highPhishing

HOSTING///SEO Credential Phishing & Payment Fraud Platform

InvestigatedApril 3, 2026PublishedApril 3, 2026

Threat Actors:ProfileAssessment

credentialphishingsalmanvsfrataptcloudflareovhtor

TLP: WHITE Date: 2026-04-03 Analyst: GHOST (Breakglass Intelligence) Classification: Cybercrime -- Credential Phishing / Payment Fraud / Domain Expiration Scam Source: @salmanvsf (Senior Security Researcher) Twitter intelligence lead

Executive Summary

A sophisticated, long-running credential phishing and payment fraud operation has been operating since at least May 2024, targeting organizations across Israel, Sri Lanka, South Korea, Latin America, Japan, Serbia, Saudi Arabia, Ecuador, Taiwan, Ukraine, and more. Internally branded "HOSTING///SEO" based on its consistent page title signature, this campaign operates from a single OVH VPS (57[.]128[.]228[.]145, vps-920c0b1b.vps.ovh.net) running Plesk Obsidian 18.0.76 with nginx and Postfix. The platform uses 11+ rotating phishing domains registered predominantly through NICENIC INTERNATIONAL GROUP CO., LIMITED (Hong Kong), all linked by a shared Cloudflare account (NS pair: isabel.ns.cloudflare.com / nikon.ns.cloudflare.com). The operation impersonates legitimate brands through wildcard subdomain phishing and hosts fake e-commerce checkout pages that steal payment credentials via an embedded PayPal SDK using client ID AS3CsnJh4pP09uP1G8exc1fLHmjRLiUSvtkwR0ta-sqNSVwTUCh6HlltvKS7V4TS89YfVy8Y5i1zDJaD. WHOIS data ties the infrastructure to RPSR s.r.o., a company registered in Kosice, Slovakia. A secondary FingerprintJS-based evasion node operates on globalssl[.]org (103[.]224[.]212[.]213).

Key Findings

11+ phishing domains identified sharing the same OVH backend server
Shared Cloudflare account links 5 domains via consistent NS pair
PayPal merchant SDK embedded in fake checkout pages -- operator's PayPal account identified
Exposed Plesk Obsidian 18.0.76 panel with Swagger API at globalssl[.]io
RPSR s.r.o. (Kosice, Slovakia) named as registrant organization
80+ URLscan observations documenting phishing against 25+ organizations globally
FingerprintJS browser fingerprinting used for anti-analysis evasion on secondary node
Campaign active since May 2024 -- nearly 2 years of continuous operation
Global targeting: Israel (primary, 8+ orgs), Sri Lanka, South Korea, Japan, Serbia, Saudi Arabia, Taiwan, Latin America, Ukraine

What Was Found vs. What Was Known

Aspect	Prior Reporting (@salmanvsf)	Our Findings
Domains	6 hosting-seo domains	11+ domains including globalssl family
Infrastructure	Domain names only	Full server (OVH VPS), Plesk panel, PayPal account
Victims	Unknown	25+ confirmed targeted organizations
Attribution	Unknown	RPSR s.r.o., Kosice, Slovakia
TTPs	Domain expiration scam	Payment fraud + credential phishing + FingerprintJS evasion
Duration	Jan 2025 snapshot	Active since May 2024 (continuous)

Attack Chain

Phase 1: DELIVERY
  Fake domain expiration email -> victim clicks renewal link
  OR
  Brand impersonation via wildcard subdomain: victim-brand.tld.phishing-domain.tld

Phase 2: REDIRECTION
  globalssl.org (FingerprintJS) -> browser fingerprint + UUID tracking
  OR
  Direct /checkout/[hex-session-id] link

Phase 3: CREDENTIAL HARVESTING
  Fake e-commerce checkout page (Vue.js + jQuery + PayPal SDK)
  Page title: "[victim-brand] | HOSTING///SEO"
  Embedded PayPal payment form with real merchant client ID
  Custom CSS from /less/ paths

Phase 4: CAPTURE CONFIRMATION
  Redirect to /track/[hex-session-id]
  Page title: "[domain-name] key-emoji" (key emoji = successful capture)

Phase 5: MONETIZATION
  Stolen payment credentials processed through operator's PayPal merchant account
  Stolen domain credentials used for further domain hijacking

