Findings & Risks
Consolidated, prioritized list across both servers and all repositories. This is an audit — nothing here has been changed; these are recommendations.
Summary: 3 Critical, 5 High, 5 Medium, 4 Low.
Critical
| # | Finding | Why it matters / recommendation |
|---|---|---|
| C1 | Unaccounted-for backend host. The shipping mobile app calls https://hatch-social.cstmpanel.com, which is not one of the two servers you were given. | This is where your live mobile users' data is flowing. You need access to it, its database, and its backups — or it's a single point of failure nobody controls. Find out who owns cstmpanel.com and get access. |
| C2 | Laravel apps run with APP_DEBUG=true and APP_ENV=local on both api.hatch.social and dash.hatch.social. | Debug mode exposes full stack traces, environment variables, DB credentials, and source paths to anyone who triggers an error. Set APP_DEBUG=false and APP_ENV=production, then php artisan config:cache. |
| C3 | Database dumps committed to a web-served folder. public/hatch-social (16).sql and public/u610221546_hatch_social (2).sql live in the backend repo's public/. | If deployed as-is they are downloadable over the web, and they sit in git history regardless. Remove them, scrub history (e.g. git filter-repo), and treat the data as potentially exposed. |
High
| # | Finding | Recommendation |
|---|---|---|
| H1 | Prior malware on production. A PHP backdoor (data.leuk.php, calling anggerishjxa.pages.dev/gong.php) was found on 2026-02-11. It is no longer present as of 2026-06-08. | Confirm the entry vector was closed. Audit WordPress admin users, scan for other web shells, and review access logs around February. The site was compromised once. |
| H2 | api.hatch.social points at a test database (hatch-social-test). | Either this endpoint is unused (the mobile app calls cstmpanel.com), or production traffic is hitting test data. Decommission it or point it at the correct DB — and clarify which API is authoritative. |
| H3 | MySQL listens on 0.0.0.0:3306 (and X-protocol 33060) on the production droplet. | Verify the DigitalOcean Cloud Firewall blocks 3306/33060 from the internet, or bind MySQL to localhost. |
| H4 | wp-file-manager plugin on hatch.social — a plugin with a history of critical RCE CVEs. | Update to the latest version or remove it if unused; it's a common compromise vector and the site has already been hit once. |
| H5 | Suspicious hatcg.zip (15 MB, misspelled "hatch") still sits in the WordPress web root. | Verify its origin/contents; if not a known-good backup, remove it. |
Medium
| # | Finding | Recommendation |
|---|---|---|
| M1 | Three duplicate mobile-app repos. HSF-Code, Hatch-Front-End-Code, and HSFE are the same app. | Make HSF-Code canonical; archive the other two so changes don't land in a dead copy. |
| M2 | 419 MB backend repo from committed storage/, public/, and 171 MB of user uploads. | Remove media/build artifacts from git; add them to .gitignore; serve uploads from object storage or the server filesystem. |
| M3 | Idle end-of-life PHP versions. PHP 7.1–7.4 FPM pools run on a 2 GB box despite no site using them. | Stop/disable unused PHP-FPM services to free memory (the box swaps at ~55%). |
| M4 | Production droplet is memory-constrained (1 vCPU / 2 GB, swap ~55%). | After pruning idle services, consider resizing if pressure remains. |
| M5 | "Backup" VM holds nothing. 206.189.206.251 is an empty default WordPress install serving no domain. | Repurpose as real staging or destroy it to stop paying for it. See Backup VM. |
Low
| # | Finding | Recommendation |
|---|---|---|
| L1 | iOS bundle identifier is the RN template default (org.reactjs.native.example.*). | Set a real bundle id (Android already uses com.hatchsocial) before App Store submission. |
| L2 | Cleartext FTP (ProFTPD, port 21) open on production. | Prefer SFTP over SSH; disable ProFTPD if unused. |
| L3 | WordPress version drift — 6.9.4 on hatch.social vs 6.9.1 on web.hatch.social. | Update both to the latest for consistency and security. |
| L4 | Stale copy dash.hatch.social1/ (654 MB) and leftover installer zips in WP plugin dirs. | Delete stale directories and installer archives from web roots. |
Suggested order of operations
- Turn off APP_DEBUG on both Laravel apps (C2) — minutes of work, immediate risk reduction.
- Track down hatch-social.cstmpanel.com and secure access to the real mobile backend + its database (C1).
- Purge the SQL dumps and uploads from git history (C3, M2); treat dumped data as exposed.
- Lock down MySQL (H3), confirm the malware vector is closed (H1), and patch/remove wp-file-manager (H4).
- Consolidate repos (M1), prune idle services (M3), and decide the staging VM's fate (M5).
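So the first fixes on this list can be verified rather than assumed, here is an added example (not part of the audit or of any Hatch repo): a read-only POSIX shell check for C2 (APP_DEBUG/APP_ENV), C3 (SQL dumps under public/) and H3 (MySQL bind-address). The deployment layout (.env, public/, my.cnf under one directory) and the fixture contents are assumptions constructed to mirror the findings.

```shell
# Added example, not part of the audit: read-only checks for C2 (Laravel debug/env),
# C3 (SQL dumps under public/) and H3 (MySQL bind-address). Fixture is constructed.

# Returns 1 if APP_DEBUG is enabled or APP_ENV is not "production".
check_laravel_env() {
  bad=0
  if grep -Eiq '^APP_DEBUG=(true|1|on)[[:space:]]*$' "$1"; then
    echo "FAIL: APP_DEBUG enabled in $1"; bad=1
  fi
  if ! grep -Eiq '^APP_ENV=production[[:space:]]*$' "$1"; then
    echo "FAIL: APP_ENV is not production in $1"; bad=1
  fi
  return $bad
}

# Returns 1 if any .sql or .sql.gz file sits anywhere under the web-served dir.
check_public_dumps() {
  count=$(find "$1" -type f \( -iname '*.sql' -o -iname '*.sql.gz' \) | wc -l | tr -d ' ')
  [ "$count" -eq 0 ] || { echo "FAIL: $count SQL dump(s) under $1"; return 1; }
}

# Returns 1 unless the last bind-address in the MySQL config is loopback.
check_mysql_bind() {
  addr=$(grep -E '^[[:space:]]*bind-address[[:space:]]*=' "$1" | tail -n 1 \
         | sed 's/.*=[[:space:]]*//' | tr -d ' \t')
  case "$addr" in
    127.0.0.1|localhost|::1) return 0 ;;
    *) echo "FAIL: bind-address is '${addr:-unset}' in $1"; return 1 ;;
  esac
}

# Constructed fixture reproducing the reported state (sample data, not the real servers).
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/public"
  printf 'APP_NAME=hatch\nAPP_ENV=local\nAPP_DEBUG=true\n' > "$d/.env"
  : > "$d/public/hatch-social (16).sql"
  printf '[mysqld]\nbind-address = 0.0.0.0\n' > "$d/my.cnf"
  echo "$d"
}

# Runs all three checks against one deployment directory; returns 1 if any fails.
audit_deployment() {
  rc=0
  check_laravel_env "$1/.env" || rc=1
  check_public_dumps "$1/public" || rc=1
  check_mysql_bind "$1/my.cnf" || rc=1
  return $rc
}
```

Run `audit_deployment /path/to/deployment` on each Laravel host after applying C2 and C3; a clean exit status means the three findings no longer reproduce.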