
Host case May 15, 2026

23.239.19.219: Exposed LlamaIndex Chat with Broken Backend, Multi-Tenant SNI Co-Tenancy

Sector
Commercial

NuClide Research · 2026-05-15
Category: 07 RAG Stacks (frameworks tier)
Status: confirmed unauth surface; corpus disclosure unverified (operator LLM broken)


Subject

23.239.19.219. Linode US datacenter (Akamai AS), 23.239.0.0/19, rDNS 23-239-19-219.ip.linodeusercontent.com. Linode shared-allocation, neighbor at .217 is harperdbcloud.com. No AS63949 honeypot salt match. Verdict “no honeypot signals” per aimap-profile.

DCWF KSAT coverage

Auto-derived from DCWF AI work-role rule files (ksat-tag).

  • 672 (AI Test & Evaluation Specialist): K7003, K7004, K7044, S7068, S7070, S7075, T5858, T5904, T5919
  • 733 (AI Risk & Ethics Specialist): K7040, K7051, S7056, T5854, T5893
  • overlap (Common AI KSATs (all 5 roles)): K1158, K1159, K22, K6311, K6900, K6935, K7003, K942, S7065, T5896

Multi-tenant nginx SNI-routed reverse proxy on 80/443, fronting:

  • commandz.gochatus.org: default cert (Let’s Encrypt R13, valid 2026-04-09 → 2026-07-08). Serves a 1,119-byte Phaser.js game index.html referencing /assets/index-Cb6Avark.js that 404s. Deploy artifact / decoy. Non-functional.
  • lakesideart.gochatus.org: separate SNI vhost serving a 32,921-byte commercial site, 湖畔美术教育 / Lakeside Art Education, a Chinese art-education business with Vancouver BC phone +1 604-339-8919.

Application surface beyond the static vhosts:

  • Port 8000 (uvicorn): LlamaIndex Chat per /openapi.json info.title. FastAPI-generated server with 4 declared routes: GET /, GET /api/health, POST /api/session, POST /api/chat. No auth scheme declared.
  • Port 3000 (Express): Node.js + Socket.IO v4. 404s on every REST path, but /socket.io/?EIO=4&transport=polling returns a valid sid and the 40 (CONNECT) namespace handshake is accepted anonymously.
  • Port 9090: nginx 1.18.0 (Ubuntu) banner per nmap -sV, but HTTP/1.1 returns empty body, TLS handshake fails (wrong version number), HTTP/2 prior-knowledge fails (unexpected data while we expected SETTINGS frame), gRPC list times out. Unknown binary protocol.

Operator identity: gochatus.org registered behind Cloudflare WHOIS privacy. Cert-pivot via crt.sh enumerates SAN tree: commandz., hello. (Vercel CDN, “Emoji Encode”), home. (Telus Fibre Vancouver residential, passiveV2 only), lakesideart., welcome. (separate Linode 45.79.84.173, title “Guanghui Chen’s Personal Homepage”). Lakeside Art’s Vancouver 604 area code is the primary-source attribution; the personal-homepage title is framing.

Discovery

Target was handed over directly (no Shodan dork ran). Arsenal-fanout pattern, all 19 tools.

  • JAXEN: jaxen lookup deprecated; jaxen aimap wrapper found 6 open ports, 0 AI fingerprints (gap below).
  • aimap (-target ip --scan-all-fingerprints): direct invocation returned 0 open ports despite curl confirming 443 alive — discovery-phase flake. Wrapper found 6 open ports but Phase-2 returned “No AI/ML services identified”. Fingerprint gap: aimap has no LlamaIndex Chat fingerprint as of v1.8.
  • aimap-profile: identified Linode/Akamai org. Honeypot score 0, no salt match. Adjacency PTR sweep surfaced harperdbcloud.com on .217. Classification: unclassified.
  • VisorGraph (-ip seed): 6 nodes / 1 edge after 23 probes. CT-log pivot surfaced commandz + www.commandz. Probed port 9090 internally, returned 0 nodes (silently labeled “prometheus” source — embedded port assumption).
  • VisorGraph (-domain gochatus.org): cert + CT-log pivots, 7 nodes total across operator subdomain tree.
  • VisorBishop (-ip-shadow-all): all 5 targets returned platform=unconfirmed severity=none. IP-shadow flagged port 9090 as service: prometheus and port 8000 as service: chromadb — both wrong. Banner-only labels without endpoint verification.
  • VisorSD: blocked, invalid SHODAN_API_KEY. Null result logged.
  • VisorGoose (probe): probed :11434/api/version (Ollama default), connect refused. No Ollama on host.
  • menlohunt: 5 findings (port_open INFO/LOW/MEDIUM). Also labeled 9090 as Prometheus and retried 17 Prometheus-API paths against it.
  • recongraph: multi-seed run completed in 0s wall time; 0 nodes (budget consumed by failed Shodan probes upstream).
  • nu-recon: reverse-DNS OK; crt.sh returned 502; Shodan key absent → fell into simulated mode ("simulated": true).
  • VisorLog: 4 events ingested into nuclide.db (after schema-mapping correction: dotted keys event.severity / host.ip / nuclide.tags, not flat names). Rows 1034–1037.
  • VisorScuba: 839 nodes assessed across nuclide.db; this host’s rows score 0/10 with 0 violations, because OPA-baseline coverage does not yet include the LlamaIndex Chat platform class.
  • BARE: 3,904-module corpus encoded; top matches for “Unauthenticated LlamaIndex Chat” cosine ≈ 0.49–0.52 (Drupal RESTws, LifeSize UVC ping RCE, MicroFocus Secure Messaging Gateway). All weak semantic matches — no Metasploit module covers create-llama unauth. Null actionable result is a result.
  • VisorCorpus: 137 cases generated (77 HIGH, 15 CRITICAL) in corpus_rag.json: 18 kb_exfiltration, 16 prompt_injection, 15 each of infra_discovery / jailbreak / system_prompt / tenant_cross_leak. Ready for VisorAgent.
  • VisorRAG: failed at init — OpenAI embedding API key absent (401 Unauthorized).
  • VisorAgent: ethical-stop, not pointed at survey host. Internal-agent benchmark run against localhost:34873 listener, but each step required ANTHROPIC_API_KEY (absent).
  • cortex: Markdown analysis run, severity=informational. Cortex’s authorization-context framework is built for malicious-actor analysis (iloveyou, xz_utils, stuxnet) rather than OSINT-exposure reporting — fits poorly. Format mismatch documented.
  • VisorHollow: Windows-only, not applicable to Linux cloud target.
  • VisorPlus: orchestrator pass, 5/6 stages completed: whois + nmap + SSH fingerprint + passive DNS (5 hostnames) + Ollama probe (refused).
  • JS-bundle extract: port-8000 LlamaIndex HTML is fully inline (no separate bundle); port-443 phaser bundle 404s (Asset not found); Lakeside Art HTML is inline-only. Null target set — no bundle extraction surface.

Verification

What was verified (auth-on-default surface, MEDIUM)

  1. Anonymous session creation. POST http://23.239.19.219:8000/api/session returned {"session_id":"523babc5d14642748d3564173b9ca466"} without any credential.
  2. Anonymous chat-request acceptance. POST /api/chat with {session_id, message:"hi", include_sources:true} returned a parseable error body ({"detail":"LLM request failed."}) from the FastAPI app, confirming the request schema validated and the handler ran.
  3. OpenAPI declares no security schemes. /openapi.json is a 3,320-byte spec with info.title: "LlamaIndex Chat", 4 paths, zero securitySchemes.
  4. Socket.IO CONNECT accepted anonymously. 40 handshake to /socket.io/?EIO=4&transport=polling&sid=<sid> returned 40{"sid":"<new>"} confirming default namespace open.
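Step 3's securitySchemes check, generalized to per-operation `security` lists and to requirements that name a scheme the document never defines, as an added audit function (not code from this record, from create-llama or from LlamaIndex); SAMPLE_SPEC is constructed to mirror the reported four-route, zero-scheme shape of the port-8000 spec and is not the captured document.

```python
# Added audit helper (not from the engagement record, create-llama or LlamaIndex):
# list every OpenAPI 3 operation that no effective security requirement covers.
# SAMPLE_SPEC is constructed to mirror the reported shape of port 8000's spec
# (4 routes, no securitySchemes); it is not the captured document.

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

SAMPLE_SPEC = {
    "openapi": "3.1.0",
    "info": {"title": "LlamaIndex Chat", "version": "0.1.0"},
    "paths": {
        "/": {"get": {"summary": "Index"}},
        "/api/health": {"get": {"summary": "Health"}},
        "/api/session": {"post": {"summary": "Create session"}},
        "/api/chat": {"post": {"summary": "Chat"}},
    },
    "components": {},
}

def unauthenticated_operations(spec):
    """Return (info.title, [(METHOD, path), ...]) for operations with no
    effective security requirement. An operation counts as protected only
    when its own `security` list, or the document-level one it inherits,
    names at least one scheme that is defined in components.securitySchemes.
    `security: []` on an operation explicitly removes the global requirement,
    and a requirement naming an undefined scheme protects nothing."""
    defined = set((spec.get("components") or {}).get("securitySchemes") or {})

    def covered(requirements):
        return any(set(req) & defined for req in (requirements or []))

    global_ok = covered(spec.get("security"))
    exposed = []
    for path, item in (spec.get("paths") or {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:   # skip "parameters", "summary", etc.
                continue
            ok = covered(op["security"]) if "security" in op else global_ok
            if not ok:
                exposed.append((method.upper(), path))
    return spec.get("info", {}).get("title", ""), exposed

if __name__ == "__main__":
    # Real use: unauthenticated_operations(json.load(open("openapi.json")))
    title, exposed = unauthenticated_operations(SAMPLE_SPEC)
    print(f"{title}: {len(exposed)} operation(s) reachable with no declared auth")
    for method, path in exposed:
        print(f"  {method} {path}")
```

Run it against your own deployment's /openapi.json before exposing a create-llama app: an empty result means every operation inherits at least one defined scheme, which is the condition this host failed.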

What was NOT verified (corpus disclosure claim retracted)

The LlamaIndex Chat backend’s LLM call returns "LLM request failed". Operator’s upstream provider (OpenAI/Anthropic/local) is broken or out of quota. The include_sources: true payload never delivered RAG chunks. The published finding is unauth surface on broken backend, not corpus disclosure.

The earlier ledger row was downgraded HIGH → MEDIUM after advisor review. The corrected finding stands on the auth-on-default thesis evidence base (Insight #13 / SYNTHESIS-2026-05): operator inherited the create-llama default of no-auth, exposing what would be the corpus surface if the backend were functional.

What was NOT probed (restraint ethic)

  • Socket.IO handler enumeration: emitting events to discover handlers is exploitation, not enumeration. Stop.
  • Lakeside Art /admin (401): out of scope (commercial business, not the RAG-frameworks target class) and auth working correctly.
  • /api/pricing POST on Lakeside Art: admin-gated CMS write surface; not in scope.
  • home.gochatus.org Telus residential IP: passiveV2 only; no active probe on personal/residential infrastructure.
  • Operator’s broken LLM endpoint: fixing or fingerprinting the failure crosses from enumeration to interference.

Insight candidate #22: port-9090 → Prometheus FP, three tools simultaneously

VisorBishop’s ip-shadow, menlohunt’s port-scan classifier, and VisorGraph’s active-nonintrusive prometheus probe all flagged port 9090 on this host as Prometheus before any /api/v1/targets or /metrics probe response confirmed identity. Banner from nmap -sV revealed nginx 1.18.0 (Ubuntu), but the actual service responds with HTTP/1.1 empty reply, fails TLS handshake (wrong version number), fails HTTP/2 prior-knowledge (unexpected data in place of SETTINGS frame), and times out on gRPC enumeration. Unknown binary protocol on an nginx banner. Possibly a misconfigured reverse-proxy upstream timeout, possibly a custom application binding.

The cross-tool failure pattern: port number is being used as a primary identity signal in three independent tools, in defiance of Insight #6 (conjunctive marker-anchored fingerprints). Codify as Insight candidate #22. “Port-9090 / port-9100 → Prometheus / node_exporter is an embedded assumption that breaks against nginx/binary-protocol confounders; require a verifying probe (/api/v1/status/buildinfo or /metrics body shape) before tagging Prometheus.”

Operator footprint

Subdomain                      Resolves to                      Hosts
gochatus.org                   (no A — Cloudflare NS only)
commandz.gochatus.org          23.239.19.219                    Phaser game decoy (port 443) + LlamaIndex Chat (port 8000) + Express+Socket.IO (port 3000)
www.commandz.gochatus.org      23.239.19.219                    same as commandz
hello.gochatus.org             Vercel CDN                       “Emoji Encode” — third-party-hosted experiment
home.gochatus.org              108.172.174.202                  Telus Fibre Vancouver residential — operator’s home network
lakesideart.gochatus.org       23.239.19.219 (SNI-routed)       Lakeside Art Education commercial site (湖畔美术教育)
www.lakesideart.gochatus.org   23.239.19.219                    same
welcome.gochatus.org           45.79.84.173 (separate Linode)   “Guanghui Chen’s Personal Homepage”

The personal-homepage title at welcome is framing. The operator could be named Guanghui Chen, or the title could be inherited. Vancouver-area Lakeside Art commercial business (+1 604-339-8919) and Telus Fibre Vancouver home network are the primary-source attribution anchors.

Disclosure routing

Not recommended on current evidence. The exposure is the operator’s own infrastructure (single individual, no third-party-tenant data), the LLM backend is currently broken (no live corpus chunks to be exfiltrated by an attacker today), and the Lakeside Art commercial site is unrelated to the RAG framework finding. The operator-as-victim model holds; pivoting to disclosure would require a verified corpus-disclosure proof that the current state does not support.

If routed in the future, primary channel is the lakesideart.gochatus.org Vancouver phone line. Cloudflare-shielded WHOIS rules out registrant email.

Auth-on-default thesis impact

This is a confirming data point for the LlamaIndex Chat platform class within the broader RAG-framework category. The 2026-05-04 rag-framework cross-cloud survey found 2 “genuine” LlamaIndex Chat hosts in the PrivateGPT bucket of 119 (which the survey acknowledged was 98% FastAPI-FP). This host represents a third confirmed create-llama-generated LlamaIndex Chat instance on a tier-2 cloud, consistent with the platform-class pattern: Tier-A (no-auth-concept) → unauth at population scale.

The discovery vector here (handed-over IP, not Shodan dork) suggests the prior survey’s Shodan brand-dork ceiling for LlamaIndex Chat is real. Insight #21 (port-first beats brand-dork for low-footprint platforms) applies. A port-first re-run on tier-2 (port 8000 + uvicorn server header + LlamaIndex Chat HTML title conjunctive) would likely surface more.
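Insight candidate #22's verifying-probe rule and the conjunctive port-first marker set proposed here (uvicorn server header + LlamaIndex Chat HTML title + openapi title) share one mechanism, so both are shown in a single added classifier that is not code from this record or from VisorBishop, menlohunt or VisorGraph. The buildinfo and text-exposition shapes are Prometheus's public formats; the exact `<title>` string, the observation layout and every response body are assumptions constructed for the example.

```python
# Added classifier (not from the engagement record or any tool it names): a service
# is tagged only when ALL of a rule's response-shape markers hold. The port is never
# a marker, so an nginx banner or an empty reply on 9090 cannot yield a Prometheus tag.
import json, re

def load_obj(body):
    # parse a JSON object body; non-JSON or non-object bodies become {}
    try:
        doc = json.loads(body)
    except ValueError:
        return {}
    return doc if isinstance(doc, dict) else {}

def buildinfo_ok(body):
    # Prometheus /api/v1/status/buildinfo: {"status":"success","data":{"version":...}}
    doc = load_obj(body)
    return doc.get("status") == "success" and "version" in (doc.get("data") or {})

def exposition_ok(body):
    # Prometheus text exposition: a # HELP/# TYPE line plus at least one sample line
    meta = re.search(r"^# (HELP|TYPE) \S+", body, re.M)
    sample = re.search(r"^[A-Za-z_:][A-Za-z0-9_:]*(\{[^}]*\})? \S+", body, re.M)
    return bool(meta and sample)

RULES = {  # rule name -> markers over an observation; every marker must hold
    "prometheus": [
        lambda o: buildinfo_ok(o["paths"].get("/api/v1/status/buildinfo", "")),
        lambda o: exposition_ok(o["paths"].get("/metrics", "")),
    ],
    "llamaindex-chat": [  # uvicorn header + HTML <title> (assumed exact) + openapi title
        lambda o: o["headers"].get("server", "").startswith("uvicorn"),
        lambda o: "<title>LlamaIndex Chat</title>" in o["paths"].get("/", ""),
        lambda o: load_obj(o["paths"].get("/openapi.json", "")).get("info", {}).get("title") == "LlamaIndex Chat",
    ],
}

def classify(obs):
    # obs = {"port": int, "headers": {lowercase-name: value}, "paths": {path: body}}
    # returns every rule whose markers all hold; [] means unknown, not "guess from port"
    return [name for name, markers in RULES.items() if all(m(obs) for m in markers)]

# Constructed observations; the real 9090 had only an nmap banner, no HTTP headers or bodies.
OBS_9090_EMPTY = {"port": 9090, "headers": {}, "paths": {}}
OBS_PROMETHEUS = {"port": 9090, "headers": {}, "paths": {
    "/api/v1/status/buildinfo": '{"status":"success","data":{"version":"2.x"}}',
    "/metrics": "# HELP up Whether the target is up.\n# TYPE up gauge\nup 1\n"}}
OBS_8000 = {"port": 8000, "headers": {"server": "uvicorn"}, "paths": {
    "/": "<html><head><title>LlamaIndex Chat</title></head></html>",
    "/openapi.json": '{"openapi":"3.1.0","info":{"title":"LlamaIndex Chat"}}'}}
```

A tool that wants to keep port 9090 as a hint may use it only to decide which rules to try first; the tag itself must still come from classify().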

Toolchain provenance

2026-05-15 20:11Z  jaxen aimap 23.239.19.219                          → 6 open ports, 0 AI fingerprints
2026-05-15 20:11Z  nu-recon 23.239.19.219                              → simulated (Shodan key absent)
2026-05-15 20:11Z  whois + dig +short -x                               → Akamai AS, 23.239.0.0/19, rDNS Linode
2026-05-15 20:12Z  curl -sI https://23.239.19.219/                     → nginx/1.18.0, 1119-byte phaser-game HTML
2026-05-15 20:12Z  hash-compare /openapi.json vs /                     → MD5 IDENTICAL — SPA catchall confirmed
2026-05-15 20:12Z  nmap -Pn --top-ports 100 --open                     → 22, 80, 443, 3000, 8000
2026-05-15 20:12Z  curl http://23.239.19.219:8000/                     → "LlamaIndex Chat" uvicorn, real /openapi.json
2026-05-15 20:13Z  openssl s_client                                     → cert CN commandz.gochatus.org, Let's Encrypt R13
2026-05-15 20:13Z  crt.sh ?q=gochatus.org                              → 9 SAN-derived domains
2026-05-15 20:13Z  POST /api/session                                    → session_id 523babc5… (UNAUTH)
2026-05-15 20:13Z  POST /api/chat                                       → "LLM request failed" (surface unauth, backend broken)
2026-05-15 20:17Z  aimap-profile --target 23.239.19.219 --mode full     → unclassified, honeypot=0
2026-05-15 20:18Z  visorgraph -ip 23.239.19.219                         → 6 nodes / 1 edge, prometheus FP on 9090
2026-05-15 20:18Z  visorbishop -i targets.txt -ip-shadow-all            → prometheus FP + chromadb FP
2026-05-15 20:19Z  menlohunt scan -ip 23.239.19.219                     → 5 findings, MEDIUM open-9090 (Prometheus FP)
2026-05-15 20:19Z  visorsd                                              → 401 invalid SHODAN_API_KEY (null)
2026-05-15 20:19Z  visorgoose probe                                     → no Ollama on host
2026-05-15 20:20Z  recongraph multi-seed                                → 0 nodes (budget consumed)
2026-05-15 20:21Z  SNI vhost census                                     → lakesideart.gochatus.org 32921 bytes
2026-05-15 20:23Z  socket.io handshake                                  → CONNECT accepted, default ns open
2026-05-15 20:24Z  port 9090 protocol discriminator                     → not HTTP/1.1, not HTTPS, not HTTP/2, not gRPC
2026-05-15 20:25Z  visorrag --target                                    → 401 OpenAI embedding (null)
2026-05-15 20:25Z  bare bare-input.json                                 → cosine 0.49-0.52, no exploitable module
2026-05-15 20:25Z  visorcorpus build hybrid                             → 137 cases, 77 HIGH 15 CRIT
2026-05-15 20:26Z  visoragent run (localhost)                           → ANTHROPIC_API_KEY absent (null)
2026-05-15 20:26Z  cortex analyze --force                               → informational, format mismatch
2026-05-15 20:26Z  visorplus assess                                     → 5/6 stages, no Ollama
2026-05-15 20:30Z  visorlog ingest (dotted-key NDJSON)                  → rows 1034-1037, medium/medium/info/low

See also

  • rag-framework-cloud-survey-2026-05.md: the prior cross-cloud survey establishing LlamaIndex Chat as a confirmed platform class
  • insight-21: port-first beats brand-dork for low-footprint platforms (applies to LlamaIndex Chat brand-dork ceiling)
  • New: Insight candidate #22 (port-9090 → Prometheus FP across three tools; codify once a second case study confirms the pattern)