Infrastructure Analysis

Primary Phishing Server

Attribute	Value
IP	57[.]128[.]228[.]145
Hostname	vps-920c0b1b.vps.ovh.net
Provider	OVH SAS (France)
Ports	21, 25, 53, 80, 106, 110, 143, 443, 993, 8443, 8880
Services	nginx, Postfix SMTP, DNS, FTP, IMAP/POP3
Control Panel	Plesk Obsidian 18.0.76 (EXPOSED at globalssl[.]io/login_up.php)
API	Swagger REST API at globalssl[.]io/api/v2 (200 OK)
TLS	Self-signed cert CN=vps-920c0b1b.vps.ovh.net (Let's Encrypt R12)
Status	LIVE

Secondary Evasion Node

Attribute	Value
IP	103[.]224[.]212[.]213
Hostname	lb-212-213.above.com
Provider	AboveDomains (shared hosting/parking)
TLS Certificate	CN=lnb.me (Let's Encrypt R13)
Evasion	FingerprintJS browser fingerprinting with UUID tracking
Status	LIVE

Domain Infrastructure

Domain	Registrar	Created	CF NS Pair	IP	Status
global-ssl[.]org	NICENIC	2024-05-19	isabel/nikon	N/A	clientHold
hosting-seo[.]top	NICENIC	2024-11-14	N/A	46[.]36[.]37[.]196	DNS UP, HTTP DOWN
hostingseo24[.]com	NICENIC	~2024-12	N/A	N/A	EXPIRED
hostingseo-24[.]com	NICENIC	2025-01-20	N/A	N/A	PENDING DELETE
hosting-seo-24[.]com	NICENIC	2025-03-07	isabel/nikon	N/A	clientHold
hosting-seo-24[.]org	NICENIC	2025-06-13	isabel/nikon	N/A	clientHold
globalssl[.]io	NICENIC	2025-08-03	isabel/nikon	57[.]128[.]228[.]145	LIVE
globalssl[.]org	Columbianames.com	2025-10-31	abovedomains	103[.]224[.]212[.]213	LIVE
hosting-seo[.]net	NICENIC	~2024	N/A	N/A	EXPIRED
hosting-seo[.]org	NICENIC	~2024	N/A	N/A	EXPIRED
seot[.]digital	Namecheap	unknown	registrar-servers	172[.]239[.]57[.]117	DNS LIVE

Registration Timeline

2024-05-19  global-ssl.org ---------- OLDEST (NICENIC)
2024-10-09  Kit CSS timestamps ------ Development phase
2024-11-14  hosting-seo.top --------- First operational domain
2024-12-??  hostingseo24.com -------- Expansion
2025-01-20  hostingseo-24.com ------- Variant
2025-03-07  hosting-seo-24.com ------ Variant
2025-06-13  hosting-seo-24.org ------ Variant
2025-08-03  globalssl.io ------------ Brand pivot to "GlobalSSL"
2025-10-31  globalssl.org ----------- Different registrar (diversification)
2026-03-27  Latest cert issuance ---- Still active

Shared Cloudflare Account

The NS pair isabel.ns.cloudflare.com / nikon.ns.cloudflare.com links these domains to a single Cloudflare account:

hosting-seo-24[.]com
hosting-seo-24[.]org
global-ssl[.]org
globalssl[.]io

Phishing Kit Technical Analysis

Stack

Backend: nginx on Plesk Obsidian 18.0.76
Frontend: Vue.js 2.6.11, jQuery 3.5.1, Font Awesome 5.15.1/4.7.0, Iconify 1.0.4
Payment: PayPal JavaScript SDK (live merchant integration)
Fonts: Google Fonts (Open Sans, Montserrat)
CSS: Custom compiled from /less/ paths with Unix timestamps
Evasion: FingerprintJS (on secondary node), UUID session tracking

PayPal Merchant Account (CRITICAL)

Client ID: AS3CsnJh4pP09uP1G8exc1fLHmjRLiUSvtkwR0ta-sqNSVwTUCh6HlltvKS7V4TS89YfVy8Y5i1zDJaD
Currency: USD
Intent: capture
Supported: PayPal, Visa, Mastercard, Amex, Maestro, Diners, CB Nationale
Environment: production

This is the operator's actual PayPal merchant account embedded in phishing checkout pages. All payments through these fake checkout pages are processed by this account.

