
Insight

Insight #78 — Shared deployment kits create operator-class exposure: one fingerprint, N unauth backends

Survey: Single-host ad-hoc assessments, xTom Japan (AS3258), 2026-06-05/06.

Statement

When a deployment kit (a preconfigured stack template) circulates within an operator community, every operator who deploys it inherits the same misconfiguration. The fingerprint of the kit - version string, favicon hash, callback list, header set - is identical across all deployments, so finding one instance immediately classifies all others in the population. A kit-level misconfiguration is not an individual operator failure; it is a population-wide exposure rooted in a single upstream decision.

Evidence

Three unauth LiteLLM Enterprise instances found on separate xTom Japan VPS hosts operated by independent Chinese AI API relay services within a single session:

IP | Operator | Auth | Version | Favicon hash
197.189.236.186 | Cozan Consulting (zigy.co.za) | NONE | v1.82.6 | -1875761561
103.201.131.99 | OrbitLink VPN (weee.teys.top) | NONE (historical) | v1.82.6 | -1875761561
176.126.114.133 | 曲奇 API (quqiai.top) | NONE | v1.82.6 | -1875761561

Shared fingerprint across all three:

  • Version: LiteLLM Enterprise v1.82.6
  • Favicon hash: -1875761561 (identical PNG)
  • Callback chain: SkillsInjectionHook + _PROXY_VirtualKeyModelMaxBudgetLimiter + _PROXY_MaxBudgetLimiter + _PROXY_MaxParallelRequestsHandler_v3 + _PROXY_CacheControlCheck + ResponsesIDSecurity + _PROXY_MaxIterationsHandler + _PROXY_MaxBudgetPerSessionHandler + _PROXY_LiteLLMManagedFiles + _PROXY_LiteLLMManagedVectorStores + ServiceLogging
  • Config: No Prisma DB, no master_key, auth=NONE on all three
  • Hosting: All xTom Japan (AS3258)
  • Pattern: Auth-gated commercial frontend (One API / V2Board) + unauth LiteLLM backend

The commercial frontend (One API’s “曲奇 API”, V2Board’s OrbitLink) provides user-facing auth and billing. The LiteLLM layer behind it is treated as an internal-only service but is bound to all interfaces without a master_key. The kit author left auth unconfigured; every operator who used the kit inherited the open backend.

Mechanism

The auth-gated frontend creates a false sense of security: operators see their commercial portal enforcing login and assume the stack is protected. The LiteLLM backend is a separate process on a separate port - the frontend’s auth does not propagate to it. Without a master_key set in litellm_config.yaml, LiteLLM defaults to open. The kit was distributed without that line.
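The following is an added example, not code from the survey or from the LiteLLM project. It audits a parsed litellm_config.yaml the way the "Auth" column above classifies a host: no usable master_key means the proxy serves any caller that can reach its port. Both config dicts are constructed for the example; the `general_settings.master_key` key and the `os.environ/NAME` indirection are LiteLLM's own syntax, while the precedence between the config value and the `LITELLM_MASTER_KEY` environment variable, and the treatment of an unset variable as "no key", are assumptions of this example.

```python
import os

# Two litellm_config.yaml contents as parsed dicts. Both are constructed for this
# example and are not the kit's actual file: the first has the shape the text
# describes (no master_key anywhere), the second adds the one missing setting.
KIT_DEFAULT_CONFIG = {
    "model_list": [
        {
            "model_name": "gpt-4o",
            "litellm_params": {
                "model": "openai/gpt-4o",
                "api_key": "os.environ/OPENAI_API_KEY",
            },
        }
    ],
    # no general_settings block at all, so no master_key
}

HARDENED_CONFIG = {
    "model_list": KIT_DEFAULT_CONFIG["model_list"],
    "general_settings": {
        # LiteLLM's "os.environ/NAME" indirection: the secret is read from the
        # environment at start-up instead of being shipped inside the kit.
        "master_key": "os.environ/LITELLM_MASTER_KEY",
    },
}

ENV_INDIRECTION = "os.environ/"


def resolve_secret(value, env):
    """Resolve the os.environ/NAME indirection; None means no usable value.
    Assumption: an unset variable yields no key rather than a literal string."""
    if isinstance(value, str) and value.startswith(ENV_INDIRECTION):
        return env.get(value[len(ENV_INDIRECTION):]) or None
    return value or None


def effective_master_key(config, env):
    """Key the proxy would enforce, or None when it would accept any caller.
    Precedence assumed here: general_settings.master_key in the config first,
    then the LITELLM_MASTER_KEY environment variable as a fallback."""
    general = config.get("general_settings") or {}
    key = resolve_secret(general.get("master_key"), env)
    if key is None:
        key = env.get("LITELLM_MASTER_KEY") or None
    return key


def audit(config, env=None):
    """Return the survey's 'Auth' classification for one config plus findings."""
    env = dict(os.environ) if env is None else env
    general = config.get("general_settings") or {}
    raw = general.get("master_key")
    key = effective_master_key(config, env)
    findings = []
    if key is None:
        findings.append(
            "auth=NONE: no master_key in general_settings and LITELLM_MASTER_KEY "
            "unset; the proxy will serve any caller that can reach its port"
        )
        if isinstance(raw, str) and raw.startswith(ENV_INDIRECTION):
            findings.append(
                f"master_key points at {raw[len(ENV_INDIRECTION):]} but that "
                "variable is not exported; the indirection alone gates nothing"
            )
    elif isinstance(raw, str) and not raw.startswith(ENV_INDIRECTION):
        findings.append(
            "master_key is a literal in the config file; a kit that ships a "
            "literal key gives every deployment the same credential"
        )
    return {"auth": "NONE" if key is None else "master_key", "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("kit default", KIT_DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        for env in ({}, {"LITELLM_MASTER_KEY": "sk-example-not-a-real-key"}):
            result = audit(cfg, env)
            print(f"{name:12s} env {'set' if env else 'unset':5s} -> {result['auth']}")
            for finding in result["findings"]:
                print("   -", finding)
```

The second case is the one worth noticing: the hardened config still audits as auth=NONE when the variable it points at is not exported, so the fix is the key plus the environment, not the config line alone. The bind-to-all-interfaces half of the problem is outside the config file; it is the listen address the proxy is started with (LiteLLM's `--host` flag), and an internal-only backend should listen on the loopback or a private interface rather than 0.0.0.0.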

This is a structural variant of Insight #02 (single-template auth-off propagates): the template is not one operator’s misconfiguration copied to their own fleet - it is a third-party kit adopted independently by multiple operators who each made the same assumption about the frontend providing coverage.

Recon implication

The favicon hash (-1875761561) is a precise population selector for this kit. A Shodan dork on http.favicon.hash:-1875761561 will return the full population of hosts running this kit regardless of domain, ASN, or country. The three confirmed instances are a floor, not a ceiling. Expanding the sweep via favicon hash is the direct next step to bound the full operator class.

The xTom Japan hosting concentration is a secondary signal - operators acquiring kit-sourced stacks from the same Chinese AI service community appear to prefer xTom Japan as a VPS provider. ASN + favicon hash together form a tight selector for this population.

Implication for methodology

When a new finding has an identical fingerprint to a prior finding on a different operator:

  1. Treat the match as a kit signal, not coincidence.
  2. Immediately pivot to favicon hash / header hash / version string population sweep.
  3. The root cause is the kit author’s config, not each individual operator’s negligence - remediation guidance should target the kit’s default config, not the operator’s setup.
  4. Expect the full population to share the same misconfiguration unless the kit was patched downstream.

The finding is: the kit is misconfigured. The population is: every operator who deployed it.

Correction from population sweep (2026-06-06)

The favicon hash -1875761561 identifies the full LiteLLM Swagger UI population, not only the Chinese operator kit. A Shodan sweep returned 4,008 results globally (988 sampled): US 42%, DE 13%, CN 10%, SG 5%, JP 4%. Includes AWS, Azure, GCP instances, 17+ universities, and enterprise commercial operators (YipitLLM/5, Cloudeka/1).

The kit-specific fingerprint requires all five signals in combination: favicon + LiteLLM Enterprise v1.82.6 + SkillsInjectionHook callback chain + no Prisma DB + auth=NONE. The three xTom Japan instances share all five; generic LiteLLM deployments share only the favicon.
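The five-signal rule above, written out as classification logic that an operator can run over their own inventory of observed hosts. This is an added example, not the survey's tooling. The fingerprint constants are the ones stated on this page; the host records are constructed (labels, the non-kit version string and the unrelated favicon hash are made up) and modelled on the table rows and on the two follow-up hosts, which matched the favicon but not the kit.

```python
from dataclasses import dataclass, field
from typing import Optional

# The five signals from the survey that together identify the kit; a host that
# matches only the favicon is generic LiteLLM.
KIT_FAVICON_HASH = -1875761561
KIT_VERSION = "v1.82.6"
KIT_CALLBACK_MARKER = "SkillsInjectionHook"

KIT_CALLBACKS = [
    "SkillsInjectionHook", "_PROXY_VirtualKeyModelMaxBudgetLimiter",
    "_PROXY_MaxBudgetLimiter", "_PROXY_MaxParallelRequestsHandler_v3",
    "_PROXY_CacheControlCheck", "ResponsesIDSecurity", "_PROXY_MaxIterationsHandler",
    "_PROXY_MaxBudgetPerSessionHandler", "_PROXY_LiteLLMManagedFiles",
    "_PROXY_LiteLLMManagedVectorStores", "ServiceLogging",
]


@dataclass
class HostObservation:
    label: str                        # constructed label, not a real address
    favicon_hash: Optional[int]
    version: Optional[str]            # e.g. "v1.82.6"
    enterprise: bool
    callbacks: list = field(default_factory=list)
    prisma_db: Optional[bool] = None  # None = could not determine
    auth: str = "unknown"             # "NONE", "NONE (historical)", "master_key", "unknown"


def is_unauth(obs: HostObservation) -> bool:
    """Treat 'NONE (historical)' like 'NONE': the table counts both as open."""
    return obs.auth.startswith("NONE")


def kit_signals(obs: HostObservation) -> dict:
    """Evaluate each of the five kit signals independently."""
    return {
        "favicon": obs.favicon_hash == KIT_FAVICON_HASH,
        "version": obs.enterprise and obs.version == KIT_VERSION,
        "callbacks": KIT_CALLBACK_MARKER in obs.callbacks,
        "no_db": obs.prisma_db is False,
        "auth_none": is_unauth(obs),
    }


def classify(obs: HostObservation) -> str:
    """KIT only when all five signals agree; favicon alone is generic LiteLLM."""
    signals = kit_signals(obs)
    if all(signals.values()):
        return "KIT"
    if signals["favicon"]:
        return "GENERIC_LITELLM"
    return "OTHER"


def missing_signals(obs: HostObservation) -> list:
    """Which kit signals a favicon match lacks; explains a GENERIC verdict."""
    return [name for name, hit in kit_signals(obs).items() if not hit]


def summarize(observations) -> dict:
    """Class counts plus, separately, how many LiteLLM hosts are unauthenticated
    regardless of whether they came from the kit."""
    counts = {"KIT": 0, "GENERIC_LITELLM": 0, "OTHER": 0}
    unauth_litellm = 0
    for obs in observations:
        cls = classify(obs)
        counts[cls] += 1
        if cls != "OTHER" and is_unauth(obs):
            unauth_litellm += 1
    counts["unauth_litellm"] = unauth_litellm
    return counts


# Constructed sample: three records shaped like the survey table rows, one
# unauth VPS host shaped like the follow-ups (favicon match, other build, no kit
# callback chain), one gated cloud deployment of the same build, one non-LiteLLM host.
SAMPLE = [
    HostObservation("xtom-jp-1", KIT_FAVICON_HASH, "v1.82.6", True, KIT_CALLBACKS, False, "NONE"),
    HostObservation("xtom-jp-2", KIT_FAVICON_HASH, "v1.82.6", True, KIT_CALLBACKS, False, "NONE (historical)"),
    HostObservation("xtom-jp-3", KIT_FAVICON_HASH, "v1.82.6", True, KIT_CALLBACKS, False, "NONE"),
    HostObservation("vps-hobbyist", KIT_FAVICON_HASH, "v1.80.0", False, ["ServiceLogging"], False, "NONE"),
    HostObservation("cloud-enterprise", KIT_FAVICON_HASH, "v1.82.6", True, KIT_CALLBACKS, True, "master_key"),
    HostObservation("unrelated-web", 123456789, None, False, [], None, "unknown"),
]

if __name__ == "__main__":
    for obs in SAMPLE:
        print(f"{obs.label:18s} {classify(obs):16s} missing={missing_signals(obs)}")
    print(summarize(SAMPLE))
```

The "cloud-enterprise" record is the reason the rule needs all five signals: it runs the same Enterprise build with the same callback chain, yet it has a Prisma database and a master_key, so it is a generic deployment and not a member of the exposed operator class. The `unauth_litellm` counter is the figure an operator cares about for their own estate; the KIT count is the figure that tells you a remediation notice should go to the kit author rather than to each operator.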

Unauth rate (25-host sample): 2/25 = 8% → ~320 globally. Enterprise/cloud IPs skew toward auth-on; VPS/hobbyist IPs skew toward auth-off. Real unauth rate across the full population likely higher.
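The ~320 figure is a point estimate from two hits in twenty-five hosts, and a sample that small carries a wide interval. As an added example (not part of the survey), the block below scales the 2/25 rate to the 4,008-host population and attaches a 95% Wilson score interval, which behaves sensibly for tiny counts where the naive normal approximation does not. The population size and sample counts are the page's; the interval method and z=1.96 are this example's choice.

```python
import math


def wilson_interval(successes: int, trials: int, z: float = 1.96):
    """95% Wilson score interval for a binomial proportion (z=1.96 by default).
    Preferred over p +/- z*sqrt(p(1-p)/n) when successes is near 0 or n is small."""
    if trials <= 0:
        raise ValueError("trials must be positive")
    p = successes / trials
    z2 = z * z
    denom = 1 + z2 / trials
    centre = (p + z2 / (2 * trials)) / denom
    half = z * math.sqrt(p * (1 - p) / trials + z2 / (4 * trials * trials)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def population_estimate(population: int, successes: int, trials: int) -> dict:
    """Scale a sampled rate to a population, carrying the interval along.
    'point' is the page's ~320 before rounding (4008 * 2/25 = 320.64)."""
    low_rate, high_rate = wilson_interval(successes, trials)
    return {
        "rate": successes / trials,
        "point": round(population * successes / trials),
        "low": math.floor(population * low_rate),
        "high": math.ceil(population * high_rate),
    }


if __name__ == "__main__":
    est = population_estimate(4008, 2, 25)
    print(f"sample rate {est['rate']:.0%}; point estimate ~{est['point']} hosts; "
          f"95% interval {est['low']}..{est['high']} hosts")
```

For 2/25 the interval runs from roughly 2% to 25%, so the defensible statement is "somewhere between about ninety and a thousand unauthenticated hosts", not a single number. The interval does not account for the enterprise/VPS skew noted above; that is a stratification problem and would need per-stratum samples, which this sweep did not collect.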

Two additional unauth instances from sweep:

  • 64.227.96.179:4000 (DigitalOcean US) — ollama/qwen2.5:3b, no DB
  • 176.107.150.171:4000 (Aruba IT) — guidascuole-scraper, leaks private LAN IP (192.168.100.41:11434 Mac Studio Ollama)