Production Server
ssh root@161.35.191.47 — the live droplet running everything except the mobile API.
System overview
| OS | Ubuntu 22.04.5 LTS (Jammy) · kernel 5.15.0-164 |
|---|---|
| Sizing | 1 vCPU · 1.9 GB RAM · 2 GB swap (~55% used — memory-constrained) · 49 GB disk (57% used) |
| Public IP | 161.35.191.47 · private 10.17.0.6 / 10.108.0.4 |
| Control panel | CloudPanel 2.5.3 at https://161.35.191.47:8443 (user clp, SQLite at /home/clp/htdocs/app/data/db.sq3) |
Request pipeline
Client → Nginx (80/443) → Varnish (6081) → Nginx (8080) → PHP-FPM
| Service | Version | Port | Scope |
|---|---|---|---|
| Nginx | 1.21.4 (CloudPanel) + system 1.24 | 80 / 443 / 8080 | Public |
| Varnish | 7.1.1 | 6081 | Public |
| Redis | 6.0.16 | 6379 | Localhost |
| Memcached | 1.6.14 | 11211 | Localhost |
| MySQL | 8.0.44 | 3306 / 33060 | listens on 0.0.0.0 |
| Postfix | — | 25 | Outbound SMTP |
| ProFTPD | — | 21 | cleartext FTP, public |
Virtual hosts
| Domain | Type | PHP | Webroot | Disk |
|---|---|---|---|---|
| hatch.social | WordPress 6.9.4 | 8.3 | /home/hatch/htdocs/hatch.social | 7.7 GB |
| www / www1.hatch.social | Redirect / alias | — | same | — |
| web.hatch.social | WordPress 6.9.1 | 8.0 | /home/hatch-web/htdocs/web.hatch.social | 2.5 GB |
| api.hatch.social | Laravel 9 API | 8.5 | /home/hatch-api/htdocs/api.hatch.social | 316 MB |
| dash.hatch.social | Laravel 9 Dashboard | 8.4 | /home/hatch-dash/htdocs/dash.hatch.social | 1.4 GB |
TLS uses custom certificates in /etc/nginx/ssl-certificates/. The hatch.social nginx config blocks two IPs (49.13.130.29, 52.59.43.236).
The two Laravel apps (verified 2026-06-08)
| Setting | api.hatch.social | dash.hatch.social |
|---|---|---|
| APP_ENV | local (should be production) | local (should be production) |
| APP_DEBUG | true (leaks stack traces) | true (leaks stack traces) |
| DB_HOST | localhost:3306 | DO Managed MySQL …ondigitalocean.com:25060 |
| DB_DATABASE | hatch-social-test (test data) | hatch-social (production) |
The API vhost on this droplet points at a test database — and the live mobile app doesn't call this host at all (it calls hatch-social.cstmpanel.com). It's unclear whether api.hatch.social is actually used in production or is a leftover staging endpoint.
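A read-only way to re-check the three settings flagged in the table above, as an added example that is not part of the original page or the project's tooling. The helper names `env_get`, `audit_laravel_env` and `write_sample_env` are hypothetical, the sample file is constructed from the table's api.hatch.social values, and treating every APP_DEBUG value that is not clearly false as enabled is a deliberately strict assumption.

```shell
# Added example, not the project's tooling; helper names and sample are constructed.
# env_get FILE KEY: dotenv lookup; handles export, padding, quotes, inline comments.
env_get() {
    awk -v key="$2" -v sq="'" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]*(export[ \t]+)?/, "", line)
            eq = index(line, "="); if (eq == 0) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/[ \t]+$/, "", k); if (k != key) next
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            q = substr(v, 1, 1)
            if (q == "\"" || q == sq) {       # quoted: keep text up to closing quote
                v = substr(v, 2); n = index(v, q)
                if (n > 0) v = substr(v, 1, n - 1)
            } else sub(/[ \t]+#.*$/, "", v)   # unquoted: drop inline comment
            val = v                           # a repeated key reports its last value
        }
        END { print val }
    ' "$1"
}

# audit_laravel_env FILE: one line per finding; returns 1 if any were found.
audit_laravel_env() {
    rc=0
    app_env=$(env_get "$1" APP_ENV)
    app_debug=$(env_get "$1" APP_DEBUG | tr '[:upper:]' '[:lower:]')
    db_name=$(env_get "$1" DB_DATABASE)
    [ "$app_env" = production ] ||
        { echo "$1: APP_ENV=${app_env:-<unset>} (should be production)"; rc=1; }
    case $app_debug in   # strict: anything not clearly false-like is flagged
        ''|false|'(false)'|0|null|'(null)'|empty|'(empty)') ;;
        *) echo "$1: APP_DEBUG=$app_debug (leaks stack traces)"; rc=1 ;;
    esac
    case $db_name in
        *test*) echo "$1: DB_DATABASE=$db_name (test data)"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample using the api.hatch.social values from the table.
write_sample_env() {
    cat > "$1" <<'EOF'
APP_ENV = local           # padded, with inline comment
export APP_DEBUG="true"   # quoted
DB_DATABASE='hatch-social-test'
EOF
}
t=$(mktemp); write_sample_env "$t"; audit_laravel_env "$t" || true; rm -f "$t"
```

The `.env` on disk is not necessarily what the app runs with when Laravel's config cache is in use, so a clean result here is a first check rather than proof.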
WordPress detail — hatch.social
- DB: hatch (MySQL, localhost) · table prefix uDFnVS0xv_
- Theme: OceanWP + OceanWP child · Builder: Elementor Pro
- Forms / marketing: FluentForm Pro, Gravity Forms (+ MailerLite, Webhooks), a custom referral-code system, Make/Integromat connector, MailerLite
- Performance: NitroPack, HTTP/3 cache engine, Cloudflare plugin
- wp-file-manager plugin present — historically a high-severity CVE target
PHP-FPM versions running
CloudPanel runs every PHP version 7.1 → 8.5 simultaneously. Only 8.0, 8.3, 8.4, 8.5 are assigned to sites; 7.1–7.4 are end-of-life and sitting idle, consuming memory on a 2 GB box.
Backups & cron
CloudPanel manages all cron from /etc/cron.d/clp: daily DB backup (7-day retention, 03:15), daily full app backup (keeps 3, 04:15), Let's Encrypt renewal, Cloudflare IP updates, session cleanup. Backups live under /home/clp/backups (1.1 GB) and per-site backups/ folders.
Security items found on this host
| Item | Status as of 2026-06-08 |
|---|---|
| PHP backdoor data.leuk.php (calls anggerishjxa.pages.dev/gong.php) | no longer present — was flagged 2026-02-11; verify how it got there and whether other shells remain |
| Suspicious hatcg.zip (15 MB, typo of "hatch") in WP root | still present (dated Feb 6) — verify legitimacy or remove |
| MySQL on 0.0.0.0:3306 + X-protocol 33060 | Verify DigitalOcean Cloud Firewall blocks external access |
| APP_DEBUG=true on both Laravel apps | confirmed live |
Full prioritized list on the Findings & Risks page.
hatch-vm.md and re-verified with live read-only SSH on 2026-06-08.