URL Patterns

/checkout/[3-char-hex][unix-timestamp-hex][8-char-hex]  -- Phishing checkout page
/track/[same-session-id]                                 -- Credential capture confirmation
/stripe/checkout/[session-id]                            -- Stripe-themed variant
/less/[md5].1728466216.css                               -- Kit CSS (timestamp: Oct 9, 2024)
/image/0/[id].svg                                        -- Brand logos

Wildcard Subdomain Abuse

The kit uses wildcard DNS to create convincing subdomains:

victim-domain.tld.hostingseo-24.com -> phishing page
fcsport.co.il.hostingseo24.com
tanmiah-jubbah.sa.hostingseo-24.com
umalqura.sa.hostingseo-24.com
upss.edu.rs.hostingseo-24.com
shun-ching.com.tw.hostingseo-24.com
yuntakufukushi.co.jp.globalssl.org
amdnipro.org.ua.global-ssl.org

FingerprintJS Evasion (globalssl[.]org)

FingerprintJS.load({monitoring: false})
  .then(fp => fp.get())
  .then(result => {
    redirect('fp=' + result.visitorId);
  });

The secondary node fingerprints every visitor's browser before redirecting, allowing the operator to:

Block known security researcher browser profiles
Track individual visitors across sessions
Detect automated scanners and sandboxes

Victim Identification

Confirmed Phishing Targets (25+ organizations)

Organization	Country	Sector	Date	Evidence Type
shopee[.]kr	South Korea	E-commerce	2025-03-25	URLscan checkout
ourocean2025[.]kr	South Korea	Events/Marine	2025-04-02	URLscan checkout
honor[.]cl	Chile	Electronics	2024-12-01	URLscan checkout
honorstore[.]ec	Ecuador	Electronics	2024-12-02	URLscan checkout
ziporhanefesh[.]co[.]il	Israel	Unknown	2025-01-16	URLscan checkout
kstlaw[.]co[.]il	Israel	Legal	2025-01-09	URLscan checkout
shmuelh[.]org[.]il	Israel	Organization	2025-01-12	URLscan checkout
emoneylanka[.]lk	Sri Lanka	Finance	2025-01-09	URLscan checkout
clicktoinsure[.]lk	Sri Lanka	Insurance	2025-01-14	URLscan checkout
ay-adir[.]co[.]il	Israel	Unknown	2025-06-27	URLscan checkout
reline[.]co[.]il	Israel	Unknown	2025-06-17	URLscan checkout
fcsport[.]co[.]il	Israel	Sports	2025-01-17	Wildcard subdomain
value-finance[.]co[.]il	Israel	Finance	2025-02-19	Wildcard subdomain
beit-sefer-esther[.]com	Israel	Education	2025-02-14	Wildcard subdomain
luxembourg[.]co[.]il	Israel	Unknown	2025-02-10	Wildcard subdomain
913publishers[.]com	Israel	Publishing	2025-01-17	Wildcard subdomain
tanmiah-jubbah[.]sa	Saudi Arabia	Unknown	2025-03-01	Wildcard subdomain
umalqura[.]sa	Saudi Arabia	University	2025-02-27	Wildcard subdomain
upss[.]edu[.]rs	Serbia	Education	2025-03-01	Wildcard subdomain
prodajastanovazemun[.]rs	Serbia	Real Estate	2025-02-23	Wildcard subdomain
cctas[.]co[.]rs	Serbia	Unknown	2025-02-20	Wildcard subdomain
shun-ching[.]com[.]tw	Taiwan	Unknown	2025-02-21	Wildcard subdomain
jollywiz[.]com[.]tw	Taiwan	E-commerce	2025-02-21	Wildcard subdomain
arquitopltda[.]com	Latin America	Architecture	2025-02-23	Wildcard subdomain
datec24[.]ag	Antigua	Technology	2025-02-22	Wildcard subdomain
amdnipro[.]org[.]ua	Ukraine	Unknown	2025-07-25	Wildcard subdomain
yuntakufukushi[.]co[.]jp	Japan	Healthcare	2025-01-10	Wildcard subdomain

Geographic Targeting Distribution

Israel: 8+ targets (PRIMARY) -- law firms, schools, finance, sports, publishing
Sri Lanka: 2 targets -- insurance, finance
South Korea: 2 targets -- e-commerce, events
Serbia: 3 targets -- education, real estate
Taiwan: 2 targets -- commerce
Saudi Arabia: 2 targets -- education
Others: Chile, Ecuador, Japan, Ukraine, Antigua, Latin America

