[HIGH] Undocumented media server at 10.1.11.21 with 8 exposed services #36

Open
opened 2026-05-06 10:46:24 -05:00 by pjennings · 0 comments
Owner

Description

Host 10.1.11.21 (MAC: 00:0F:53:3B:6B:A1, Solarflare NIC) is running at least 8 network-accessible services and is completely undocumented.

Finding Details

  • Host: 10.1.11.21 (unknown hostname, Solarflare Communications NIC)
  • OS: Linux 5.x (nmap fingerprint)
  • Discovered by: Rootful nmap SYN scan with service detection, 2026-05-06

Exposed Services

| Port | Service | Technology | Risk |
|------|---------|------------|------|
| 22/tcp | SSH | OpenSSH 9.9 | Password auth enabled (see #37) |
| 3000/tcp | Web app | SvelteKit | Dashboard UI accessible |
| 5055/tcp | Web app | Node.js Express | Login page, X-Powered-By header leak |
| 6500/tcp | Torrent client | .NET Kestrel - Real-Debrid Torrent Client | Torrent management UI exposed |
| 8080/tcp | API server | Python uvicorn | REST API accessible |
| 8096/tcp | Media server | .NET Kestrel (likely Jellyfin) | Media server web UI exposed |
| 8191/tcp | Automation | Pylons Waitress (likely Bazarr/Sonarr) | Automation UI accessible |
| 9117/tcp | Dashboard | .NET Kestrel, redirects to /UI/Dashboard | Admin dashboard exposed |
| 9637/tcp | Stremio addon | Node.js Express, redirects to /stremio/configure | Stremio addon config accessible |

Risk

This host appears to be a media automation stack (Real-Debrid, Jellyfin, Stremio, likely *arr suite) with no documented ownership, multiple unauthenticated web UIs, a torrent client management interface exposed to the LAN, and SSH with password authentication enabled.

Recommendations

  1. Identify the owner - determine who deployed this host
  2. Document in infrastructure inventory
  3. Restrict service access - bind to localhost or use reverse proxy with auth
  4. Disable SSH password auth
  5. Add firewall rules
  6. Review authentication on each web service

References

  • Related: docs/network-scan-2026-05-06.md (Finding F-01)
  • Related: #33 (Undocumented hosts on 10.1.12.x)
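
A host-side check for recommendations 3 and 4, as an added example that is not part of the original issue: it lists TCP listeners that are not bound to loopback from `ss -tlnH` output and reads the effective password-auth setting from `sshd -T` output. The function names are hypothetical and the sample input is constructed, not captured from the host.

```shell
#!/bin/sh
# Added example: sample inputs below are constructed, not taken from 10.1.11.21.

# Print TCP ports whose listener is reachable from the network, i.e. bound to
# anything other than loopback. Reads `ss -tlnH` output on stdin.
nonlocal_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, parts, ":")              # port follows the last colon
        port = parts[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host !~ /^127\./ && host != "[::1]") print port
    }' | sort -nu                              # merge IPv4 and IPv6 duplicates
}

# Print the effective PasswordAuthentication value (yes/no).
# Reads `sshd -T` output on stdin.
password_auth_state() {
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }'
}

# Constructed sample: two services already rebound to loopback, three not.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 *:3000 *:*
LISTEN 0 512 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 512 [::]:8096 [::]:*
LISTEN 0 128 [::1]:9117 [::]:*'

# Constructed sample of effective sshd settings.
SAMPLE_SSHD='port 22
passwordauthentication yes
permitrootlogin no'

echo "Listeners not bound to loopback:"
printf '%s\n' "$SAMPLE_SS" | nonlocal_listeners
echo "PasswordAuthentication: $(printf '%s\n' "$SAMPLE_SSHD" | password_auth_state)"

# On the host itself (as root):
#   ss -tlnH | nonlocal_listeners
#   sshd -T  | password_auth_state
```

After remediation, the first function should print only the ports that are meant to be reachable from the LAN, and the second should print `no`.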