Alden’s ITP Home

Shodan Stories Day 20: υηκηοωη ιδεηեτγ in France, Private Telephone Exchanges, Network Attached Storage, and Getting Lost in the Matrix

Oh what a tangled web we weave. I’m not really sure what’s going on with this one or how I got here. I wanted to explore a search I had seen on Shodan called “3cx servers bcn”, but now I’m trapped in a digital hall of mirrors. 3CX is a software private branch exchange (PBX) that runs over VoIP, and its servers typically listen on port 5001.

υηκηοωη ιδεηեτγ on

So I looked for things running on port 5001. One of the first ones I saw was named “υηκηοωη ιδεηեτγ” which, naturally, got me pretty interested. Going to their IP in a browser automatically redirected to HTTPS but gave a certificate error, and I was really struck by the URL for which their certificate had been issued, which is to say that it sounds fake as hell. Thanks to Azealia Banks I know that 212 is an area code for NYC, so at least that checked out with the phone theme. Let’s come back to it in a bit.

Proceeding along to the IP prompts a login for υηκηοωη ιδεηեτγ. The login page is very pretty, there is a beach and some birds in the foreground and some mountains in the background. Again, we’ll come back to this page later. The login looked so nice I suspected that it must have a URL.

👻🌵🔮 $ host domain name pointer

Aha! So this is doing email or something related. What’s It doesn’t resolve to anything in the browser. According to Shodan it’s in Garden City, Kansas.

👻🌵🔮 $ host has address mail is handled by 10 mail is handled by 20
👻🌵🔮 $ host has address
👻🌵🔮 $ host has address mail is handled by 50
👻🌵🔮 $ host has address

and are both in Germany, unsurprisingly. First It’s running a page that just shows the following.

We’ll get back to that one. Loose threads feel like they are piling up yet? Feel like there is a lot of υηκηοωη ιδεηեτγ still to be explored? is running on 443 with the following webpage: just a 403 error. Usually that comes after a failed login, meaning that you didn’t have the correct credentials, and I was wondering if this page were looking for a specific IP to interact with it. I went looking for such a thing and found what was checking whether or not to give the error: a long JavaScript function embedded in the page that was determining whether or not to send the 403. It began like this:

/* Copyright (c) 2018 Synology Inc. All rights reserved. */

(function(){var a=new XMLHttpRequest();a.open("get","/missing",true); ...

Synology Inc! Major clue. And that page requires a specific request to be made via the URL, which I was /missing. Synology makes network attached storage as well as a router and a couple of other network goodies. Now let’s get back to the υηκηοωη ιδεηեτγ login. That page had a fair amount of JavaScript in it for a simple login page, much of it copyright Synology Inc. There was also some from other companies, but they seemed to be doing web services and web design work, so it had likely been contracted out by Synology. So this login is probably for another Synology device, maybe storing mail.

But let’s get back to shall we?

👻🌵🔮 $ host has address

That’s the same IP that I had originally found. So is however is considerably different from doesn’t appear to be hosting any web page of any kind, while is hosting the same kind of thing as!! It turns out this is the default page for any server set up with Host Europe GmbH, which is the host for these pages. So someone set up these servers and parked default servers on the domain names and are using the domains to direct to a bunch of other servers via CNAME, some of which overlap. How deep does this go?
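The post chases these CNAME redirections one `host` command at a time. As an added example (not code from the post), here is a small resolver that walks CNAME chains over an in-memory zone table and then groups every name by the address it finally lands on, so overlapping infrastructure stands out at a glance. It goes a little beyond what the post shows by also recognising the ways a chain can go wrong (a CNAME loop, a dangling target, a chain deeper than the limit). The zone, hostnames and addresses below are all constructed placeholders and have nothing to do with the hosts the post looked at.

```python
"""Walk CNAME chains over a constructed zone and group names by final address.

Added example, not from the post. The ZONE table is invented to mirror the
post's situation: several domains parked with one hoster, with CNAMEs that
point at overlapping servers. Nothing here talks to real DNS.
"""

from collections import defaultdict

MAX_DEPTH = 8  # sanity limit so a loop or an absurdly long chain cannot run forever

# Constructed zone: name -> ("CNAME", target) or ("A", address).
# Names and addresses are placeholders (RFC 5737 documentation ranges).
ZONE = {
    "www.example-one.test": ("CNAME", "edge.example-one.test"),
    "edge.example-one.test": ("CNAME", "parked.hoster.test"),
    "mail.example-one.test": ("A", "198.51.100.10"),
    "www.example-two.test": ("CNAME", "parked.hoster.test"),
    "parked.hoster.test": ("A", "198.51.100.20"),
    "loop-a.example-three.test": ("CNAME", "loop-b.example-three.test"),
    "loop-b.example-three.test": ("CNAME", "loop-a.example-three.test"),
    "dangling.example-three.test": ("CNAME", "gone.example-three.test"),
}


def resolve_chain(name, zone=ZONE, max_depth=MAX_DEPTH):
    """Follow CNAMEs from `name`.

    Returns (chain, address, status): `chain` is the list of names visited
    starting with `name`, `address` is the final A record or None, and
    `status` is one of 'ok', 'loop', 'dangling', 'too_deep'.
    """
    chain = [name]
    seen = {name}
    current = name
    for _ in range(max_depth):
        record = zone.get(current)
        if record is None:
            # The chain points at a name that has no record at all.
            return chain, None, "dangling"
        rtype, value = record
        if rtype == "A":
            return chain, value, "ok"
        # rtype == "CNAME": step to the target, watching for a cycle
        chain.append(value)
        if value in seen:
            return chain, None, "loop"
        seen.add(value)
        current = value
    return chain, None, "too_deep"


def group_by_address(names, zone=ZONE):
    """Map each final address to the set of names that end up there.

    Broken chains are returned separately as {name: status} so they are not
    silently dropped from the picture.
    """
    by_addr = defaultdict(set)
    broken = {}
    for n in names:
        _chain, addr, status = resolve_chain(n, zone)
        if status == "ok":
            by_addr[addr].add(n)
        else:
            broken[n] = status
    return dict(by_addr), broken


if __name__ == "__main__":
    groups, broken = group_by_address(ZONE.keys())
    for addr, names in sorted(groups.items()):
        print(addr, "<-", ", ".join(sorted(names)))
    for n, status in sorted(broken.items()):
        print("broken:", n, status)
```

Run against a real zone you own, the `group_by_address` output answers the post's "how deep does this go?" in one pass: every name that collapses onto the same address is the same server wearing a different hostname, and a `dangling` entry is a name you should retire before someone else claims its target.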

👻🌵🔮 $ host has address mail is handled by 50
👻🌵🔮 $ host has address
👻🌵🔮 $ host domain name pointer
👻🌵🔮 $ nmap
Starting Nmap 7.70 ( ) at 2019-01-23 23:41 EST
Nmap scan report for (
Host is up (0.12s latency).
Other addresses for (not scanned): 2a01:488:42:1000:50ed:8469:27:5029
rDNS record for
Not shown: 987 closed ports
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
80/tcp   open     http
110/tcp  open     pop3
143/tcp  open     imap
465/tcp  open     smtps
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
3306/tcp open     mysql
5666/tcp filtered nrpe
7000/tcp filtered afs3-fileserver

Too deep. υηκηοωη ιδεηեτγ remains as such. See you tomorrow.
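The nmap run above is the kind of port table a defender wants turned into a short exposure review rather than eyeballed. As an added example (not code from the post), the snippet below parses nmap's normal-output port lines and flags the services that should not face the Internet on a mail host, or that carry credentials in the clear unless STARTTLS is enforced. The sample text is the port table from the post's scan (host name and address were already absent there); the risk policy in `CLEARTEXT_AUTH` and `INTERNAL_ONLY` is my own assumption, not anything nmap or the post provides.

```python
"""Parse nmap's port table and flag services that are risky to expose.

Added example, not from the post. SAMPLE_SCAN reproduces the port lines of
the post's scan; the classification sets below are an assumed policy for an
Internet-facing mail server and should be adjusted to your own environment.
"""

import re

SAMPLE_SCAN = """\
Not shown: 987 closed ports
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
80/tcp   open     http
110/tcp  open     pop3
143/tcp  open     imap
465/tcp  open     smtps
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
3306/tcp open     mysql
5666/tcp filtered nrpe
7000/tcp filtered afs3-fileserver
"""

# One nmap port line: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)"
)

# Assumed policy. Services whose login sends credentials in cleartext unless
# the client negotiates STARTTLS (so they warrant review), and services that
# have no business being reachable from the Internet at all.
CLEARTEXT_AUTH = {"ftp", "pop3", "imap"}
INTERNAL_ONLY = {"mysql", "nrpe", "afs3-fileserver"}


def parse_ports(text):
    """Return a list of (port, proto, state, service) tuples from nmap output.

    Lines that are not port lines (headers, 'Not shown', blanks) are skipped.
    """
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports


def assess(ports):
    """Classify open ports against the policy. Returns {service: reason}.

    Filtered ports are skipped: a firewall is already dropping them, so they
    are not reachable, though they still hint at what runs on the box.
    """
    findings = {}
    for port, proto, state, service in ports:
        if state != "open":
            continue
        if service in INTERNAL_ONLY:
            findings[service] = f"{port}/{proto} open: internal service exposed to the Internet"
        elif service in CLEARTEXT_AUTH:
            findings[service] = f"{port}/{proto} open: credentials may travel in cleartext"
    return findings


def filtered_services(ports):
    """Names of services nmap saw as filtered, for a 'confirm the firewall' list."""
    return sorted(service for _p, _proto, state, service in ports if state == "filtered")


if __name__ == "__main__":
    parsed = parse_ports(SAMPLE_SCAN)
    for service, reason in sorted(assess(parsed).items()):
        print(f"{service:16} {reason}")
    print("filtered (confirm firewall):", ", ".join(filtered_services(parsed)))
```

On the post's scan this flags ftp, pop3, imap and mysql, and lists nrpe and afs3-fileserver as filtered; the encrypted mail ports (465, 993, 995, and 587 with STARTTLS) pass without comment, which is the shape you would want a mail host to have once the cleartext and database listeners are closed or firewalled.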

PS: another fun airplane traceroute today.

➜  ~ traceroute
traceroute to (, 64 hops max, 52 byte packets
 1 (  9.824 ms  2.049 ms  2.665 ms
 2  * * *
 3  * * *
 4  * * *
 5 (  725.002 ms  624.450 ms  600.828 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14 (  918.353 ms  835.658 ms  865.845 ms
15 (  817.856 ms  822.151 ms  776.249 ms
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
31  * * *
32  * * *