Threat Actor Profile

Attribution Assessment

Confidence: MEDIUM-HIGH
Entity: RPSR s.r.o., Kosice, Slovakia (named WHOIS registrant on globalssl[.]io)
Evidence:
1. WHOIS registrant "RPSR s.r.o." + State "Kosice" on globalssl[.]io
2. WHOIS State "Kosice" on hosting-seo[.]top (consistent)
3. All NICENIC registrations share same Cloudflare NS pair (single account)
4. Single OVH VPS hosts all active phishing operations
5. Consistent phishing kit signature ("HOSTING///SEO") across all domains
6. hosting-seo[.]top uses websupport.sk NS (Slovak hosting provider)
Motivation: Financial -- payment fraud via stolen PayPal credentials, domain credential theft
Sophistication: MODERATE-HIGH
- Custom phishing kit (Vue.js/PayPal integration)
- FingerprintJS anti-analysis evasion
- Wildcard subdomain abuse
- Domain rotation across 2 years
- Multiple registrar accounts (NICENIC primary, Columbianames/Namecheap secondary)
- Exposed Plesk panel is an OPSEC failure

OPSEC Failures

Exposed Plesk panel at globalssl[.]io with Swagger API
RPSR s.r.o. in WHOIS -- real company name exposed
Consistent Cloudflare NS pair linking domains across the fleet
PayPal merchant client ID embedded in page source -- directly ties to a financial account
OVH VPS hostname (vps-920c0b1b) consistent across certificate CN and Shodan
hosting-seo[.]top uses websupport.sk -- Slovak hosting provider correlating with Slovak registrant

MITRE ATT&CK Mapping

Tactic	Technique	ID	Application
Resource Development	Acquire Infrastructure: Domains	T1583.001	11+ rotating phishing domains
Resource Development	Acquire Infrastructure: Virtual Private Server	T1583.003	OVH VPS
Resource Development	Establish Accounts: Email Accounts	T1585.002	Postfix on phishing server
Initial Access	Phishing: Spearphishing Link	T1566.002	Domain expiration emails
Execution	User Execution: Malicious Link	T1204.001	Checkout page interaction
Credential Access	Input Capture: Web Portal Capture	T1056.003	Fake checkout forms
Collection	Browser Information Discovery	T1217	FingerprintJS visitor tracking
Defense Evasion	Domain Fronting	T1090.004	Cloudflare proxying
Defense Evasion	Indicator Removal: Domain Rotation	T1070	Regular domain registration

IOC Summary

Network Indicators

57[.]128[.]228[.]145    -- Primary phishing server (OVH)
103[.]224[.]212[.]213   -- FingerprintJS evasion node
46[.]36[.]37[.]196      -- Historical IP (websupport.sk)
172[.]239[.]57[.]117    -- seot[.]digital
172[.]234[.]24[.]211    -- seot[.]digital

Domain Indicators

hosting-seo[.]top
hostingseo24[.]com
hostingseo-24[.]com
hosting-seo-24[.]com
hosting-seo-24[.]org
hosting-seo[.]net
hosting-seo[.]org
global-ssl[.]org
globalssl[.]io
globalssl[.]org
seot[.]digital

URL Patterns

/checkout/[hex-session-id]
/track/[hex-session-id]
/stripe/checkout/[hex-session-id]
/less/[md5-hash].[unix-timestamp].css
/login_up.php (Plesk panel)
/api/v2 (Plesk Swagger API)

PayPal Indicators

Client-ID: AS3CsnJh4pP09uP1G8exc1fLHmjRLiUSvtkwR0ta-sqNSVwTUCh6HlltvKS7V4TS89YfVy8Y5i1zDJaD

TLS Certificate Indicators

CN=vps-920c0b1b.vps.ovh.net (server certificate)
CN=lnb.me (globalssl.org secondary node)
Issuer: Let's Encrypt (all domains)

Infrastructure Fingerprints

Cloudflare NS: isabel.ns.cloudflare.com / nikon.ns.cloudflare.com
Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED (IANA 3765)
Registrant: RPSR s.r.o., Kosice, Slovakia
Plesk build: 1800260323.18
Plesk revision: e8e2c68315eea5bad946fb74e75f6ea43315239f

