
@marcus-crane
Created December 20, 2017 05:45
Breakdown of the various VisualShower servers as of early 2017 | From a dead reversing project

Servers

VisualShower own a few different domains. They seem to run their own mail servers.

They own the following domains:

Summary

  • The company wiki requires nothing more than an email confirmation to register and login. This can easily be accomplished with nothing more than a simple proxy and a disposable email address service! A number of sensitive items can be seen, from the QA Team's Google Play account logins + passwords to a number of employees' birthdays, which a malicious user could incorporate into a social engineering attack.
  • At least 4 instances of the .git folder being included in the production release of subdomains. It's trivial for a user to view a list of branches or view deployment logs by piecing together contents from the .git folder.
  • The company GitLab instance requires nothing more than an email address to register. While it doesn't disclose any information due to everything being private, it is possible to view employee profiles and gather a sense of who works for the company. Perhaps a malicious individual could leverage this for use with social engineering attempts?
  • There are a few seemingly abandoned software installations that don't hold much information but still require no credentials to view.

Detailed Report

Below is a list of their subdomains and information about what their purpose is, what they serve and so on.

gshower.net itself does not have any ports open, nor returns any packets.

The registrant is Hwang Ji Woong, on behalf of VisualShower Corp., whose email is jwhwang@visualshower.com.

There are no stored results in the Internet Archive.

Port Service
80 HTTP
443 HTTPS

13.112.83.48 is home to a lone apache server that serves a blank index page over both http and https. I would assume that it's used for storing Beyond the Bounds: Season 1 assets as indicated by the name but that hasn't been confirmed yet.

The SSL cert is issued with the common name *.visualshower.com.

A robots.txt file exists which allows /webview/share and assets/images, which may mean that this domain serves the promotional banners seen inside Beyond The Bounds.

assets/images by itself produces a 403 Forbidden error which means it's likely a directory for storing, well, images.

webview/share generates the following PHP error:

A PHP Error was encountered

Severity: Warning

Message: Missing argument 1 for webview::share()

Filename: controllers/webview.php

Line Number: 615

It also serves the title Facebook Friends.

Port Service
80 HTTP

13.112.56.104 is home to a lone apache server that serves an error message purely via http. SSL is not available.

The error message is as follows:

A PHP Error was encountered

Severity: Warning

Message: session_start(): open(/var/www/html/btba-test//data/session/sess_kd2s701m6pivh39k81h12rlfq0, O_RDWR) failed: Permission denied (13)

Filename: helpers/session_helper.php

Line Number: 24

Interestingly, it exposes the internal file structure, in that the site is serving from /var/www/html/btba-test, which is the default for most web servers anyway.

Visiting webview/share generates the same error as before on top of the following additional error:

A PHP Error was encountered

Severity: Warning

Message: Missing argument 1 for webview::share()

Filename: controllers/webview.php

Line Number: 615

This subdomain reports all ports as filtered which may mean a firewall is deflecting all attempts to probe for ports.

I would have assumed this server contained assets for Blustone such as banners.

Port Service
80 HTTP -> 443
143 IMAP
443 HTTPS -> 5000
465 SSL/SMTP
587 SMTP
993 IMAPS
1723 PPTP*
5000 HTTPS -> 5001
5001 Synology DSM
5002 RFE*
5004 SSH
8080 HTTP-Proxy*
* = Purpose could not be confirmed. HTTP requests produced ERR_SSL_PROTOCOL_ERROR.

The name here is a dead giveaway. 218.39.84.179 is primarily a mail server but it also performs a number of other functions here.

80, 443, 5000 and 5001

Visiting the domain via a browser presents the login page for a HELIOS Synology DiskStation 6.1. This "DiskStation Manager" interface ships with all Synology NAS products.

Thankfully, the default "admin" login has been disabled.

Visiting Port 80 redirects to Port 443, which redirects to Port 5000 and finally to Port 5001, serving an invalid certificate. The certificate is not truly invalid, although it is issued by StartCom, who are discredited by Mozilla and Google.

The certificate has the Common Name devstudio.visualshower.com so we can assume these are the same server. It would appear to be using nginx as a reverse proxy to serve requests.

Chances are that this domain may not be configured properly and is serving traffic for devstudio as it may be considered the default.

5002

Interestingly enough, rather than using the default, this server provides SSH capability on Port 5002.

It also has an SSL cert with the CN ULTRA.devstudio.visualshower.com which is a non-existent domain as far as I am aware.

The root account is not disabled.

143, 465, 587 and 993

These are your standard secured and non-secured email ports. It seems the server runs an instance of Dovecot for mail services.

The secured ports serve an SSL certificate with the CN mail.visualshower.com.

Port Service
80 HTTP
443 HTTPS

Visiting this subdomain presents a nice big 500 Internal Server Error as follows:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

Additionally, a 301 Moved Permanently error was encountered while trying to use an ErrorDocument to handle the request.

Similar to btba-prd, it has the same directory structure and error messages.

Port Service
21 FTP
80 HTTP

This domain is home to VisualShower's main company Wordpress website. As such, an admin page can be found at /wp-admin and other assets are stored in /wp-includes/.

A sitemap can also be found at /sitemap.xml.gz.

This site, and the btb, bs and wi subdomains all render a 403 Forbidden when visiting /.git/, which likely indicates that they're deployed upon updates to a master branch within their self-hosted GitLab instance.

The site can also be managed using the FTP protocol.

The registrant is Woo Suk Lee, on behalf of VisualShower Corp., whose email is tmt@visualshower.com.

Port Service
80 HTTP
443 HTTPS

This subdomain serves as the promotional site for the mobile game Blustone.

The site is built using an open source PHP CMS called XpressEngine.

As mentioned in the entry for the root of the domain, it's deployed using Git and nmap is able to point out some interesting details about the repo:

Last commit message: prd commit
Remotes: http://git.vshower.com/spagetti/wi_brand_xe_gameshower.git
Project type: PHP application (guessed from .gitignore)

Mainly the remote is of interest as it confirms that the VS promo sites are indeed hosted out of their in-house GitLab instance, rather than just being an abandoned test install.
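A self-audit for the exposed .git folders described in the summary and confirmed above, as an added example that is not part of the original gist: it requests the same three files nmap reads (HEAD, config, logs/HEAD) and reports branch, remotes and last commit message if any of them are served. The fetch callable and the example.invalid host names are assumptions; the constructed sample reuses the remote URL reported on this page.

```python
import re
from typing import Callable, Dict, Optional
# Files that reveal remotes, branch and last commit once a deployment ships .git.
GIT_PATHS = (".git/HEAD", ".git/config", ".git/logs/HEAD")

def parse_git_config(text: str) -> Dict[str, str]:
    """Return {remote name: url} from the contents of .git/config."""
    remotes, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.match(r'\[remote "([^"]+)"\]', line)
        if section:
            current = section.group(1)
        elif line.startswith("["):
            current = None                 # any other section ends the remote block
        elif current and line.startswith("url"):
            remotes[current] = line.split("=", 1)[1].strip()
    return remotes

def last_commit_message(reflog: str) -> Optional[str]:
    """Return the message of the newest entry in .git/logs/HEAD, if any."""
    entries = [l.split("\t", 1)[1] for l in reflog.splitlines() if "\t" in l]
    return entries[-1].split(": ", 1)[-1] if entries else None  # "commit: msg" -> "msg"

def audit_git_exposure(base_url: str, fetch: Callable[[str], Optional[str]]) -> dict:
    """Audit one host. fetch(url) returns the body for an HTTP 200, else None."""
    bodies = {p: fetch(f"{base_url.rstrip('/')}/{p}") for p in GIT_PATHS}
    found = {p: b for p, b in bodies.items() if b is not None}
    report = {"exposed": bool(found), "paths": sorted(found)}
    if ".git/HEAD" in found:
        report["branch"] = found[".git/HEAD"].strip().split("refs/heads/")[-1]
    if ".git/config" in found:
        report["remotes"] = parse_git_config(found[".git/config"])
    if ".git/logs/HEAD" in found:
        report["last_commit"] = last_commit_message(found[".git/logs/HEAD"])
    return report

# Constructed stand-in for an exposed deployment (offline replacement for a real HTTP fetch).
SAMPLE_FILES = {
    ".git/HEAD": "ref: refs/heads/master\n",
    ".git/config": '[core]\n\tbare = false\n[remote "origin"]\n'
                   "\turl = http://git.vshower.com/spagetti/wi_brand_xe_gameshower.git\n",
    ".git/logs/HEAD": "".join(
        f"{'0' * 40} {'1' * 40} Dev <dev@example.invalid> 1500000000 +0900\t{act}\n"
        for act in ("commit (initial): init", "commit: prd commit")),
}

def sample_fetch(url: str) -> Optional[str]:
    return SAMPLE_FILES.get(url.split("/", 3)[3])  # strip "scheme://host/"
```

For a live run, pass a fetch built on urllib that returns the body only for 200 responses; a host that answers 403 for /.git/, as the main site above does, is reported as not exposed.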

Amazon CloudFront is used to speed up page delivery.

Although both an HTTP and an HTTPS version of the page are served, clients are never forced to upgrade to HTTPS, even though users are able to log in.

Forums are also available starting at /en and are also generated using XpressEngine.

Unsurprisingly, the administration portal is located at /admin.

Port Service
80 HTTP
443 HTTPS

This subdomain serves as the promotional site for the episodic mobile game Beyond The Bounds.

The findings are all largely similar to bs.visualshower.com above. The only proper difference is the skin over the CMS and the site content.

The last Git commit message was "ignore naver seo file." with the remote and other details being identical. This would lead me to assume that the repo structure is something like this:

- /wi_brand_xe_gameshower
  - /bs
  - /btb
  - /wi

Each site may be a subrepo that gets deployed as part of the larger wi_brand_xe_gameshower repo, with each subfolder being served to its respective domain name.

The default action for this site is to render the forums first, rather than the promo page.

Similarly, an admin portal is available at /admin.

As this subdomain points to the same IP address as mail.gshower.net, please refer above for results.

As this subdomain points to the same IP address as mail.gshower.net, please refer above for results.

This subdomain acts as a user registration page. It's generally used as the login form for the various forums, with a callback returning the user back to their originating domain.

As this subdomain points to the same IP address as mail.gshower.net, please refer above for results.

As this subdomain points to the same IP address as mail.gshower.net, please refer above for results.

This subdomain itself isn't used, however it is home to a few fourth-level domains which store game assets, most noticeably event banners.

Port Service
80 HTTP
443 HTTPS

This fourth-level domain acts as file storage essentially, with server response to snooping fans.

The most obvious place that this domain is referenced is in the source code for btb.visualshower.com which fetches its css and js content from here.

Sending a few requests confirmed that users are routed through a load balancer, indicating that it receives a sizable number of requests from users' game clients, as expected.

Port Service
80 HTTP
443 HTTPS

As this fourth-level domain carries out the same purpose as btb.static.visualshower.com, please refer above for results.

Port Service
80 HTTP
443 HTTPS

As with bs.visualshower.com and btb.visualshower.com above, this subdomain is the promotional site for the episodic mobile game White Island.

The only proper difference is the skin over the CMS and the site content.

As above, all Git details were the same except for the last commit message, which was "add icon for NAVER client webview".

The admin panel can also be found in the usual spot at /admin.

This domain mainly acts as a shortcut for the longer visualshower.com domain name, and acts as an alias for a number of services shared with gshower.net.

The registrant is Jang Hyuk Lim, on behalf of VisualShower Corp., whose email is tmt@visualshower.com.

The root domain itself isn't assigned to an IP address, however it does have an MX record pointing to helios.mail.visualshower.com.

Port Service
21 FTP
22 SSH
80 HTTP
135 MSRPC
443 HTTPS
2179 VMRDP
5000 RDRCT
8080 RDRCT
49153 ???
49154 ???
49163 ???
55055 ???
55056 ???

This subdomain has quite a few open ports, which you would expect for a server with dist(ribution) in the name, but ultimately it doesn't appear to do much from the outside.

OS estimation also believes it's a Windows Server, as evidenced by the MSRPC protocol on Port 135. Whether or not it truly does host that service is untested.

80, 443 and 8080

The above ports all redirect the user to http://dist.vshower.com/ota.

The /ota page has a login page requiring an ID and a password. It also displays the user's operating system, browser and user agent string. It also outputs the user agent string, although it's commented out.

The OTA page may be linked to http://ota.visualshower.com although its purpose isn't confirmed. One could assume OTA stands for Over the air but that doesn't reveal much without knowing the context it's designed for.

5000, 49153, 49154 and 49163

It's unknown what the purpose of these ports is. Visiting them in a browser starts to load something, but the connection never times out nor receives anything.

55055 and 55056

These two ports return no HTTP response, nor can their purpose be identified by nmap.

As this fourth-level domain points to the same IP address as mail.gshower.net, please refer above for results.

Helios is likely a reference to the Helios DSM system, rather than a mythological reference that VisualShower are usually fond of making.

Port Service
21 FTP
80 HTTP
443 HTTPS

This subdomain acts as a shortcut for potential job applications and redirects the user to join-test.vshower.com/register_v2.

Port Service
80 HTTP
443 HTTPS

This site acts as a portal for VisualShower job applicants.

Two versions of the login form exist, one at / and the other at /register_v2 which is the currently used form.

As this subdomain points to the same IP address as dist.gshower.net, please refer above for results.

Port Service
80 HTTP
443 HTTPS

This subdomain contains the "VisualShower OTA".

Visiting the site displays an empty table with the headings "Download", "Project Code", "Build Date", "Version", "Platform", "Service Type", "Comments", "PermaLink" and "Alias" which prompts the assumption that it serves as a file storage of sorts.

Poking around in the bundled JS assets reveals an API endpoint at, well, /api which accepts a few variations such as /api/files. All attempts are unauthorised to non-registered users as one would hope.

Port Service
21 FTP
22 SSH
80 HTTP
135 MSRPC
443 HTTPS
2179 VMRDP
5000 UPNP
8000 Redmine
8080 HTTP
49153 ????
49154 ????
49163 ????
55055 ????
55056 ????

Port 80 and 443

Interestingly, nothing but a simple HTML tag is rendered: <meta property="wb:webmaster" content="50ca26d2e4ae76a8" />.

Upon visiting the https:// version of the site, the browser warns that, as of writing, the certificate had expired on the 27th June, 2017.

Port 8000

This port hosts an instance of the Bitnami Redmine Stack, which is a Rails-based open source bug tracker.

Four projects are visible along with their descriptions and creation/modification timestamps.

Lantern (08/16/2013 11:00 am)
Lantern Earlgrey Porting Project

WICT2 (08/13/2013 12:37 pm)
VisualShower White Island 2 Project!

VS (07/29/2013 11:46 pm)
VisualShower Common

LTCB (07/28/2013 10:05 pm)
VisualShower LTCB Project!

Each project contains its own activity page, calendar, news feed and wiki although they're all empty.

While debatably misconfigured, it's nothing more than an abandoned installation that never gained much activity.

What little content there is will be discussed on each title's relevant discussion/research pages.

Port Service
80 HTTP

Similar to pv-dev.vshower.com, this domain responds on Port 80 with a single meta tag.

No other ports are open

This domain hosts something called StoryCard. The only viewable page is that of a login/registration page.

It may be an in-house style product from a collaborator such as Naver? It runs off the same CMS used for VisualShower's other sites.

nmap also extracts its remote, which is http://git.vshower.com/spagetti/sc_vshower.git. The last commit message was "change logo position".

Port Service
80 HTTP
443 HTTPS

This one is a pretty clear cut case. It hosts a DokuWiki instance.

Alarmingly, nothing more than an email activation is required to access this wiki which does contain a number of company related articles.

Any rogue user can easily gain access to all of the articles it contains, from harmless "How to clean the coffee filter" style documentation to the QA accounts (with passwords!!) used for Google Play testing and deployment.
