,443,3306 96.82.98.110
22/tcp filtered ssh
80/tcp filtered http
443/tcp filtered https
3306/tcp filtered mysql
# ACK scan — all ports show "unfiltered" (packets pass through)
$ nmap -Pn -sA -p 22,80,443,3306 96.82.98.110
22/tcp unfiltered ssh
80/tcp unfiltered http
443/tcp unfiltered https
3306/tcp unfiltered mysql
# Window scan — confirms services are OPEN behind firewall
$ nmap -Pn -sW -p 22,80,443,3306 96.82.98.110
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql
# NULL/FIN/Xmas scans — RST responses confirm OS reachability
$ nmap -Pn -sN/-sF/-sX -p 22,80,443 96.82.98.110
22/tcp closed ssh
80/tcp closed http
443/tcp closed https</code></pre>
<p class="label">Impact</p>
<p>An attacker can determine exactly which services are running behind the firewall without ever establishing a connection. This intelligence significantly reduces the effort needed for targeted attacks. The exposure of MySQL (port 3306) is particularly concerning — if the firewall rules are ever relaxed or bypassed, direct database access would be possible.</p>
<p class="label">Recommendation</p>
<ul>
<li>Replace the current stateless packet filter with a <strong>stateful firewall</strong> (e.g., iptables with <code>-m conntrack --ctstate ESTABLISHED,RELATED</code> or a next-gen firewall appliance)</li>
<li>Configure the firewall to drop ALL unsolicited packets, not just SYN packets</li>
<li>Ensure MySQL (3306) is bound to localhost only if remote access is not required</li>
<li>Implement default-deny egress filtering</li>
</ul>
<p class="label">CVSS v3.1 Score</p>
<p>5.3 (Medium) — AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</p>
</div>
</div>
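<p>The following Python model is an added example written for this report, not part of the assessment or of any tool it names. It reproduces the difference this finding describes: a filter that only drops inbound SYN still forwards the ACK, NULL and Xmas probes that produced the "unfiltered" and "open" results in the evidence above, whereas a connection-tracking filter (the <code>conntrack --ctstate ESTABLISHED,RELATED</code> behaviour recommended above) forwards inbound packets only for flows the host opened itself or for SYNs to explicitly published ports. The scanner and peer addresses (203.0.113.5, 198.51.100.9) are constructed documentation-range values; the packets exist only in memory.</p>

```python
"""Added example, not part of the report: a small model of the two firewall
behaviours discussed in F-02. The stateless filter reproduces what the scans
observed (only inbound SYN is dropped); the stateful one models the
`-m conntrack --ctstate ESTABLISHED,RELATED` recommendation. All packets are
constructed in memory; nothing is sent on a network."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str          # source IP
    sport: int        # source port
    dst: str          # destination IP
    dport: int        # destination port
    flags: frozenset  # TCP flags set, e.g. frozenset({"SYN"})
    direction: str    # "in" = Internet -> server, "out" = server -> Internet


SERVER = "96.82.98.110"   # primary target from the report
PROBER = "203.0.113.5"    # constructed scanner address (documentation range)


def stateless_filter(pkt: Packet) -> bool:
    """Observed behaviour: drop inbound SYN-only packets, forward the rest.
    Unsolicited ACK/FIN/NULL/Xmas probes therefore reach the host, and the
    RST it answers with reveals which ports are open or closed."""
    if pkt.direction == "in" and pkt.flags == frozenset({"SYN"}):
        return False
    return True


class StatefulFilter:
    """Connection-tracking filter: an inbound packet is forwarded only if it
    belongs to a flow the host itself started (ESTABLISHED) or is a SYN to
    an explicitly published port (NEW). Everything else is dropped, so
    out-of-state probes get no reply at all and the port map stays hidden."""

    def __init__(self, published_ports=()):
        self.published = set(published_ports)
        self.flows = set()   # (server_ip, server_port, peer_ip, peer_port)

    def accept(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            # Remember the flow so the peer's replies count as ESTABLISHED.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            return True                                   # ESTABLISHED
        if pkt.flags == frozenset({"SYN"}) and pkt.dport in self.published:
            self.flows.add(key)                           # NEW, allow-listed
            return True
        return False                                      # default deny


def compare_filters(published_ports=()):
    """Run the same probe set through both models and return, per probe,
    whether each filter lets it reach the host. The probes mirror the
    report's -sS (SYN), -sA (ACK), -sX (Xmas) and -sN (NULL) scans."""
    stateful = StatefulFilter(published_ports)
    probes = {
        "syn_443":  Packet(PROBER, 40000, SERVER, 443,  frozenset({"SYN"}), "in"),
        "ack_3306": Packet(PROBER, 40001, SERVER, 3306, frozenset({"ACK"}), "in"),
        "xmas_22":  Packet(PROBER, 40002, SERVER, 22,   frozenset({"FIN", "PSH", "URG"}), "in"),
        "null_80":  Packet(PROBER, 40003, SERVER, 80,   frozenset(), "in"),
    }
    results = {name: {"stateless": stateless_filter(p), "stateful": stateful.accept(p)}
               for name, p in probes.items()}
    # A legitimate reply: the server opened an outbound connection first,
    # so the peer's SYN/ACK must still be let in by both filters.
    stateful.accept(Packet(SERVER, 51000, "198.51.100.9", 443, frozenset({"SYN"}), "out"))
    reply = Packet("198.51.100.9", 443, SERVER, 51000, frozenset({"SYN", "ACK"}), "in")
    results["reply_to_outbound"] = {"stateless": stateless_filter(reply),
                                    "stateful": stateful.accept(reply)}
    return results


if __name__ == "__main__":
    for name, verdict in compare_filters().items():
        print(f"{name:18s} stateless={verdict['stateless']!s:5s} stateful={verdict['stateful']}")
```

<p>With no published ports, the stateful model drops every unsolicited probe while still admitting the reply to a connection the server opened; passing <code>published_ports=(443,)</code> admits only a SYN to 443 and still rejects the ACK probe to 3306, which is the behaviour the recommendation above asks for.</p>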
<div class="finding">
<div class="finding-header">
<h4><span class="severity high">HIGH</span> F-04: MySQL Service Detected Behind Firewall</h4>
</div>
<div class="finding-body">
<p class="label">Description</p>
<p>TCP Window scanning confirmed that a MySQL database service (port 3306) is running on the primary server. While currently shielded by the firewall, the presence of a database service directly on a public-facing IP represents a significant risk if firewall rules are modified, misconfigured, or bypassed.</p>
<p class="label">Evidence</p>
<pre><code>$ nmap -Pn -sW -p 3306 96.82.98.110
3306/tcp open mysql</code></pre>
<p class="label">Impact</p>
<p>If the firewall is ever bypassed, an attacker could attempt brute-force authentication or exploit MySQL vulnerabilities for direct database access. Database services should never be bound to public interfaces.</p>
<p class="label">Recommendation</p>
<ul>
<li>Bind MySQL to <code>127.0.0.1</code> or <code>localhost</code> only in the MySQL configuration</li>
<li>If remote database access is needed, use SSH tunneling or a VPN</li>
<li>Ensure strong MySQL credentials and disable remote root login</li>
</ul>
<p class="label">CVSS v3.1 Score</p>
<p>7.5 (High) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (if firewall bypassed)</p>
</div>
</div>
<!-- ===== 5b. Email Security ===== -->
<h3>5b. Email Security</h3>
<div class="finding">
<div class="finding-header">
<h4><span class="severity critical">CRITICAL</span> F-01: No DMARC Record — Domain Spoofing Possible</h4>
</div>
<div class="finding-body">
<p class="label">Description</p>
<p>The domain <strong>buelltonops.com</strong> has <strong>no DMARC (Domain-based Message Authentication, Reporting & Conformance) record</strong>. DMARC is the industry-standard mechanism that tells receiving mail servers what to do with emails that fail SPF/DKIM checks. Without DMARC, an attacker can send emails that appear to come from any @buelltonops.com address, and most mail servers will deliver them.</p>
<p class="label">Evidence</p>
<pre><code>$ dig _dmarc.buelltonops.com TXT +short
(empty — no record)</code></pre>
<p class="label">Impact</p>
<p><strong>This is the highest-risk finding in this assessment.</strong> An attacker can craft convincing phishing emails appearing to originate from @buelltonops.com addresses (e.g., operations@buelltonops.com, admin@buelltonops.com). For a government services district, this could be used to:</p>
<ul>
<li>Phish residents with fake notices (water bills, service alerts, meeting notices)</li>
<li>Conduct business email compromise (BEC) against staff or vendors</li>
<li>Damage the organization's reputation</li>
<li>Distribute malware under trusted branding</li>
</ul>
<p class="label">Recommendation</p>
<ul>
<li><strong>Immediate:</strong> Add a DMARC DNS record starting with monitoring mode:
<pre><code>_dmarc.buelltonops.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@buelltonops.com; ruf=mailto:dmarc-reports@buelltonops.com; pct=100"</code></pre>
</li>
<li><strong>30 days:</strong> After reviewing reports, escalate to <code>p=quarantine</code></li>
<li><strong>60 days:</strong> Move to <code>p=reject</code> to fully block spoofed emails</li>
</ul>
<p class="label">CVSS v3.1 Score</p>
<p>9.1 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N</p>
</div>
</div>
<div class="finding">
<div class="finding-header">
<h4><span class="severity high">HIGH</span> F-03: No DKIM Records Configured</h4>
</div>
<div class="finding-body">
<p class="label">Description</p>
<p>No DKIM (DomainKeys Identified Mail) records were found for the domain. DKIM cryptographically signs outgoing emails, allowing recipients to verify the email was genuinely sent by the domain's mail server and was not tampered with in transit.</p>
<p class="label">Evidence</p>
<pre><code>$ dig default._domainkey.buelltonops.com TXT +short → (empty)
$ dig selector1._domainkey.buelltonops.com TXT +short → (empty)
$ dig selector2._domainkey.buelltonops.com TXT +short → (empty)
$ dig google._domainkey.buelltonops.com TXT +short → (empty)</code></pre>
<p class="label">Impact</p>
<p>Without DKIM, legitimate emails from @buelltonops.com cannot be cryptographically verified. This compounds the DMARC absence — even if DMARC were later deployed, it would have no DKIM alignment to check. Receiving mail servers have no way to distinguish legitimate emails from spoofed ones.</p>
<p class="label">Recommendation</p>
<ul>
<li>Generate a DKIM key pair on the mail server (or through the hosting provider's control panel)</li>
<li>Publish the public key as a DNS TXT record under <code>default._domainkey.buelltonops.com</code></li>
<li>Configure the mail server to sign all outgoing email with the private key</li>
</ul>
<p class="label">CVSS v3.1 Score</p>
<p>7.4 (High) — AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N</p>
</div>
</div>
<div class="finding">
<div class="finding-header">
<h4><span class="severity medium">MEDIUM</span> F-05: Weak SPF Policy (?all Qualifier)</h4>
</div>
<div class="finding-body">
<p class="label">Description</p>
<p>The domain's SPF record uses the <code>?all</code> (neutral) qualifier instead of the recommended <code>-all</code> (hard fail). This means receiving mail servers are instructed to treat emails from unauthorized senders as "neutral" rather than rejecting them.</p>
<p class="label">Evidence</p>
<pre><code>$ dig buelltonops.com TXT +short
"v=spf1 ip4:66.96.128.0/18 include:websitewelcome.com ?all"
^^^^
Should be: -all</code></pre>
<p class="label">Impact</p>
<p>The neutral qualifier provides essentially no protection. Spoofed emails from unauthorized IPs will not be flagged or rejected based on SPF alone.</p>
<p class="label">Recommendation</p>
<ul>
<li>Change the SPF record qualifier from <code>?all</code> to <code>~all</code> (soft fail) initially, then to <code>-all</code> (hard fail) after verifying all legitimate mail sources are listed</li>
<li>Verify that the included <code>websitewelcome.com</code> SPF record is still valid and necessary</li>
</ul>
</div>
</div>
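<p>The following Python checks are an added example, not part of the report or of any tool it names: they grade SPF and DMARC records offline and report the conditions raised in F-01 (no DMARC record), F-03 (no DKIM selector published) and F-05 (<code>?all</code>). The record strings are the ones quoted in this report; the issue codes, function names and the list of DKIM selectors passed in are assumptions of the example, and a real audit would fetch the TXT records with <code>dig</code> first.</p>

```python
"""Added example, not part of the report: offline grading of the SPF and
DMARC TXT records a domain publishes, applied to the records quoted in
F-01, F-03 and F-05. Record strings are passed in directly (in practice
fetched with `dig TXT`) so the checks run without DNS access."""

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return {'all': qualifier, 'result': meaning, 'terms': [...]} for an
    SPF record, or None if the string is not an SPF record. A record with
    no 'all' term yields 'neutral' for senders it does not list."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    terms = record.split()[1:]
    all_qual = None
    for term in terms:
        if term[:1] in SPF_QUALIFIERS:
            qual, name = term[0], term[1:]
        else:
            qual, name = "+", term            # unqualified terms mean '+'
        if name.lower() == "all":
            all_qual = qual
    result = SPF_QUALIFIERS[all_qual] if all_qual else "neutral"
    return {"all": all_qual, "result": result, "terms": terms}


def parse_dmarc(record):
    """Return the DMARC tag dictionary, or None if the record is absent or
    does not start with v=DMARC1."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def audit_email_auth(spf_record, dmarc_record, dkim_selectors_found):
    """Return a sorted list of issue codes; an empty list means SPF ends in
    -all, DMARC enforces (quarantine/reject) with aggregate reporting, and
    at least one DKIM selector is published."""
    issues = []
    spf = parse_spf(spf_record)
    if spf is None:
        issues.append("SPF_MISSING")
    elif spf["all"] == "~":
        issues.append("SPF_SOFTFAIL_ALL")
    elif spf["all"] != "-":
        issues.append("SPF_ALL_NOT_ENFORCED")   # '?all', '+all' or no 'all'
    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        issues.append("DMARC_MISSING")
    else:
        if dmarc.get("p") == "none":
            issues.append("DMARC_MONITOR_ONLY")
        elif dmarc.get("p") not in ("quarantine", "reject"):
            issues.append("DMARC_INVALID_POLICY")
        if "rua" not in dmarc:
            issues.append("DMARC_NO_AGGREGATE_REPORTS")
    if not dkim_selectors_found:
        issues.append("DKIM_MISSING")
    return sorted(issues)


# Records as quoted in the report (F-05 evidence and the F-01 recommendation).
OBSERVED_SPF = "v=spf1 ip4:66.96.128.0/18 include:websitewelcome.com ?all"
OBSERVED_DMARC = None            # dig _dmarc.buelltonops.com TXT returned nothing
PROPOSED_DMARC = ("v=DMARC1; p=none; rua=mailto:dmarc-reports@buelltonops.com; "
                  "ruf=mailto:dmarc-reports@buelltonops.com; pct=100")

if __name__ == "__main__":
    print("as found:        ", audit_email_auth(OBSERVED_SPF, OBSERVED_DMARC, []))
    print("after step 1:    ", audit_email_auth(OBSERVED_SPF, PROPOSED_DMARC, []))
    hardened_spf = OBSERVED_SPF.replace("?all", "-all")
    enforcing = PROPOSED_DMARC.replace("p=none", "p=reject")
    print("fully remediated:", audit_email_auth(hardened_spf, enforcing, ["default"]))
```

<p>Run against the records as found, the audit reports all three conditions; after the monitoring-mode DMARC record is published it still reports <code>DMARC_MONITOR_ONLY</code>, and it only returns an empty list once the policy is <code>p=reject</code>, the SPF record ends in <code>-all</code> and a DKIM selector exists, which matches the staged roadmap in F-01 and F-05.</p>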
<!-- ===== 5c. Web Application ===== -->
<h3>5c. Web Application</h3>
<div class="finding">
<div class="finding-header">
<h4><span class="severity medium">MEDIUM</span> F-07: All HTTP Security Headers Missing</h4>
</div>
<div class="finding-body">
<p class="label">Description</p>
<p>The web server returns no security-related HTTP headers. All seven critical security headers are absent.</p>
<p class="label">Evidence</p>
<table>
<tr><th>Header</th><th>Status</th><th>Purpose</th></tr>
<tr><td>X-Frame-Options</td><td style="color:#d32f2f; font-weight:600;">MISSING</td><td>Prevents clickjacking attacks</td></tr>
<tr><td>X-Content-Type-Options</td><td style="color:#d32f2f; font-weight:600;">MISSING</td><td>Prevents MIME-type sniffing</td></tr>
<tr><td>X-XSS-Protection</td><td style="color:#d32f2f; font-weight:600;">MISSING</td><td>Legacy XSS filter (defense-in-depth)</td></tr>
<tr><td>Strict-Transport-Security</td><td style="color:#d32f2f; font-weight:600;">MISSING</td><td>Forces HTTPS connections</td></tr>
<tr><td>Content-Security-Policy</td><td style="color:#d32f2f; font-weight:600;">MISSING</td><td>Prevents XSS and injection attacks</td></tr>
<tr><td>Referrer-Policy</td><td style="color:#d32f2f; font-weight:600;">MISSING</td><td>Controls referrer information leakage</td></tr>
<tr><td>Permissions-Policy</td><td style="color:#d32f2f; font-weight:600;">MISSING</td><td>Controls browser feature access</td></tr>
</table>
<p class="label">Response Headers Received</p>
<pre><code>HTTP/1.1 200 OK
Date: Wed, 18 Mar 2026 14:36:07 GMT
Content-Type: text/html
Content-Length: 81
Set-Cookie: request_id=...; Max-Age=3600; Path=/; HttpOnly
Last-Modified: Sun, 22 Jun 2014 00:50:11 GMT
Cache-Control: max-age=3600
Vary: Accept-Encoding</code></pre>
<p class="label">Recommendation</p>
<ul>
<li>Add all missing security headers to the web server configuration (Apache .htaccess or server config)</li>
<li>Minimum recommended headers:
<pre><code>X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()</code></pre>
</li>
</ul>
</div>
</div>
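<p>The following Python audit is an added example, not part of the report: it checks a response header set against the seven headers in the table above, applies value checks for headers that are commonly present but misconfigured (HSTS lifetime, the X-Frame-Options and X-Content-Type-Options values, a CSP without <code>default-src</code> or with <code>'unsafe-inline'</code>), and runs on the observed headers transcribed from the evidence and on the recommended minimum listed above. The function and constant names are the example's own.</p>

```python
"""Added example, not part of the report: an offline audit of an HTTP
response's security headers against the seven headers listed in F-07, with
value checks for the ones that are easy to get subtly wrong. The observed
headers are transcribed from the report's evidence; the hardened set is the
report's recommended minimum."""
import re

REQUIRED_HEADERS = [
    "X-Frame-Options", "X-Content-Type-Options", "X-XSS-Protection",
    "Strict-Transport-Security", "Content-Security-Policy",
    "Referrer-Policy", "Permissions-Policy",
]
ONE_YEAR = 31536000   # minimum HSTS max-age, in seconds


def audit_security_headers(headers):
    """headers: dict of response header name -> value (any letter case,
    since HTTP header names are case-insensitive).
    Returns {'missing': [...], 'weak': [...]} in REQUIRED_HEADERS order."""
    present = {name.lower(): value for name, value in headers.items()}
    missing, weak = [], []
    for name in REQUIRED_HEADERS:
        value = present.get(name.lower())
        if value is None:
            missing.append(name)
            continue
        low = value.lower()
        if name == "X-Frame-Options" and low not in ("deny", "sameorigin"):
            weak.append(f"{name}: expected DENY or SAMEORIGIN, got {value!r}")
        elif name == "X-Content-Type-Options" and low != "nosniff":
            weak.append(f"{name}: expected nosniff, got {value!r}")
        elif name == "Strict-Transport-Security":
            match = re.search(r"max-age=(\d+)", low)
            if not match or int(match.group(1)) < ONE_YEAR:
                weak.append(f"{name}: max-age should be at least {ONE_YEAR}")
        elif name == "Content-Security-Policy":
            if "default-src" not in low:
                weak.append(f"{name}: no default-src fallback directive")
            elif "'unsafe-inline'" in low:
                weak.append(f"{name}: allows inline scripts/styles ('unsafe-inline')")
    return {"missing": missing, "weak": weak}


# Transcribed from the F-07 evidence (the cookie value is elided in the report).
OBSERVED_HEADERS = {
    "Date": "Wed, 18 Mar 2026 14:36:07 GMT",
    "Content-Type": "text/html",
    "Content-Length": "81",
    "Set-Cookie": "request_id=...; Max-Age=3600; Path=/; HttpOnly",
    "Last-Modified": "Sun, 22 Jun 2014 00:50:11 GMT",
    "Cache-Control": "max-age=3600",
    "Vary": "Accept-Encoding",
}
# The report's recommended minimum, added on top of the observed headers.
RECOMMENDED_HEADERS = dict(OBSERVED_HEADERS, **{
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
})

if __name__ == "__main__":
    print("observed:   ", audit_security_headers(OBSERVED_HEADERS))
    print("recommended:", audit_security_headers(RECOMMENDED_HEADERS))
```

<p>Against the observed response all seven headers are reported missing. Against the recommended minimum only <code>X-XSS-Protection</code> remains, because the minimum list above omits it; current browsers ignore that header, so it can be dropped from <code>REQUIRED_HEADERS</code> if the seven-header table is not treated as the baseline.</p>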
<!-- ===== 5d. SSL/TLS ===== -->
<h3>5d. SSL/TLS & Certificates</h3>
<div class="finding">
<div class="finding-header">
<h4><span class="severity medium">MEDIUM</span> F-06: SSL Certificate Mismatch (*.bizland.com)</h4>
</div>
<div class="finding-body">
<p class="label">Description</p>
<p>The SSL certificate served on port 443 of the hosting server is issued to <strong>*.bizland.com</strong>, not to buelltonops.com. This means HTTPS connections to buelltonops.com will trigger browser security warnings, and the site cannot be accessed securely.</p>
<p class="label">Evidence</p>
<pre><code>$ openssl s_client -connect 66.96.162.134:443 -servername buelltonops.com
Subject: CN=*.bizland.com
SAN: DNS:*.bizland.com, DNS:bizland.com
Issuer: Sectigo Public Server Authentication CA DV R36
Valid: Aug 18, 2025 — Aug 18, 2026</code></pre>
<p class="label">Impact</p>
<p>Visitors attempting to access https://buelltonops.com will receive certificate warnings, eroding trust. The mismatch also indicates the hosting account may not be properly configured or has been assigned a default/shared certificate.</p>
<p class="label">Recommendation</p>
<ul>
<li>Install a valid SSL certificate for buelltonops.com (Let's Encrypt is free)</li>
<li>Configure SNI properly in the hosting control panel</li>
<li>Enable automatic certificate renewal</li>
</ul>
</div>
</div>
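<p>The following Python helper is an added example, not part of the report: it parses the <code>SAN:</code> line from the evidence above and applies the RFC 6125 hostname-matching rules to show why <code>*.bizland.com</code> cannot cover buelltonops.com, and why a replacement certificate needs both the apex name and <code>www</code> (a wildcard alone does not match the apex). Function names are the example's own; no TLS connection is made.</p>

```python
"""Added example, not part of the report: checking whether a certificate's
Subject Alternative Names cover a requested hostname, using the RFC 6125
wildcard rules, applied to the *.bizland.com certificate quoted in F-06.
The SAN line is transcribed from the report's openssl output; no TLS
connection is made."""


def parse_san_line(line):
    """Turn 'SAN: DNS:*.bizland.com, DNS:bizland.com' into a list of
    dNSName entries (other SAN types such as IP: are ignored)."""
    body = line.split(":", 1)[1] if line.upper().startswith("SAN:") else line
    names = []
    for entry in body.split(","):
        entry = entry.strip()
        if entry.upper().startswith("DNS:"):
            names.append(entry[4:].strip().lower())
    return names


def dns_name_matches(pattern, hostname):
    """RFC 6125 section 6.4.3: a wildcard is honoured only as the entire
    left-most label, matches exactly one label, and never matches the bare
    parent domain, so '*.bizland.com' covers 'www.bizland.com' but neither
    'bizland.com' nor 'a.b.bizland.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False                 # partial, nested or top-level wildcards: refuse
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_hostname(hostname, san_names):
    """True if any SAN dNSName matches the hostname."""
    return any(dns_name_matches(name, hostname) for name in san_names)


def explain(hostname, san_line):
    """One-line verdict for a hostname against a certificate's SAN line."""
    names = parse_san_line(san_line)
    if cert_covers_hostname(hostname, names):
        return f"{hostname}: covered by {names}"
    return f"{hostname}: NOT covered by {names}; browsers will warn"


OBSERVED_SAN_LINE = "SAN: DNS:*.bizland.com, DNS:bizland.com"   # from the F-06 evidence

if __name__ == "__main__":
    for host in ("buelltonops.com", "www.buelltonops.com", "www.bizland.com", "bizland.com"):
        print(explain(host, OBSERVED_SAN_LINE))
    # A replacement certificate must list the apex and www names explicitly
    # (or a wildcard plus the apex), since '*.buelltonops.com' alone does
    # not match 'buelltonops.com'.
    print(explain("buelltonops.com", "SAN: DNS:buelltonops.com, DNS:www.buelltonops.com"))
```

<p>The evidence above was collected with <code>-servername buelltonops.com</code>, so SNI was sent and the server still answered with the <code>*.bizland.com</code> certificate; that is consistent with the hosting account not being bound to this name, which is what the SNI recommendation addresses.</p>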
<!-- ===== 5e. Exposed Services ===== -->
<h3>5e. Exposed Services</h3>
<div class="finding">
<div class="finding-header">
<h4><span class="severity medium">MEDIUM</span> F-08: FTP Service Publicly Exposed (ProFTPD)</h4>
</div>
<div class="finding-body">
<p class="label">Description</p>
<p>The hosting server exposes a ProFTPD FTP service on port 21. FTP transmits credentials and data in cleartext. While anonymous access is correctly denied, the service itself represents an attack surface for brute-force and known CVE exploitation.</p>
<p class="label">Evidence</p>
<pre><code>$ nmap -sV -p 21 66.96.162.134
21/tcp open ftp ProFTPD
$ echo -e 'USER anonymous\r\nPASS test\r\nQUIT' | nc 66.96.162.134 21
220 domaincom FTP Server Ready
331 Password required for anonymous
530 Login incorrect.</code></pre>
<p class="label">Recommendation</p>
<ul>
<li>Migrate to SFTP (SSH-based file transfer) instead of FTP</li>
<li>If FTP must remain, enforce FTPS (FTP over TLS) and disable plain FTP</li>
<li>Implement IP-based access restrictions and rate limiting</li>
</ul>
</div>
</div>
<div class="finding">
<div class="finding-header">
<h4><span class="severity medium">MEDIUM</span> F-09: Mail Services Support Cleartext Authentication</h4>
</div>
<div class="finding-body">
<p class="label">Description</p>
<p>The POP3 and IMAP services on the hosting server advertise PLAIN and LOGIN authentication mechanisms over unencrypted connections. While STARTTLS is available, the server does not enforce it.</p>
<p class="label">Evidence</p>
<pre><code>POP3 (110): SASL(PLAIN LOGIN) STLS
IMAP (143): AUTH=PLAIN AUTH=LOGINA0001 STARTTLS
IMAPS (993): AUTH=PLAIN AUTH=LOGINA0001 (TLS enforced here)
POP3S (995): SASL(PLAIN LOGIN) (TLS enforced here)</code></pre>
<p class="label">Impact</p>
<p>If users connect via POP3 (port 110) or IMAP (port 143) without upgrading to STARTTLS, their email credentials are transmitted in cleartext, making them susceptible to network sniffing attacks.</p>
<p class="label">Recommendation</p>
<ul>
<li>Enforce STARTTLS on ports 110 and 143 (reject connections that don't upgrade)</li>
<li>Encourage users to use the encrypted ports (993/995) exclusively</li>
<li>Disable PLAIN/LOGIN auth mechanisms on non-TLS connections</li>
</ul>
</div>
</div>
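<p>The following Python check is an added example, not part of the report: it inspects the capability advertisement a POP3 or IMAP server sends before TLS is negotiated and flags the condition in this finding (PLAIN/LOGIN offered on the cleartext ports with STARTTLS only optional), alongside what a correctly configured server announces (<code>STARTTLS</code> plus <code>LOGINDISABLED</code> on 143, <code>STLS</code> without SASL PLAIN/LOGIN on 110). The capability lines are constructed to match the report's observation rather than captured output; function names are the example's own.</p>

```python
"""Added example, not part of the report: a check over the capability
advertisement a POP3 or IMAP server sends before TLS is negotiated, to
flag the F-09 condition (cleartext PLAIN/LOGIN offered on 110/143 while
STARTTLS is optional). The capability lines are constructed to match what
the report observed and what a correctly configured server announces; no
connection is made."""

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def imap_pretls_issues(capability_line):
    """capability_line: the untagged '* CAPABILITY ...' response on port 143.
    A hardened server advertises STARTTLS and LOGINDISABLED (RFC 2595/3501)
    and no AUTH= mechanisms until after STARTTLS has completed."""
    caps = set(capability_line.split()[2:])  # drop '*' and 'CAPABILITY'
    issues = []
    if "STARTTLS" not in caps:
        issues.append("no STARTTLS offered")
    offered = {c[5:] for c in caps if c.startswith("AUTH=")} & CLEARTEXT_MECHS
    if offered:
        issues.append("cleartext mechanisms before TLS: " + ", ".join(sorted(offered)))
    if "LOGINDISABLED" not in caps:
        issues.append("LOGIN command not disabled before TLS")
    return issues


def pop3_pretls_issues(capa_lines):
    """capa_lines: the lines of a POP3 CAPA response on port 110, including
    the '+OK' status line and the terminating '.'. A hardened server
    advertises STLS and neither SASL PLAIN/LOGIN nor USER until after STLS."""
    caps = {}
    for line in capa_lines:
        parts = line.split()
        if parts and parts[0] not in ("+OK", "."):
            caps[parts[0].upper()] = {p.upper() for p in parts[1:]}
    issues = []
    if "STLS" not in caps:
        issues.append("no STLS offered")
    offered = caps.get("SASL", set()) & CLEARTEXT_MECHS
    if offered:
        issues.append("cleartext SASL mechanisms before TLS: " + ", ".join(sorted(offered)))
    if "USER" in caps:
        issues.append("USER/PASS login allowed before TLS")
    return issues


# Constructed capability responses: the first of each pair matches what the
# report observed on 143/110, the second is what a hardened server sends.
OBSERVED_IMAP = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN STARTTLS"
HARDENED_IMAP = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
OBSERVED_POP3 = ["+OK Capability list follows", "SASL PLAIN LOGIN", "STLS", "."]
HARDENED_POP3 = ["+OK Capability list follows", "STLS", "."]

if __name__ == "__main__":
    for label, result in (("IMAP observed", imap_pretls_issues(OBSERVED_IMAP)),
                          ("IMAP hardened", imap_pretls_issues(HARDENED_IMAP)),
                          ("POP3 observed", pop3_pretls_issues(OBSERVED_POP3)),
                          ("POP3 hardened", pop3_pretls_issues(HARDENED_POP3))):
        print(f"{label}: {result or 'OK'}")
```

<p>The same checks are not needed on 993/995, where TLS is implicit and the mechanisms are only ever advertised inside the encrypted session; the risk in this finding is confined to what is offered on 110 and 143 before the STARTTLS/STLS upgrade.</p>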
<!-- ===== 5f. DNS Configuration ===== -->
<h3>5f. DNS Configuration</h3>
<div class="finding">
<div class="finding-header">
<h4><span class="severity low">LOW</span> F-10: Wildcard DNS Record (Subdomain Abuse Potential)</h4>
</div>
<div class="finding-body">
<p class="label">Description</p>
<p>A wildcard DNS record (*.buelltonops.com) resolves all subdomains to the HostGator hosting server at 66.96.162.134. This means any arbitrary subdomain (e.g., admin.buelltonops.com, login.buelltonops.com, payroll.buelltonops.com) will resolve and return a web page.</p>
<p class="label">Evidence</p>
<pre><code>$ dig randomsubdomain123.buelltonops.com A +short
66.96.162.134
$ dig admin.buelltonops.com A +short
66.96.162.134
$ dig payroll.buelltonops.com A +short
66.96.162.134</code></pre>
<p class="label">Impact</p>
<p>Attackers can use convincing subdomain names in phishing campaigns (e.g., "secure-login.buelltonops.com" or "water-billing.buelltonops.com") that will actually resolve, lending credibility to attacks.</p>
<p class="label">Recommendation</p>
<ul>
<li>Remove the wildcard DNS record</li>
<li>Create explicit DNS records only for subdomains that are actually in use</li>
</ul>
</div>
</div>
<div class="finding">
<div class="finding-header">
<h4><span class="severity low">LOW</span> F-11: FTP Banner Information Disclosure</h4>
</div>
<div class="finding-body">
<p class="label">Description</p>
<p>The FTP service reveals the server hostname "domaincom" in its banner message.</p>
<pre><code>220 domaincom FTP Server Ready</code></pre>
<p class="label">Recommendation</p>
<p>Customize the FTP banner to remove identifying information, or replace with a generic legal warning banner.</p>
</div>
</div>
<div class="finding">
<div class="finding-header">
<h4><span class="severity low">LOW</span> F-12: DNSSEC Not Configured</h4>
</div>
<div class="finding-body">
<p class="label">Description</p>
<p>The domain does not use DNSSEC, making it potentially vulnerable to DNS cache poisoning and spoofing attacks.</p>
<p class="label">Recommendation</p>
<p>Enable DNSSEC through the registrar and publish the corresponding DS records. Validating resolvers can then reject forged responses for the domain, which is the protection against the cache poisoning and spoofing attacks described above.</p>
</div>
</div>
<div class="finding">
<div class="finding-header">
<h4><span class="severity low">LOW</span> F-13: No Reverse DNS (PTR) Record for Primary IP</h4>
</div>
<div class="finding-body">
<p class="label">Description</p>
<p>The primary IP (96.82.98.110) has no reverse DNS record. This affects email deliverability and makes the server harder to identify as legitimate.</p>
<pre><code>$ dig -x 96.82.98.110 +short
(NXDOMAIN — no PTR record)</code></pre>
<p class="label">Recommendation</p>
<p>Contact Comcast to set a PTR record for 96.82.98.110 to resolve to buelltonops.com.</p>
</div>
</div>
<!-- ===== Informational ===== -->
<h3>5g. Informational Findings</h3>
<div class="finding">
<div class="finding-header">
<h4><span class="severity info">INFO</span> I-01: Website Non-Functional / Abandoned</h4>
</div>
<div class="finding-body">
<p>The website appears abandoned or misconfigured:</p>
<ul>
<li><strong>HTTP (port 80):</strong> Returns a single-line HTML page with a meta-refresh redirect to an empty URL: <code>&lt;META HTTP-EQUIV=Refresh CONTENT="0; url=http://"&gt;</code></li>
<li><strong>HTTPS (port 443):</strong> Returns a styled "Access Denied — You have been blocked" page from the hosting provider's WAF</li>
<li><strong>Last modified date:</strong> June 22, 2014 — the content has not been updated in nearly 12 years</li>
<li><strong>Primary IP (96.82.98.110):</strong> All web ports are firewalled, no HTTP/HTTPS response</li>
</ul>
<p>If the website is no longer needed, the domain's web hosting should be properly decommissioned rather than left in this state.</p>
</div>
</div>
<div class="finding">
<div class="finding-header">
<h4><span class="severity info">INFO</span> I-02: Domain Expiring Within 3 Months</h4>
</div>
<div class="finding-body">
<p>The domain buelltonops.com expires on <strong>June 13, 2026</strong> — less than 3 months from the assessment date. If the domain lapses, it could be registered by a malicious party and used for phishing or impersonation.</p>
<p class="label">Recommendation</p>
<p>Enable auto-renewal or manually renew the domain immediately. Consider a multi-year renewal.</p>
</div>
</div>
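<p>As an added example, not part of the assessment's own tooling, the following Python check parses WHOIS output for the expiry date and registrar lock statuses and flags the two conditions discussed in this report: an expiry inside a 90-day renewal window (I-02) and any missing lock status (see Domain Lock under Positive Observations). The WHOIS text is constructed to match the dates stated here; the 90-day threshold, the <code>EXPIRY_KEYS</code> list and the inclusion of <code>clientDeleteProhibited</code> as an expected lock are the example's own assumptions.</p>

```python
"""Domain-registration posture check (added example, not the report's own tooling).

Parses key: value lines from WHOIS output and flags an expiry inside the
renewal window and any missing registrar lock status. The sample WHOIS text
is constructed to match the facts stated in the report; it is not real output.
"""
from datetime import date, datetime

# Constructed sample; real WHOIS output carries many more lines.
SAMPLE_WHOIS = """\
Domain Name: BUELLTONOPS.COM
Registry Expiry Date: 2026-06-13T04:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""

ASSESSMENT_DATE = date(2026, 3, 18)   # assessment date stated in the report
RENEWAL_WARNING_DAYS = 90             # assumption: warn when under three months remain

# Assumption: the report confirms the first two locks; clientDeleteProhibited is a
# further EPP status worth setting and is listed here as the example's own choice.
EXPECTED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}

# Registries and registrars label the expiry line differently; assumed common spellings.
EXPIRY_KEYS = {"registry expiry date", "registrar registration expiration date", "expiration date"}


def parse_whois(text):
    """Return (expiry date or None, set of EPP status codes) from WHOIS text."""
    expiry = None
    statuses = set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key in EXPIRY_KEYS and expiry is None:
            # Registries publish RFC 3339 timestamps; the calendar date is enough here.
            expiry = datetime.strptime(value[:10], "%Y-%m-%d").date()
        elif key == "domain status":
            statuses.add(value.split()[0])          # drop the trailing EPP URL
    return expiry, statuses


def assess_registration(text, today):
    """Summarise renewal urgency and lock coverage for a given assessment date."""
    expiry, statuses = parse_whois(text)
    days_left = (expiry - today).days if expiry else None
    return {
        "expiry": expiry,
        "days_left": days_left,
        # An unknown expiry is treated as urgent rather than silently passing.
        "renew_now": days_left is None or days_left <= RENEWAL_WARNING_DAYS,
        "missing_locks": EXPECTED_LOCKS - statuses,
    }


if __name__ == "__main__":
    result = assess_registration(SAMPLE_WHOIS, ASSESSMENT_DATE)
    print(f"expires {result['expiry']} in {result['days_left']} days; renew now: {result['renew_now']}")
    print("missing registrar locks:", sorted(result["missing_locks"]) or "none")
```

<p>Run on a schedule (for example from a monthly job that pipes real <code>whois</code> output into <code>assess_registration</code>), this turns the expiry date into an alert well before the domain can lapse.</p>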
<div class="finding">
<div class="finding-header">
<h4><span class="severity info">INFO</span> I-03: Primary Server on Comcast Business IP</h4>
</div>
<div class="finding-body">
<p>The domain's A record points to 96.82.98.110, which is allocated to Comcast Cable Communications (residential/business cable block 96.64.0.0/11). Business cable IPs can change if DHCP leases are not static, and Comcast does not provide PTR records for dynamic IPs by default. This is atypical for production infrastructure.</p>
</div>
</div>
<!-- ============ 6. POSITIVE OBSERVATIONS ============ -->
<h2>6. Positive Observations</h2>
<p>The following security controls were found to be properly configured:</p>
<table>
<tr><th>Area</th><th>Observation</th></tr>
<tr><td>TLS Configuration</td><td>Strong cipher suites — TLSv1.2 and TLSv1.3 only, all rated A-grade. No legacy protocols (SSLv3, TLSv1.0, TLSv1.1).</td></tr>
<tr><td>SSL Vulnerabilities</td><td>No Heartbleed (CVE-2014-0160), POODLE (CVE-2014-3566), or CCS injection (CVE-2014-0224) vulnerabilities detected.</td></tr>
<tr><td>FTP Anonymous Access</td><td>Anonymous FTP login correctly denied.</td></tr>
<tr><td>FTP Backdoors</td><td>No known ProFTPD or vsftpd backdoors detected.</td></tr>
<tr><td>cPanel Access</td><td>cPanel management ports (2082-2087, 2095-2096) are closed on the hosting server.</td></tr>
<tr><td>Firewall Presence</td><td>The primary server has firewall rules that block most direct connection attempts — the intent is correct even though the implementation has gaps.</td></tr>
<tr><td>Domain Lock</td><td>Domain has clientTransferProhibited and clientUpdateProhibited status, preventing unauthorized transfers.</td></tr>
<tr><td>Cookie Flags</td><td>The HttpOnly flag is set on cookies, preventing JavaScript access.</td></tr>
<tr><td>WAF Presence</td><td>The hosting provider has a WAF that blocks suspicious HTTPS requests.</td></tr>
</table>
<!-- ============ 7. REMEDIATION ROADMAP ============ -->
<h2>7. Remediation Roadmap</h2>
<h3>Priority 1 — Immediate (0-7 days)</h3>
<table>
<tr><th>Finding</th><th>Action</th><th>Effort</th></tr>
<tr><td>F-01: No DMARC</td><td>Add DMARC TXT record (monitoring mode: p=none)</td><td>15 minutes</td></tr>
<tr><td>F-05: Weak SPF</td><td>Change <code>?all</code> to <code>~all</code> in SPF record</td><td>5 minutes</td></tr>
<tr><td>I-02: Domain expiring</td><td>Renew domain registration immediately</td><td>10 minutes</td></tr>
</table>
<h3>Priority 2 — Short Term (1-4 weeks)</h3>
<table>
<tr><th>Finding</th><th>Action</th><th>Effort</th></tr>
<tr><td>F-03: No DKIM</td><td>Generate DKIM keys, publish DNS record, configure mail server</td><td>1-2 hours</td></tr>
<tr><td>F-06: SSL mismatch</td><td>Install valid SSL certificate for buelltonops.com</td><td>30 minutes</td></tr>
<tr><td>F-04: MySQL exposed</td><td>Bind MySQL to localhost in server config</td><td>15 minutes</td></tr>
<tr><td>F-10: Wildcard DNS</td><td>Remove wildcard record, add only needed subdomains</td><td>15 minutes</td></tr>
<tr><td>F-05: SPF hardening</td><td>Upgrade SPF to <code>-all</code> after confirming all senders</td><td>30 minutes</td></tr>
</table>
<h3>Priority 3 — Medium Term (1-3 months)</h3>
<table>
<tr><th>Finding</th><th>Action</th><th>Effort</th></tr>
<tr><td>F-02: Stateless firewall</td><td>Upgrade to stateful firewall with conntrack</td><td>2-4 hours</td></tr>
<tr><td>F-07: Security headers</td><td>Add all missing HTTP security headers</td><td>1 hour</td></tr>
<tr><td>F-08: FTP exposed</td><td>Migrate to SFTP, disable FTP</td><td>1-2 hours</td></tr>
<tr><td>F-09: Cleartext auth</td><td>Enforce STARTTLS on mail ports</td><td>30 minutes</td></tr>
<tr><td>F-01: DMARC hardening</td><td>Escalate DMARC policy to p=quarantine, then p=reject</td><td>Ongoing</td></tr>
<tr><td>I-01: Dead website</td><td>Either deploy a functional site or properly decommission hosting</td><td>Varies</td></tr>
</table>
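<p>Added example, not the report's own tooling: a small Python checker that grades an SPF record by its <code>all</code> qualifier and a DMARC record by its <code>p=</code> tag, so each stage of the roadmap (F-05 <code>?all</code> to <code>~all</code> to <code>-all</code>; F-01 no record, then <code>p=none</code>, then <code>p=quarantine</code>/<code>p=reject</code>) can be verified after the change is made. The record strings are constructed samples; the <code>include:</code> host and the <code>rua</code> mailbox are placeholders, and in practice the records would be fetched from DNS for the domain and for <code>_dmarc.&lt;domain&gt;</code>.</p>

```python
"""SPF / DMARC posture check (added example, not the report's own tooling).

Grades the TXT records the roadmap asks the client to change: the SPF 'all'
qualifier (F-05) and the DMARC policy tag (F-01). Records are passed in as
strings so the constructed samples below run offline.
"""
import re

# Grades from worst to best; the overall grade is the weaker of the two records.
GRADE_ORDER = ["fail", "weak", "monitoring", "ok", "strong"]

# Constructed samples (placeholder include host and report mailbox), one per roadmap stage.
BEFORE = ("v=spf1 include:spf.hosting.example ?all", None)
AFTER_PRIORITY_1 = ("v=spf1 include:spf.hosting.example ~all",
                    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com")
AFTER_PRIORITY_3 = ("v=spf1 include:spf.hosting.example -all",
                    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com")


def spf_all_qualifier(spf_record):
    """Return the qualifier of the 'all' mechanism: '+', '-', '~' or '?', or None if invalid."""
    if not spf_record.lower().startswith("v=spf1"):
        return None
    for term in spf_record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"     # a bare 'all' means '+all' (pass everyone)
    return "?"                           # RFC 7208: no matching mechanism is Neutral, like ?all


def assess_spf(spf_record):
    """Map the 'all' qualifier to a grade."""
    if not spf_record:
        return "fail"                    # no SPF record published
    return {
        None: "fail",                    # malformed record, receivers ignore it
        "+": "fail",                     # +all: any host may send as the domain
        "?": "weak",                     # ?all: neutral, effectively no policy (F-05 as found)
        "~": "ok",                       # ~all: softfail, the Priority 1 change
        "-": "strong",                   # -all: hardfail, the Priority 2 target
    }[spf_all_qualifier(spf_record)]


def parse_dmarc(dmarc_record):
    """Parse 'v=DMARC1; p=...; ...' into a dict of lowercase tag names."""
    tags = {}
    for part in dmarc_record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(dmarc_record):
    """Map the DMARC policy tag to a grade."""
    if not dmarc_record:
        return "fail"                    # F-01: no DMARC record at all
    tags = parse_dmarc(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "fail"                    # malformed records are ignored by receivers
    policy = tags["p"].lower()
    grade = {"none": "monitoring", "quarantine": "ok", "reject": "strong"}.get(policy, "fail")
    # pct below 100 applies the policy to only part of the mail stream.
    if grade in ("ok", "strong") and int(tags.get("pct", "100")) != 100:
        grade = "ok"
    return grade


def assess_email_auth(spf_record, dmarc_record):
    """Grade both records and the overall posture (the weaker of the two)."""
    spf = assess_spf(spf_record)
    dmarc = assess_dmarc(dmarc_record)
    return {"spf": spf, "dmarc": dmarc, "overall": min(spf, dmarc, key=GRADE_ORDER.index)}


if __name__ == "__main__":
    for label, records in (("as found", BEFORE), ("after Priority 1", AFTER_PRIORITY_1),
                           ("after Priority 3", AFTER_PRIORITY_3)):
        print(f"{label:>17}: {assess_email_auth(*records)}")
```

<p>The grade is deliberately capped at the weaker record: a <code>-all</code> SPF record does little for spoofed <code>From:</code> headers while DMARC is absent, which is why the roadmap treats DMARC monitoring as a Priority 1 item and policy escalation as ongoing work.</p>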
<h3>Priority 4 — Long Term</h3>
<table>
<tr><th>Finding</th><th>Action</th><th>Effort</th></tr>
<tr><td>F-12: DNSSEC</td><td>Enable DNSSEC at registrar</td><td>1-2 hours</td></tr>
<tr><td>F-13: PTR record</td><td>Request PTR record from Comcast</td><td>30 minutes + ISP wait</td></tr>
<tr><td>I-03: Comcast IP</td><td>Consider migrating to a static IP or dedicated hosting</td><td>Varies</td></tr>
</table>
<!-- ============ 8. APPENDIX ============ -->
<h2>8. Appendix: Port Scan Results</h2>
<h3>A.1 Primary Server (96.82.98.110) — TCP SYN Scan</h3>
<pre><code>PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
25/tcp filtered smtp
53/tcp filtered domain
80/tcp filtered http
110/tcp filtered pop3
143/tcp filtered imap
443/tcp closed https
445/tcp filtered microsoft-ds
993/tcp filtered imaps
995/tcp filtered pop3s
1433/tcp filtered ms-sql-s
2082/tcp filtered infowave (cPanel HTTP)
2083/tcp filtered radsec (cPanel HTTPS)
2086/tcp filtered gnunet (WHM HTTP)
2087/tcp filtered eli (WHM HTTPS)
2095/tcp filtered nbx-ser (Webmail HTTP)
2096/tcp filtered nbx-dir (Webmail HTTPS)
3306/tcp filtered mysql
3389/tcp filtered ms-wbt-server
8080/tcp filtered http-proxy
8443/tcp filtered https-alt
8880/tcp filtered cddbp-alt
10000/tcp filtered snet-sensor-mgmt (Webmin)</code></pre>
<h3>A.2 Hosting Server (66.96.162.134) — Service Detection</h3>
<pre><code>PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
80/tcp open http OpenResty web app server
110/tcp open pop3 Dovecot pop3d
143/tcp open imap Dovecot imapd
443/tcp open ssl/http OpenResty web app server
993/tcp open ssl/imap Dovecot imapd
995/tcp open ssl/pop3 Dovecot pop3d
2082-2096/tcp closed (cPanel ports)
3306/tcp closed mysql
8080/tcp closed http-proxy
8443/tcp closed https-alt</code></pre>
<h3>A.3 Mail Server (66.96.140.125) — Service Detection</h3>
<pre><code>PORT STATE SERVICE
25/tcp filtered smtp
110/tcp closed pop3
143/tcp closed imap
465/tcp closed smtps
587/tcp closed submission
993/tcp closed imaps
995/tcp closed pop3s</code></pre>
<h3>A.4 Firewall Analysis Summary</h3>
<table>
<tr><th>Scan Type</th><th>Technique</th><th>Result</th><th>Interpretation</th></tr>
<tr><td>SYN (-sS)</td><td>Standard connect</td><td>filtered</td><td>Firewall drops SYN packets</td></tr>
<tr><td>ACK (-sA)</td><td>ACK flag only</td><td>unfiltered</td><td>Firewall passes ACK (stateless)</td></tr>
<tr><td>Window (-sW)</td><td>TCP window analysis</td><td>open</td><td>Services confirmed running</td></tr>
<tr><td>NULL (-sN)</td><td>No flags set</td><td>closed</td><td>OS TCP stack reachable</td></tr>
<tr><td>FIN (-sF)</td><td>FIN flag only</td><td>closed</td><td>OS TCP stack reachable</td></tr>
<tr><td>Xmas (-sX)</td><td>FIN+PSH+URG</td><td>closed</td><td>OS TCP stack reachable</td></tr>
<tr><td>Fragment (-f)</td><td>Fragmented SYN</td><td>filtered</td><td>Firewall reassembles fragments</td></tr>
<tr><td>Source port 53</td><td>DNS source port spoof</td><td>filtered</td><td>Firewall not fooled by src port</td></tr>
</table>
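<p>The table above reads as a filter that decides on TCP flags alone. The Python model below, added here as an illustration and not part of the assessment, replays the same probe set against a stateless rule set and against a conntrack-style stateful one (the F-02 remediation) and reports how each outcome would be classified by a scanner. Addresses, ports and the filter logic are constructed simplifications of real firewall behaviour.</p>

```python
"""Stateless vs. stateful packet filtering, modelled in Python (added example).

A filter that only drops SYN packets still lets ACK, NULL, FIN and Xmas probes
reach the TCP stack, which replies with RST. A stateful filter has no
connection entry for those probes and drops them as INVALID. This model
replays the A.4 probe set against both; all values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset     # subset of {"SYN", "ACK", "FIN", "PSH", "URG", "RST"}
    inbound: bool        # True = arrives from the Internet toward the protected host


PROTECTED = "10.0.0.5"           # constructed address standing in for the primary server
SCANNER = "203.0.113.7"          # constructed external address (documentation range)


def stateless_filter(pkt):
    """Per-packet decision with no memory: block only connection attempts (SYN without ACK)."""
    if pkt.inbound and "SYN" in pkt.flags and "ACK" not in pkt.flags:
        return "DROP"
    return "ACCEPT"              # ACK-only, NULL, FIN and Xmas probes all pass


class StatefulFilter:
    """Conntrack-style filter: inbound packets are accepted only on a tracked
    connection or as a new connection to an explicitly allowed port."""

    def __init__(self, allowed_inbound_ports=frozenset()):
        self.allowed = allowed_inbound_ports
        self.table = {}          # (src, sport, dst, dport) -> state

    def decide(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:          # NEW
            if pkt.inbound and pkt.dport not in self.allowed:
                return "DROP"                                       # unsolicited connection attempt
            self.table[key] = "SYN_SENT"
            return "ACCEPT"
        if key in self.table or reverse in self.table:              # ESTABLISHED / RELATED
            if reverse in self.table:
                self.table[reverse] = "ESTABLISHED"                 # reply seen for our SYN
            return "ACCEPT"
        return "DROP"            # no state and not a SYN: conntrack treats this as INVALID


def probe(filter_fn, flags):
    """Send one inbound probe to port 80 and return the scanner's interpretation."""
    pkt = Packet(SCANNER, 40000, PROTECTED, 80, frozenset(flags), inbound=True)
    if filter_fn(pkt) == "DROP":
        return "filtered"        # silently dropped: no reply of any kind
    if "SYN" in flags and "ACK" not in flags:
        return "open"            # a listening service would answer SYN-ACK
    # The probe reached the TCP stack, which answers RST when no connection exists:
    # reported as "unfiltered" for an ACK scan and "closed" for NULL/FIN/Xmas scans.
    return "unfiltered" if "ACK" in flags else "closed"


def scan_summary(make_filter):
    """Run the A.4 probe set against a fresh filter; returns {scan name: state}."""
    probes = {"SYN": {"SYN"}, "ACK": {"ACK"}, "NULL": set(),
              "FIN": {"FIN"}, "Xmas": {"FIN", "PSH", "URG"}}
    return {name: probe(make_filter(), flags) for name, flags in probes.items()}


def outbound_session_allowed():
    """The protected host opens a connection out; the stateful filter must admit the reply."""
    fw = StatefulFilter()
    syn = Packet(PROTECTED, 51000, "198.51.100.9", 443, frozenset({"SYN"}), inbound=False)
    synack = Packet("198.51.100.9", 443, PROTECTED, 51000, frozenset({"SYN", "ACK"}), inbound=True)
    ack = Packet(PROTECTED, 51000, "198.51.100.9", 443, frozenset({"ACK"}), inbound=False)
    return [fw.decide(p) for p in (syn, synack, ack)]


if __name__ == "__main__":
    print("stateless:", scan_summary(lambda: stateless_filter))
    print("stateful: ", scan_summary(lambda: StatefulFilter().decide))
    print("outbound session through stateful filter:", outbound_session_allowed())
```

<p>The stateless run reproduces the A.4 column exactly (SYN filtered, ACK unfiltered, NULL/FIN/Xmas closed); the stateful run reports every probe as filtered while still admitting the reply to a connection the host opened itself, which is the behaviour the F-02 remediation is meant to achieve.</p>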
<!-- ============ FOOTER ============ -->
<div class="footer">
<p><strong>Autosys, LLC</strong> — Security Assessment Division</p>
<p>This document is confidential and intended solely for the client. Unauthorized distribution is prohibited.</p>
<p>Report generated March 18, 2026</p>
</div>
</div><!-- .content -->
</div><!-- .page -->
</body>
</html>