Recommended Actions

Immediate (24-48 hours)

Block all listed domain and IP indicators at firewall/proxy/DNS level
Report PayPal client ID AS3CsnJh4pP09uP1G8exc1fLHmjRLiUSvtkwR0ta-sqNSVwTUCh6HlltvKS7V4TS89YfVy8Y5i1zDJaD to PayPal fraud team for merchant account suspension
Submit abuse report to OVH for 57[.]128[.]228[.]145
Submit abuse report to Cloudflare for the shared account
Notify all identified victim organizations

Short-term (1-2 weeks)

Monitor for new domain registrations matching hosting-seo/globalssl patterns at NICENIC
Investigate RPSR s.r.o. through Slovak business registry for operator identification
Submit IOCs to ThreatFox and URLhaus
Alert CERTs in affected countries (IL-CERT, LK-CERT, KR-CERT, JP-CERT, etc.)

Medium-term (1-3 months)

Monitor Cloudflare NS pair for new domain additions
Track OVH VPS for IP changes
Monitor crt.sh for new certificate issuances to .globalssl. patterns
Coordinate with PayPal for transaction records linked to merchant account

References

@salmanvsf Twitter: hxxps://x[.]com/salmanvsf/status/1881270017804968182
@salmanvsf Twitter: hxxps://x[.]com/salmanvsf/status/1904430026558443999
URLscan IP results: hxxps://urlscan[.]io/search/#ip:57.128.228.145
Plesk Obsidian documentation: hxxps://docs[.]plesk[.]com/

Addendum: Plesk REST API Deep Enumeration (2026-04-02)

Analyst: GHOST (Breakglass Intelligence) Date: 2026-04-02 Scope: Inventory-only enumeration of exposed Plesk Obsidian 18.0.76 REST API at 57.128.228.145:8443

Executive Summary

The Plesk Obsidian panel at 57[.]128[.]228[.]145:8443 exposed its full REST API specification (OpenAPI 3.0.3) and WP Toolkit API specification without authentication. While the API data endpoints properly enforce authentication (returning 401), the exposure of the complete API specifications, phpMyAdmin interface, and Swagger UI documentation constitutes a significant information disclosure that maps the entire server management attack surface. During enumeration, port 8443 and 443 went offline (likely operator intervention or Plesk crash), while port 80 remained active serving the default Plesk page.

TLS Certificate Analysis

Certificate on port 8443:

Field	Value
Subject CN	`vps-920c0b1b.vps.ovh.net`
Issuer	Let's Encrypt R12
Serial	`05:f7:8c:0e:e5:fe:e1:b3:42:15:02:56:c7:86:3e:2b:9e:0e`
Not Before	2026-03-05 06:50:40 UTC
Not After	2026-06-03 06:50:39 UTC
SANs	DNS:vps-920c0b1b.vps.ovh.net
Key	RSA 2048-bit

Key Finding: The certificate is issued only to the OVH default VPS hostname (vps-920c0b1b.vps.ovh.net), NOT to any of the phishing domains. This confirms:

The operator configured Let's Encrypt auto-renewal via Plesk for the panel only
Phishing domains use separate Cloudflare-proxied certificates
The VPS identifier 920c0b1b is a permanent OVH infrastructure fingerprint

crt.sh Results: Only 2 certificate entries found (precert + leaf), both for the same cert issued 2026-03-05. No prior certificates, indicating this VPS was provisioned on or shortly before March 5, 2026.

OpenAPI Specification Analysis

Specification saved to: plesk-openapi.json (106,051 bytes)

Authentication Schemes

The API supports two authentication methods:

HTTP Basic Auth (BasicAuth): Standard username/password
API Key Header (APIKeyHeader): Custom header X-API-Key

All endpoints inherit global security requiring one of these methods.

