Vulnerability Scan Result

Target:

https://sys.yellowlettershop.com/ (redirect)

Scanned target: https://yellowlettershop.com/

Submitted: April 18, 2025 from TN

Public Scan

Scan mode: Passive (non-intrusive)

Summary

medium

Info

Low

Medium

High

Critical

Screenshot

Title:	The Yellow Letter Shop \| Direct Mail Marketing That Works!
Description:	No description found

IP Information

IP address	35.215.114.75
Country	US
AS number	AS15169
Net name	Google LLC

Open Ports

21/tcp	ftp	Pure-FTPd -
25/tcp	smtp	- -
80/tcp	http	nginx -
110/tcp	pop3	Dovecot pop3d -
143/tcp	imap	Dovecot imapd -
443/tcp	https	nginx -
465/tcp	smtp	- -
587/tcp	smtp	- -
993/tcp	imap	Dovecot imapd -
995/tcp	pop3	Dovecot pop3d -
3306/tcp	mysql	MySQL -
5432/tcp	postgresql	PostgreSQL DB 9.6.0 or later

Web Technologies

No technologies could be detected.

Web Application Vulnerabilities

No vulnerabilities were found.

Infrastructure Vulnerabilities

Evidence

We managed to detect a publicly accessible MySQL service.

PORT STATE SERVICE VERSION
3306/tcp open mysql MySQL

Vulnerability description

We identified that the MySQL service is publicly accessible. MySQL serves as a common database for numerous web applications and services for data storage, making it a potential prime target for determined attackers.

Risk description

The risk exists that an attacker exploits this issue by launching a password-based attack on the MySQL service. Furthermore, they could exploit zero-day vulnerabilities to obtain remote access to the MySQL database server, thereby gaining complete control over its operating system and associated services. Such an attack could lead to the exposure of confidential or sensitive information.

Recommendation

We recommend turning off public Internet access to MySQL and opting for a Virtual Private Network (VPN) that enforces two-factor authentication (2FA). Avoid enabling direct user authentication to the MySQL service via the Internet, as this could enable attackers to engage in password-guessing and potentially initiate attacks leading to complete control. However, if the MySQL service is required to be directly accessible over the Internet, we recommend reconfiguring it to be accessible only from known IP addresses.

Evidence

We managed to detect a publicly accessible PostgreSQL service.

PORT STATE SERVICE VERSION
5432/tcp open postgresql PostgreSQL DB 9.6.0 or later

Vulnerability description

We found that the PostgreSQL service is publicly accessible. This service often holds critical organizational data, making it a potential prime target for determined attackers.

Risk description

The risk exists that an attacker exploits this issue by launching a password-based attack on the PostgreSQL service. If an attacker identifies a correct set of login details, they could gain access to the database and start enumerating, potentially revealing confidential information. Moreover, such vulnerabilities could lead to other forms of attacks, including privilege escalation, allowing attackers to run system commands and move laterally to other systems in the internal network.

Recommendation

We recommend ensuring that the PostgreSQL service is not publicly accessible. The PostgreSQL service should be safeguarded behind a firewall or made available only to users connected through a Virtual Private Network (VPN) server. However, if the PostgreSQL service is required to be directly accessible over the Internet, we recommend reconfiguring it such that it is accessible only from known IP addresses.

Evidence

We managed to detect a publicly accessible File Transfer Protocol (FTP) service.

PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd

Vulnerability description

We found that the File Transfer Protocol (FTP) service is publicly accessible. The FTP enables client systems to connect to upload and download files. Nonetheless, FTP lacks encryption for the data exchanged between the server and the client, leaving all transferred data exposed in plaintext.

Risk description

Exposing this service online can enable attackers to execute man-in-the-middle attacks, capturing sensitive user credentials and the contents of files because FTP operates without encryption. The entirety of the communication between the client and the server remains unsecured in plaintext. This acquired information could further facilitate additional attacks within the network.

Recommendation

We recommend turning off FTP access over the Internet and instead using a Virtual Private Network (VPN) that mandates two-factor authentication (2FA). If the FTP service is essential for business purposes, we recommend limiting access only from designated IP addresses using a firewall. Furthermore, utilizing SFTP (Secure File Transfer Protocol) is recommended as this protocol employs encryption to secure data transfers.

Evidence

We managed to detect a publicly accessible Post Office Protocol (POP3) service.

Starting Nmap ( https://nmap.org ) at 2025-04-19 00:37 EEST
Nmap scan report for sys.yellowlettershop.com (35.215.114.75)
Host is up (0.15s latency).
rDNS record for 35.215.114.75: 75.114.215.35.bc.googleusercontent.com

PORT    STATE SERVICE  VERSION
995/tcp open  ssl/pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN LOGIN) USER RESP-CODES UIDL AUTH-RESP-CODE TOP PIPELINING CAPA

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.40 seconds

Vulnerability description

We found that the Post Office Protocol (POP3) service is publicly accessible and doesn’t include STARTTLS capability. Email clients use the Post Office Protocol (POP) to download emails for user accounts. Some POP servers are initially set up to operate over an unsecured protocol. When email clients download email content through this plaintext protocol, it can pose a substantial risk to the organization's network, especially depending on which user account is set to receive the emails.

Risk description

Exposing this service online can enable attackers to conduct man-in-the-middle attacks, thereby gaining access to sensitive user credentials and the contents of emails. Given that POP3 operates via a plaintext protocol, the entirety of the data exchanged between the client and server is left unencrypted. This critical information could then be leveraged in further attacks on the organization's network.

Recommendation

We recommend turning off POP3 access over the Internet and instead using a Virtual Private Network (VPN) that mandates two-factor authentication (2FA). If the POP3 service is essential for business purposes, we recommend limiting access only from designated IP addresses using a firewall. Furthermore, activating STARTTLS capability (switching the connection to a secure communication) or utilizing Secure POP3 (POP3S) is recommended, as this protocol employs encryption.

Evidence

Domain Queried	DNS Record Type	Description	Value
sys.yellowlettershop.com	A	IPv4 address	35.215.114.75

Risk description

An initial step for an attacker aiming to learn about an organization involves conducting searches on its domain names to uncover DNS records associated with the organization. This strategy aims to amass comprehensive insights into the target domain, enabling the attacker to outline the organization's external digital landscape. This gathered intelligence may subsequently serve as a foundation for launching attacks, including those based on social engineering techniques. DNS records pointing to services or servers that are no longer in use can provide an attacker with an easy entry point into the network.

Recommendation

We recommend reviewing all DNS records associated with the domain and identifying and removing unused or obsolete records.

Evidence

Software / Version	Category
Nginx	Web servers, Reverse proxies

Vulnerability description

We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.

Risk description

The risk is that an attacker could use this information to mount specific attacks against the identified software type and version.

Recommendation

We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.

Evidence

Software / Version	Category
Nginx	Web servers, Reverse proxies

Vulnerability description

We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.

Risk description

The risk is that an attacker could use this information to mount specific attacks against the identified software type and version.

Recommendation

We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.