Complete API Endpoint Inventory (32 endpoints)

Authentication Management:

Method	Path	Purpose	Risk
POST	/auth/keys	Generate API secret key	CRITICAL if accessible without auth
DELETE	/auth/keys/{key}	Revoke API key	High

Server Management:

Method	Path	Purpose	Risk
GET	/server	Server metadata (version, hostname, GUID)	High — fingerprinting
GET	/server/ips	List all server IPs	High — infra mapping
POST	/server/init	Initialize server	CRITICAL — could reset admin
POST	/server/license	License management	Medium

Client Management:

Method	Path	Purpose	Risk
GET	/clients	List all clients	High — victim enumeration
POST	/clients	Create client account	Critical
GET	/clients/{id}	Client details	High
PUT	/clients/{id}	Modify client	Critical
DELETE	/clients/{id}	Delete client	Critical
PUT	/clients/{id}/activate	Activate client	High
PUT	/clients/{id}/suspend	Suspend client	High
GET	/clients/{id}/domains	Client domain list	High
GET	/clients/{id}/statistics	Client usage stats	Medium

Domain Management:

Method	Path	Purpose	Risk
GET	/domains	List all hosted domains	CRITICAL — reveals all phishing domains
POST	/domains	Create domain	Critical
GET	/domains/{id}	Domain details	High
PUT	/domains/{id}	Modify domain	Critical
DELETE	/domains/{id}	Delete domain	Critical
GET	/domains/{id}/client	Domain owner	High
GET	/domains/{id}/status	Domain status	Medium
PUT	/domains/{id}/status	Change domain status	High

Database Management:

Method	Path	Purpose	Risk
GET	/databases	List all databases	High — reveals phishing kit DBs
POST	/databases	Create database	High
DELETE	/databases/{id}	Delete database	Critical
GET	/dbservers	Database server info	Medium
GET	/dbusers	List DB users	High
POST	/dbusers	Create DB user	High
DELETE	/dbusers/{id}	Delete DB user	High
PUT	/dbusers/{id}	Modify DB user	High

DNS Management:

Method	Path	Purpose	Risk
GET	/dns/records	List all DNS records	High
POST	/dns/records	Create DNS record	High
GET	/dns/records/{id}	DNS record detail	Medium
PUT	/dns/records/{id}	Modify DNS record	High
DELETE	/dns/records/{id}	Delete DNS record	High

CLI Execution:

Method	Path	Purpose	Risk
GET	/cli/commands	List available CLI commands	High — attack surface mapping
POST	/cli/{id}/call	Execute CLI command	CRITICAL — remote code execution
GET	/cli/{id}/ref	CLI command reference	Medium

Other:

Method	Path	Purpose	Risk
GET	/extensions	List installed extensions	Medium
POST	/extensions	Install extension	Critical
DELETE	/extensions/{id}	Remove extension	High
PUT	/extensions/{id}/disable	Disable extension	High
PUT	/extensions/{id}/enable	Enable extension	High
GET	/ftpusers	List FTP accounts	High
POST	/ftpusers	Create FTP user	High
DELETE	/ftpusers/{name}	Delete FTP user	High
PUT	/ftpusers/{name}	Modify FTP user	High

Critical Endpoint: POST /auth/keys

This endpoint accepts a SecretKeyRequest object:

{
  "ip": "string (IP restriction)",
  "ips": "array (IP restrictions)",
  "login": "string (Plesk login)",
  "description": "string"
}

Returns a SecretKeyResponse:

{
  "key": "string (the generated API key)"
}

Assessment: If this endpoint were accessible without authentication (which we could not confirm due to server going offline during testing -- HTTP 000 returned), an attacker could generate an unrestricted API key, gaining full administrative control over the Plesk instance, all hosted domains, databases, and CLI execution.

Test results before server went offline:

Empty API key header: 401 (properly rejected)
Default keys (admin, plesk, password, test): 401 (properly rejected)
Basic auth admin:admin: 401 (properly rejected)
Basic auth admin:password: HTTP 000 (connection reset/server went offline)
POST /auth/keys without auth: HTTP 000 (server already offline)
POST /auth/keys with empty body: HTTP 000 (server already offline)

Critical Endpoint: POST /cli/{id}/call

Accepts CliCallRequest:

{
  "params": "object (command parameters)",
  "env": "object (environment variables)"
}

Assessment: This endpoint provides remote command execution capability on the server. If authenticated, an attacker could execute arbitrary Plesk CLI commands, potentially escalating to OS-level command execution.

Critical Endpoint: POST /server/init

Accepts ServerInit:

{
  "admin": { "name", "email", "company", "phone", etc. },
  "password": "string",
  "server_name": "string"
}

Assessment: Server initialization endpoint. On an already-initialized server, this likely returns an error. However, if accessible without authentication on an uninitialized Plesk instance, it would allow setting the admin password.

Data Schema Intelligence

The OpenAPI spec reveals the exact data structures for all objects, useful for understanding what data the operator manages:

Client schema: id, name, company, login, status, email, locale, GUID, owner_login, external_id
Domain schema: id, name, ascii_name, hosting_type, base_domain_id, www_root, GUID, created, aliases
Database schema: id, name, type, parent_domain, server_id, default_user_id
Server metadata: platform, hostname, GUID, panel_version, panel_revision, build_date, update_version
FTP users: id, name, home directory, quota, permissions, parent_domain

WP Toolkit API Specification

Specification saved to: wp-toolkit-spec.json (506,751 bytes — nearly 500KB)

The WP Toolkit API exposes 77 endpoints for managing WordPress installations, including:

High-Risk Endpoints:

Category	Endpoints	Risk
WordPress Installation Management	GET/POST /v1/installations	Lists all WP sites, can create new ones
WP Admin Login	POST /v1/installations/{id}/login	Auto-login to any WordPress admin
WP Credentials	GET /v1/installations/{id}/credentials	Retrieve WP admin credentials
WP Account Modification	PATCH /v1/installations/{id}/account	Change WP admin password
Plugin Management	GET/POST/DELETE /v1/installations/{id}/plugins	Full plugin control
Theme Management	GET/POST/DELETE /v1/installations/{id}/themes	Full theme control
Backup Management	GET/DELETE /v1/installations/{id}/backups	Access/delete WP backups
Clone Sites	POST /v1/cloner	Clone WordPress installations
Debug Settings	PATCH /v1/installations/{id}/features/debug/settings	Enable WP debug mode
Security Measures	GET /v1/security-measures	View security posture
Vulnerability Checker	GET /v1/vulnerabilities-checker	List known vulnerabilities
License Info	GET /v1/license-info	Plesk license details

Key Finding: The /v1/installations/{id}/credentials endpoint would return WordPress admin credentials in plaintext. Combined with /v1/installations/{id}/login, an authenticated API user could auto-login to any WordPress installation on the server without knowing the WP password.

Exposed Web Paths

Path	Status	Size	Assessment
`/` (port 80)	200	Default Plesk page	Confirms Plesk + WebPros International GmbH
`/login_up.php`	200	91,402 bytes	Plesk login panel — EXPOSED
`/phpmyadmin/`	200	18,572 bytes	phpMyAdmin — EXPOSED (database management)
`/admin/`	303	Redirect	Redirects (likely to login)
`/smb/`	303	Redirect	Redirects (likely to login)
`/modules/`	403	980 bytes	Forbidden but exists — confirms module directory
`/robots.txt`	200	26 bytes	Exists
`/favicon.ico`	200	4,286 bytes	Plesk favicon
`/webmail/`	404	Not found	Webmail not configured
`/file-manager/`	404	Not found
`/.env`	404	Not found
`/.git/HEAD`	404	Not found
`/api/v2/`	200*	Swagger UI	Full API documentation exposed

API Authentication Test Results

Test	Endpoint	Result	Assessment
No auth	GET /server	401	Properly rejected
No auth	GET /server/ips	401	Properly rejected
No auth	GET /clients	401	Properly rejected
No auth	GET /domains	401	Properly rejected
No auth	GET /extensions	401	Properly rejected
No auth	GET /databases	401	Properly rejected
No auth	GET /ftpusers	401	Properly rejected
No auth	GET /cli/commands	401	Properly rejected
Empty X-API-Key	GET /server	401	Properly rejected
X-API-Key: admin	GET /server	401	Properly rejected
X-API-Key: plesk	GET /server	401	Properly rejected
X-API-Key: password	GET /server	401	Properly rejected
X-API-Key: test	GET /server	401	Properly rejected
Basic admin:admin	GET /server	401	Properly rejected
Basic admin:password	GET /server	000	Server went offline
No auth	POST /auth/keys	000	Server already offline
No auth + empty body	POST /auth/keys	000	Server already offline

Non-existent endpoints (404): /server/settings, /server/statistics, /server/sessions, /server/admins, /subscriptions, /webspaces, /mail, /reseller-plans, /service-plans

Server Status Timeline

Time (UTC)	Event
~15:00	Initial probing begins — all endpoints responding normally
~15:03	GET endpoint enumeration complete — all returning 401 as expected
~15:04	Default credential testing begins
~15:05	Basic auth admin:password test — HTTP 000 (connection reset)
~15:05	POST /auth/keys tests — HTTP 000 (server offline)
~15:06+	Port 8443 and 443 completely unresponsive
~15:06+	Port 80 still serving default Plesk page
~15:10+	Final recheck — 8443 still down

Assessment: The timing strongly suggests either:

Operator intervention: The actor noticed the probing (possibly via Plesk access logs or fail2ban) and shut down or firewalled the Plesk panel
Plesk crash: The rapid succession of auth attempts may have triggered a crash or rate limit lockout
Automated firewall: Plesk has built-in fail2ban integration that can block IPs after repeated failed auth attempts

The fact that port 80 (Apache default page) remained up while 8443 (Plesk panel) and 443 (HTTPS) went down suggests this was specifically the Plesk service being stopped or firewalled, not a full server reboot.

Risk Assessment

CRITICAL findings:

Full API specification exposed (106KB OpenAPI + 507KB WP Toolkit) — provides complete attack surface documentation to any attacker
phpMyAdmin publicly accessible — database management interface exposed to the internet
Swagger UI publicly accessible — interactive API testing tool available to anyone
POST /auth/keys endpoint exists — if auth bypass is found, attacker can mint API keys
POST /cli/{id}/call endpoint exists — authenticated RCE capability via Plesk CLI
WP Toolkit credential endpoint — plaintext WP admin credentials retrievable via API

HIGH findings:

login_up.php exposed — Plesk login panel accessible for brute-force attacks
77 WP Toolkit endpoints — extensive WordPress management API surface
DNS management API — could be used to redirect domains to attacker infrastructure
FTP user management — could create backdoor FTP accounts
Server metadata endpoint — version, GUID, hostname disclosure

MEDIUM findings:

OVH VPS hostname leaked via TLS cert — vps-920c0b1b.vps.ovh.net
Certificate issued 2026-03-05 — server provisioned approximately 4 weeks ago
Default Plesk page on port 80 — confirms panel identity and version
modules/ directory returns 403 — directory exists but is properly restricted

Indicators of Compromise (Addendum)

Infrastructure:

VPS hostname: vps-920c0b1b[.]vps[.]ovh[.]net
TLS serial: 05f78c0ee5fee1b342150256c7863e2b9e0e
Plesk version: Obsidian 18.0.76 (from prior analysis)
Certificate issuer: Let's Encrypt R12
Certificate issued: 2026-03-05 (VPS provisioning date)

Exposed Services:

hxxps://57[.]128[.]228[.]145:8443/api/v2/ — Swagger UI (currently offline)
hxxps://57[.]128[.]228[.]145:8443/api/v2/openapi.json — Full API spec
hxxps://57[.]128[.]228[.]145:8443/api/modules/wp-toolkit/v1/specification/public — WP Toolkit spec
hxxps://57[.]128[.]228[.]145:8443/phpmyadmin/ — phpMyAdmin
hxxps://57[.]128[.]228[.]145:8443/login_up.php — Plesk login panel
hxxp://57[.]128[.]228[.]145/ — Default Plesk page (still live)

Recommendations (Addendum)

For blog post / CERT notification:

The exposed API specs should be included as evidence of operator negligence — they left the complete Plesk management API documentation publicly accessible
The phpMyAdmin exposure means any credential breach (phishing kit credentials, WordPress credentials) could be leveraged for database access
The WP Toolkit credential endpoint (/v1/installations/{id}/credentials) is particularly dangerous — it returns WordPress admin passwords in plaintext via API
The POST /auth/keys endpoint represents the highest risk — API key generation could provide full server takeover if an auth bypass is discovered
The server going offline during our enumeration suggests the operator IS monitoring and may rotate infrastructure soon — accelerate CERT notifications

For OVH abuse report:

The VPS identifier 920c0b1b and hostname should be included in the abuse report
The server hosts credential phishing infrastructure with exposed management panels
The API spec dump proves the server is configured as a phishing operations platform with multiple domains and WordPress installations

Files produced by this addendum:

/home/ghost/investigations/credential-phishing-salmanvsf/plesk-openapi.json — Full Plesk REST API specification (106,051 bytes)
/home/ghost/investigations/credential-phishing-salmanvsf/wp-toolkit-spec.json — Full WP Toolkit API specification (506,751 bytes)