QND Security Audit Report

Infrastructure Audit Team · Confidential
March 22, 2026
Audit Window: Feb 22 – Mar 22, 2026 · 30 days · 5 Phases
Customer: QND (Qualanod)
Prepared by: Infrastructure Audit Team
Purpose: Breach Investigation
Classification: Confidential
Overall Audit Verdict — No Compromise Detected
No evidence of compromise or malicious use of the QND application or its host infrastructure was found during the 30-day audit window.

Clean: 7 findings confirmed secure
Scanning / Blocked: 4 attack categories, all blocked
Informational: 7 notes for awareness
Resolved: 2 items closed during audit

§ 1  Executive Summary

This report presents the findings of a security audit commissioned in response to a reported cyber attack targeting the customer's IT infrastructure. The scope of this investigation was to determine whether the QND web application and its associated host infrastructure were used as an ingress or egress vector in the reported attack.

The audit covered a 30-day observation window (February 22 – March 22, 2026), analysing all available log sources across the application stack, perimeter proxy, host system, and database. Five audit phases were conducted in sequence, with each phase informing the next.

The overall conclusion is unambiguous: the QND application and its underlying infrastructure showed no evidence of compromise, unauthorised access, or complicity in any malicious activity. All external attack probes detected during the window were automatically blocked by the perimeter proxy (Traefik) and fail2ban. No attacker IP ever received a successful HTTP 200 response from the application. All authenticated sessions in the application logs correspond to known, named users performing normal business operations.

§ 2  Infrastructure Audited

Layer                    | Component                      | Location / Address
Perimeter Proxy          | Traefik Docker (reverse proxy) | proxmox (192.168.0.13) — ports 80/443
Application Server       | IIS 10 on Windows Server 2022  | vv-webserver (192.168.0.11)
Application              | QND (ASP.NET / ABP framework)  | IIS ports 9004 (prod), 9007 (staging), 9008 (testing)
Database                 | SQL Server 2022 (MSSQL 16)     | vv-webserver
Remote Access Protection | SSH + fail2ban                 | proxmox
Host Firewall            | Proxmox VE Firewall            | proxmox

§ 3  Data Sources

  • IIS W3SVC Logs: Production (W3SVC1, port 9004) and staging/testing sites; 30-day access logs
  • Traefik Access Logs: Perimeter proxy logs; all inbound requests before IIS, including blocked traffic
  • fail2ban Logs: Automated ban records; IP bans, jail triggers, unban events over the 30-day window
  • SQL Server Error Logs (MSSQL 16): Login events, query errors, service restarts, agent job history
  • Auth Log / Syslog: SSH login attempts and PAM events on the proxmox host
  • Windows Event Log: Security events on vv-webserver; login events, account activity
  • PTC Windchill Advisory: Third-party security advisory (Phase 5) for QND upstream dependency
  • IP Reputation Lookups: WHOIS / ASN data for attacker IPs; used in Phase 4 correlation

§ 4  Findings

Clean Findings — 7 Items

Clean · IIS Production Log — No Suspicious Authenticated Sessions
All 146,596 HTTP 200 responses in the production IIS log originate from named application users performing normal business operations. No known attacker IP received a successful 200 response. Session distribution is consistent with normal working-hours usage patterns across the full 30-day window.

Clean · SQL Server Authentication — No Unauthorised Login Attempts
SQL Server login logs show only application service accounts and named DBA logins. No failed login storms, no logins from unexpected IP ranges. The SA account is disabled. No evidence of SQL injection attempts in the MSSQL error log.

Clean · SSH Access — No Unauthorised Access to Proxmox Host
SSH auth.log shows only authenticated key-based logins from known administrators. Numerous brute-force attempts were automatically blocked by fail2ban before any authentication was attempted. No successful logins were recorded from unexpected sources.

Clean · Windows Authentication — No Lateral Movement Detected
Windows Event Log on vv-webserver shows no pass-the-hash patterns, no unexpected NTLM authentications from external IPs, and no logon type 3 (network) events from unknown accounts during the audit window.
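The two screens named in this finding (network logons from accounts outside the inventory, and NTLM network logons sourced from outside the LAN) can be expressed as a filter over Security event 4624 records. The following is an added example, not the audit team's tooling or anything from vv-webserver: the event records are constructed in the shape of 4624 EventData, the account names and the `tmpuser` / `203.0.113.7` values are placeholders, and the known-account inventory is assumed.

```python
"""Screen Windows Security event 4624 (successful logon) records for network
logons from unknown accounts and NTLM network logons from outside the LAN.
Events below are constructed samples, not real records from vv-webserver."""
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")                 # subnet named in the report
KNOWN_ACCOUNTS = {"svc_qnd_app", "dba_admin", "ops_admin"}   # placeholder inventory

SAMPLE_4624 = [  # constructed; field names follow 4624 EventData
    {"EventID": 4624, "LogonType": "3", "TargetUserName": "svc_qnd_app",
     "IpAddress": "192.168.0.13", "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4624, "LogonType": "2", "TargetUserName": "ops_admin",
     "IpAddress": "-", "AuthenticationPackageName": "Negotiate"},
    {"EventID": 4624, "LogonType": "3", "TargetUserName": "VV-WEBSERVER$",
     "IpAddress": "::1", "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4624, "LogonType": "3", "TargetUserName": "tmpuser",
     "IpAddress": "192.168.0.77", "AuthenticationPackageName": "NTLM"},
    {"EventID": 4624, "LogonType": "3", "TargetUserName": "dba_admin",
     "IpAddress": "203.0.113.7", "AuthenticationPackageName": "NTLM"},
]


def is_external(ip_text):
    """True when the source address is neither local nor inside the LAN subnet."""
    if ip_text in ("-", "::1", "127.0.0.1"):
        return False
    try:
        return ipaddress.ip_address(ip_text) not in LAN
    except ValueError:
        return True   # unparseable source field: do not treat it as trusted


def suspicious_network_logons(events, known=KNOWN_ACCOUNTS):
    """Return (reason, event) pairs for LogonType 3 events that fail either screen."""
    known_lower = {k.lower() for k in known}
    flagged = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != "3":
            continue
        user = e.get("TargetUserName", "")
        if user.endswith("$"):
            continue   # computer accounts authenticate to themselves routinely
        if user.lower() not in known_lower:
            flagged.append(("unknown account", e))
        elif e.get("AuthenticationPackageName") == "NTLM" and is_external(e.get("IpAddress", "-")):
            flagged.append(("external NTLM", e))
    return flagged


if __name__ == "__main__":
    for reason, event in suspicious_network_logons(SAMPLE_4624):
        print(reason, event["TargetUserName"], event["IpAddress"])
```

An empty result over the real 30-day export is what this finding reports; the inventory set is the part that has to be maintained for the check to stay meaningful.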
Clean · Traefik Perimeter — Attacker Traffic Fully Blocked
All 13,094 requests from identified attacker IPs received non-200 responses (301, 404, 403, 502, 499). Zero attacker requests were proxied successfully to the application layer. Traefik middleware correctly enforced geo-blocking and LAN-only restrictions throughout the audit window.

Clean · No Data Exfiltration Indicators in HTTP Response Sizes
HTTP response sizes in IIS logs show no anomalous large-body responses from the production site that would indicate data exfiltration. Bulk endpoints (inspectionReportDocument/GetFiltered) are only accessed by authenticated users during business hours, with response sizes consistent with normal inspection report queries.

Clean · Proxmox Firewall Rules — No Unexpected Port Exposure
The Proxmox VE firewall configuration confirms only ports 80/443 are internet-facing via Traefik. Port 1433 (MSSQL) is LAN-only. SSH (port 22) is internet-facing but protected by fail2ban and key-only authentication. No unexpected ports are open to the internet.

Scanning / Threat Actor Activity — 4 Categories (All Blocked)

All threat actor activity was successfully blocked at the perimeter. No scanning IP received a successful HTTP 200 response. Every probe was met with 301 redirect, 403 Forbidden, 404 Not Found, 502 Bad Gateway, or 499 Client Closed.
Scanning · Microsoft Azure Scanning — 12,926 Requests (Blocked)
Three Azure-hosted IPs conducted systematic HTTP scanning of the Traefik perimeter across the audit window: 20.151.11.236 (9,641 requests), 172.190.142.176 (2,927 requests), and 4.232.184.93 (358 requests). All requests received non-200 responses.

The origin ASN (Microsoft Azure) suggests automated reconnaissance infrastructure — common in credential stuffing and vulnerability scanning campaigns. The scanning pattern shows no evidence of application-layer exploitation success.

Scanning · Cloudflare Exit Node Scanning — 84 Requests (Blocked)
IP 104.28.246.116 (Cloudflare exit node / proxy) submitted 84 probing requests. All were blocked at the Traefik layer. The Cloudflare exit node pattern is consistent with evasion techniques used to rotate scanning IPs and obscure true attacker origin.

Scanning · Bulgarian IP Scanning — 84 Requests (Blocked)
IP 94.156.152.15 (Bulgaria, commercial hosting ASN associated with scanning infrastructure in threat intelligence databases) submitted 84 requests during the audit window. All resulted in 403/404/302 responses. The scanning cadence and request intervals are consistent with automated tooling.

Scanning · SSH Brute-Force Campaigns — 151 fail2ban Bans (30 days)
fail2ban recorded 151 automated IP bans over the 30-day audit window, with a peak of 13 bans recorded on March 22, 2026. All bans affected inbound SSH (port 22) and selected HTTP endpoints. No ban was associated with a successful authentication event. The ban volume is within normal range for an internet-facing SSH service.
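The daily ban distribution reported here, and the ban-time review in recommendation 07, both come straight out of the fail2ban log. The following is an added example, not the audit team's script: it parses the standard `fail2ban.actions` Ban/Unban lines, counts bans per day, lists IPs that were re-banned in the same jail (a sign that the ban-time is shorter than the attacker's retry interval), and measures how long each ban actually lasted. The log lines are constructed; the banned addresses are documentation-range placeholders, and the `traefik-critical` jail name is the one the recommendations section mentions.

```python
"""Daily ban histogram, repeat offenders and ban durations from a fail2ban log.
Lines below are constructed samples in fail2ban's standard log format, not
the proxmox host's real log."""
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2026-03-21 23:58:02,117 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2026-03-22 00:12:40,511 fail2ban.filter         [812]: INFO    [sshd] Found 198.51.100.9 - 2026-03-22 00:12:40
2026-03-22 00:12:41,003 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.9
2026-03-22 00:22:41,220 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2026-03-22 01:05:13,874 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2026-03-22 09:30:00,001 fail2ban.actions        [812]: NOTICE  [traefik-critical] Ban 94.156.152.15
2026-03-22 09:40:00,001 fail2ban.actions        [812]: NOTICE  [traefik-critical] Unban 94.156.152.15
"""

# Only the actions component records Ban/Unban; filter "Found" lines are ignored.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] "
    r"(?P<action>Ban|Unban) (?P<ip>\S+)$"
)


def parse_actions(text):
    """List of {date, time, jail, action, ip} dicts, one per Ban/Unban line."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def daily_bans(actions):
    """Ban count per calendar day, i.e. the daily distribution chart."""
    return Counter(a["date"] for a in actions if a["action"] == "Ban")


def peak_day(daily):
    """(day, count) with the most bans; ties resolve to the later day."""
    return max(daily.items(), key=lambda kv: (kv[1], kv[0]))


def repeat_offenders(actions, min_bans=2):
    """(jail, ip) pairs banned at least `min_bans` times: candidates for a longer bantime."""
    counts = Counter((a["jail"], a["ip"]) for a in actions if a["action"] == "Ban")
    return {key: n for key, n in counts.items() if n >= min_bans}


def ban_durations(actions):
    """Seconds between each Ban and its matching Unban per (jail, ip).
    Bans still open at the end of the log are not reported."""
    open_bans, durations = {}, defaultdict(list)
    for a in actions:
        key = (a["jail"], a["ip"])
        ts = datetime.strptime(a["date"] + " " + a["time"], "%Y-%m-%d %H:%M:%S")
        if a["action"] == "Ban":
            open_bans[key] = ts
        elif key in open_bans:
            durations[key].append(int((ts - open_bans.pop(key)).total_seconds()))
    return dict(durations)


if __name__ == "__main__":
    acts = parse_actions(SAMPLE_LOG)
    print("bans per day:", dict(daily_bans(acts)))
    print("peak:", peak_day(daily_bans(acts)))
    print("repeat offenders:", repeat_offenders(acts))
    print("ban durations (s):", ban_durations(acts))
```

Run against the real 30-day log, `daily_bans` reproduces the 151-ban histogram, and `repeat_offenders` together with `ban_durations` is the evidence base for deciding whether the jail's ban-time needs raising.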

Informational — 7 Items

Informational · IIS 404 Rate — 5.8% (9,577 requests)
5.8% of all IIS production requests resulted in 404 Not Found. The majority originate from automated scanners probing for common paths (/.env, /wp-admin, /phpinfo.php). None of these paths exist in the QND application. This rate is within expected range for an internet-facing application and does not represent a security finding.

Informational · HTTP 500 Error Rate — 0.3% (549 requests)
549 HTTP 500 responses were recorded in the IIS production log over the 30-day window. This rate is within normal operational range for an ASP.NET/ABP application. No spike pattern or correlation with attacker IP activity was found. The errors are concentrated at specific API endpoints that are candidates for result-set limiting (see recommendations).

Informational · Unvalidated Open Redirect in ABP Login returnUrl Parameter
The ABP framework login endpoint accepts a returnUrl query parameter that is not validated against an allow-list. This is a known ABP framework behaviour pattern. While not exploited during the audit window, it represents a phishing vector risk (open redirect) that should be addressed in an upcoming application release with an explicit returnUrl allow-list.
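The allow-list check this finding calls for is small but has several edge cases that a naive "starts with /" test misses. The following is an added illustration in plain Python, not ABP's or the QND application's code; the production fix belongs in the ASP.NET login flow (ASP.NET Core's `IUrlHelper.IsLocalUrl` covers the same-origin case), but the decision logic is the same. The host `qnd.example` used in the usage is a placeholder for whatever hosts the application legitimately redirects to.

```python
"""Allow-list validation for a login returnUrl parameter (added example)."""
from urllib.parse import urlsplit


def is_safe_return_url(url, allowed_hosts=frozenset()):
    """True only for a same-site relative path, or an absolute http(s) URL
    whose host is on the allow-list. Everything else falls back to the
    application's own landing page."""
    if not url or len(url) > 2048:
        return False
    # Backslashes, whitespace and control characters are interpreted
    # differently by browsers and URL parsers; reject rather than normalise.
    if any(ch == "\\" or ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False
    if url.startswith("/"):
        # "//host/..." is scheme-relative and leaves the site; a single "/" is local.
        return not url.startswith("//")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False          # javascript:, data:, bare host names, encoded slashes, ...
    if "@" in parts.netloc or parts.hostname is None:
        return False          # userinfo tricks such as https://good-host@other-host/
    return parts.hostname in {h.lower() for h in allowed_hosts}   # hostname is already lower-cased


def resolve_return_url(url, allowed_hosts=frozenset(), fallback="/"):
    """The value to redirect to after login: the requested URL if it validates, else `fallback`."""
    return url if is_safe_return_url(url, allowed_hosts) else fallback


if __name__ == "__main__":
    allowed = {"qnd.example"}   # placeholder allow-list
    for candidate in ["/App/Dashboard", "//other.example/x", "/\\other.example",
                      "https://qnd.example/App", "https://qnd.example@other.example/"]:
        print(candidate, "->", resolve_return_url(candidate, allowed))
```

The allow-list is deliberately a set of exact host names rather than a prefix or substring match, so `qnd.example.other.example` does not pass.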
Informational · Result-Set Limits Absent on inspectionReportDocument/GetFiltered
The inspectionReportDocument/GetFiltered endpoint does not enforce a maximum result-set size. Under load or with a malformed query, this can return large payloads causing HTTP 500 errors. No evidence of abuse was found in the audit window, but the endpoint should be hardened with server-side paging limits to prevent both DoS-style overload and potential data over-exposure.

Informational · MSSQL ERRORLOG History Not Archived
SQL Server is configured to retain only the default number of ERRORLOG files (6 cycles). Given that this audit required 30 days of log history, and the rollover rate on this instance means older logs are overwritten, longer retention is recommended to support future investigations. Consider configuring SQL Server Agent to archive ERRORLOG files to long-term storage.

Informational · Windows Firewall Logging Disabled on vv-webserver
Windows Firewall logging is not enabled on vv-webserver. This limits forensic capability in future investigations — inbound connection attempts below the IIS layer are invisible. Enabling Windows Firewall drop and accept logging with a rolling 30-day retention policy is recommended to improve investigation capability.

Informational · /dev/sdt SMART Pre-Failure Warning on Proxmox
SMART data for /dev/sdt (USB external archive drive, VR archive storage) shows a pre-failure attribute. This drive is not in the QND application stack and has no impact on the audit scope. However, drive replacement should be scheduled to avoid archive data loss. This is a hardware maintenance item, not a security finding.

Resolved — 2 Items

Resolved · Chrome Remote Desktop Service — Verified and Assessed
A Chrome Remote Desktop service was identified on vv-webserver at audit start. Investigation confirmed it was installed by a known administrator for legitimate remote management purposes. The service was assessed, the session history reviewed, and the recommendation was closed. No security risk was identified.

Resolved · Traefik Log Retention Extended to 90 Days
At audit inception, Traefik log retention was insufficient for a 30-day lookback. Log retention was extended to 90 days during Phase 1 of the audit. The extended configuration is now in production and will support future investigations without requiring emergency action.

§ 5  Phase 2: Supplemental Findings

Phase 2 Supplemental IIS Log Analysis — Staging & Testing Sites

Phase 2 extended the initial IIS analysis to include the staging (W3SVC2, port 9007) and testing (W3SVC6, port 9008) sites. These sites are not publicly accessible via Traefik — they are LAN-only and protected by IP restriction rules.

The supplemental analysis revealed no evidence of unauthorised access to either the staging or testing environments. All authenticated sessions map to known developers and testers. No attacker IP appeared in W3SVC2 or W3SVC6 logs.

A separate recommendation was raised to scan the W3SVC6 (testing) IIS logs more thoroughly for application-level errors that could indicate dependency vulnerabilities — separate from external access concerns.

The staging and testing environments use the same application codebase and database schema as production. Any vulnerability identified in production would apply to these environments, but their LAN-only access restriction significantly reduces their external attack surface.

§ 6  Phase 3: Network Gateway

Phase 3 UniFi Dream Machine SE — Perimeter Network Analysis

Phase 3 focused on the network perimeter via the UniFi Dream Machine SE (UDM-SE) acting as the LAN gateway (192.168.0.1). Gateway-level traffic was analysed for evidence of:

  • Outbound command-and-control (C2) connections from any host in the 192.168.0.0/24 subnet
  • Lateral movement between VLAN segments — cross-subnet traffic from vv-webserver
  • DNS anomalies — queries to newly registered or suspicious domains from any host
  • Inbound port-scanning or connection attempts not blocked at the Proxmox / Traefik layer

The gateway analysis found no evidence of outbound C2 traffic, lateral movement, or DNS anomalies attributable to any host in the QND application stack. All outbound connections from vv-webserver and the proxmox host were to known legitimate endpoints (Microsoft update infrastructure, Let's Encrypt ACME, NTP servers).

Gateway perimeter clean. No C2 traffic, no lateral movement, and no anomalous DNS activity detected at the UniFi gateway level across the full 30-day audit window.

§ 7  Phase 4: Traefik Log Correlation

Phase 4 Perimeter Proxy Log Deep-Dive — IP Correlation & Attack Attribution

Phase 4 conducted a detailed cross-correlation between Traefik access logs and IIS W3SVC production logs to determine whether any attacker IP that appeared in Traefik logs also appeared in IIS logs — which would indicate a bypass of perimeter controls.

Result: No attacker IP appeared in IIS logs. The complete list of identified attacker IPs from Traefik was compared against all IIS log IP fields for the same period. Zero matches were found. This confirms that Traefik's middleware (LAN-allow-list, geo-block, rate limiting) successfully prevented all scanning traffic from reaching the IIS application layer.
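The cross-correlation described above reduces to a few set operations once both logs are parsed. The following is an added worked example, not the audit team's tooling: it checks that no attacker IP was ever answered with HTTP 200 by the proxy, that no attacker IP appears in any IIS client-IP field (a non-empty result would mean the perimeter was bypassed), and additionally produces the IIS status-code breakdown from the Traffic Summary and the largest-response-per-endpoint spot-check from the exfiltration finding. The attacker addresses are the five the report attributes; the Traefik and IIS log lines are constructed samples, and the user name `jdoe`, the request paths and the `cs(X-Forwarded-For)` custom field are assumptions about how the logs are configured.

```python
"""Correlate Traefik perimeter logs with IIS W3SVC logs (added example).
All log lines are constructed samples, not the customer's real logs."""
import json
from collections import Counter, defaultdict

# The five attacker addresses named in the report's attribution list.
ATTACKER_IPS = {"20.151.11.236", "172.190.142.176", "4.232.184.93",
                "104.28.246.116", "94.156.152.15"}

# Constructed Traefik JSON access-log lines (field names are Traefik's own).
TRAEFIK_SAMPLE = """\
{"ClientHost":"20.151.11.236","RequestMethod":"GET","RequestPath":"/.env","DownstreamStatus":404,"StartUTC":"2026-03-01T02:11:09Z"}
{"ClientHost":"20.151.11.236","RequestMethod":"GET","RequestPath":"/wp-admin/","DownstreamStatus":403,"StartUTC":"2026-03-01T02:11:10Z"}
{"ClientHost":"94.156.152.15","RequestMethod":"GET","RequestPath":"/phpinfo.php","DownstreamStatus":404,"StartUTC":"2026-03-02T14:20:33Z"}
{"ClientHost":"192.168.0.42","RequestMethod":"GET","RequestPath":"/Account/Login","DownstreamStatus":302,"StartUTC":"2026-03-02T08:04:58Z"}
{"ClientHost":"192.168.0.42","RequestMethod":"GET","RequestPath":"/api/services/app/InspectionReport/GetAll","DownstreamStatus":200,"StartUTC":"2026-03-02T08:05:00Z"}
"""

# Constructed IIS W3C log: c-ip is the proxy, the forwarded header carries the real client.
IIS_SAMPLE = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(X-Forwarded-For) sc-status sc-substatus sc-win32-status sc-bytes time-taken
2026-03-02 08:04:58 192.168.0.11 GET /Account/Login - 9004 - 192.168.0.13 192.168.0.42 302 0 0 512 15
2026-03-02 08:05:00 192.168.0.11 GET /api/services/app/InspectionReport/GetAll - 9004 jdoe 192.168.0.13 192.168.0.42 200 0 0 18342 120
2026-03-02 08:06:10 192.168.0.11 GET /api/services/app/inspectionReportDocument/GetFiltered - 9004 jdoe 192.168.0.13 192.168.0.42 200 0 0 204800 950
2026-03-02 09:00:01 192.168.0.11 GET /favicon.ico - 9004 - 192.168.0.13 192.168.0.42 404 0 2 1402 3
"""

IP_FIELDS = ("c-ip", "cs(X-Forwarded-For)")   # every IIS field that can hold a client address


def parse_traefik(text):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_iis(text):
    """Parse a W3C extended log using its own #Fields directive, so column order never matters."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            records.append(dict(zip(fields, line.split())))
    return records


def statuses_by_ip(ips, traefik_records):
    """Per-IP Counter of the status the proxy returned, restricted to `ips`."""
    out = defaultdict(Counter)
    for r in traefik_records:
        if r["ClientHost"] in ips:
            out[r["ClientHost"]][int(r["DownstreamStatus"])] += 1
    return out


def served_200(ips, traefik_records):
    """IPs in `ips` that ever got HTTP 200 through the proxy; the report expects an empty set."""
    return {ip for ip, c in statuses_by_ip(ips, traefik_records).items() if c[200]}


def bypass_candidates(ips, iis_records):
    """Attacker IPs present in any IIS client-IP field; non-empty means the perimeter was bypassed."""
    seen = set()
    for r in iis_records:
        for field in IP_FIELDS:
            value = r.get(field, "-")
            if value != "-":
                seen.update(v.strip() for v in value.split(","))  # X-Forwarded-For may be a chain
    return set(ips) & seen


def status_breakdown(iis_records):
    """{status: (count, share%)} in the shape of the report's HTTP status table."""
    counts = Counter(int(r["sc-status"]) for r in iis_records)
    total = sum(counts.values())
    return {s: (n, round(100 * n / total, 1)) for s, n in sorted(counts.items())}


def max_bytes_by_path(iis_records):
    """Largest sc-bytes seen per URI stem, to compare with each endpoint's expected payload size."""
    largest = {}
    for r in iis_records:
        if r.get("sc-bytes", "-") != "-":
            path = r["cs-uri-stem"].lower()
            largest[path] = max(largest.get(path, 0), int(r["sc-bytes"]))
    return largest


if __name__ == "__main__":
    traefik, iis = parse_traefik(TRAEFIK_SAMPLE), parse_iis(IIS_SAMPLE)
    print("attacker IPs served 200:", served_200(ATTACKER_IPS, traefik))
    print("attacker IPs seen by IIS:", bypass_candidates(ATTACKER_IPS, iis))
    print("IIS status breakdown:", status_breakdown(iis))
    print("largest response per path:", max_bytes_by_path(iis))
```

Parsing IIS by its `#Fields:` directive rather than fixed column positions matters here: the correlation is only as good as the set of IP-bearing fields actually logged, and if the forwarded-for header is not captured, IIS only ever sees the proxy's address and the comparison is vacuous.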

IP attribution via WHOIS / ASN lookups confirmed the following sources:

  • 20.151.11.236 — Microsoft Azure (US East) — likely automated scanning infrastructure or a compromised Azure tenant
  • 172.190.142.176 — Microsoft Azure (US East) — same cluster / campaign as above
  • 4.232.184.93 — Microsoft Azure (Canada Central)
  • 104.28.246.116 — Cloudflare exit node (proxy evasion technique to obscure true attacker origin)
  • 94.156.152.15 — Bulgarian ASN, commercial hosting, associated with scanning infrastructure in public threat intelligence databases

Note on Azure-hosted scanners: The presence of scanning traffic from Azure IP ranges does not implicate Microsoft. Azure IPs are commonly abused by threat actors using compromised or free-tier Azure subscriptions to run scanning campaigns. This is a widely documented industry pattern.

§ 8  Phase 5: Third-Party Advisory (PTC Windchill)

Phase 5 PTC Windchill Security Advisory — Upstream Dependency Review

Phase 5 was initiated in response to a published security advisory from PTC relating to Windchill, an upstream system with potential integration points to the QND application. The advisory referenced a remote code execution (RCE) vulnerability in a specific version of the Windchill web interface.

The assessment determined:

  • The QND application's integration with PTC Windchill is read-only and one-directional — QND consumes Windchill data but does not write back or expose any Windchill-controlled surface area
  • The specific CVE referenced in the advisory affects the Windchill web interface directly, which is not exposed through the QND application
  • The QND host infrastructure (vv-webserver, proxmox) does not run any Windchill components

Conclusion for Phase 5: The PTC Windchill advisory does not affect the QND application or its host infrastructure. No remediation action is required on the QND side. The customer should consult with the Windchill system owners to determine if their Windchill deployment requires patching independently.

Action for customer: Verify with your PTC Windchill team that the CVE referenced in the advisory has been addressed on the Windchill host. This is outside this audit's scope but represents a prudent parallel action.

§ 9  Traffic Summary

Total IIS Requests (30 days): 165,022
Attacker Requests (Traefik): 13,094
fail2ban Bans (30 days): 151
HTTP 200 responses served to any attacker IP: 0
All 13,094 attacker requests received 301 redirect, 403 Forbidden, 404 Not Found, 502 Bad Gateway, or 499 Client Closed

IIS Production Traffic by HTTP Status — 165,022 total requests over 30 days. 88.8% HTTP 200, 5.8% HTTP 404, 3.5% HTTP 304, 1.0% HTTP 302, 0.3% HTTP 500, 0.08% HTTP 403, 0.03% HTTP 401.

Attacker Request Volume by Source IP — 13,094 total Traefik requests, all blocked at the perimeter, 0 received HTTP 200. 20.151.11.236 (Azure US-East): 9,641 requests; 172.190.142.176 (Azure US-East): 2,927 requests; 4.232.184.93 (Azure CA-Central): 358 requests; 104.28.246.116 (Cloudflare): 84 requests; 94.156.152.15 (Bulgaria): 84 requests.

fail2ban Bans — Daily Distribution: 151 total bans over 30 days (Feb 22 – Mar 22, 2026). Peak of 13 bans recorded on March 22, 2026. All SSH-related; no authenticated breaches.

IIS Production HTTP Status Breakdown

HTTP Status               | Requests | Share | Assessment
200 OK                    | 146,596  | 88.8% | Normal application traffic — all authenticated users
404 Not Found             | 9,577    | 5.8%  | Automated path scanning (/.env, /wp-admin, etc.) — no QND paths exposed
304 Not Modified          | 5,774    | 3.5%  | Normal browser cache validation — expected
302 Redirect              | 1,677    | 1.0%  | Normal application redirects (login, logout, HTTPS enforcement)
500 Internal Server Error | 549      | 0.3%  | Application errors — no spike pattern, candidates for result-set limiting
403 Forbidden             | 140      | 0.08% | Access control enforcing correctly — no privilege escalation attempts
401 Unauthorized          | 52       | 0.03% | Failed login attempts — within expected range, no brute-force pattern

§ 10  Recommendations

11 recommendations were identified during this audit. 2 were closed during the audit window. 9 remain open as operational improvements.

01 · Closed · Verify Chrome Remote Desktop Service on vv-webserver
   Confirmed legitimate — service verified, assessed, and documented by the audit team.

02 · Open · Rotate QND admin account credentials
   Precautionary rotation of the application admin account password as standard post-investigation hygiene.

03 · Open · Implement result-set limits on inspectionReportDocument/GetFiltered
   Add server-side maximum result-set enforcement to prevent 500 errors and data over-exposure under load.

04 · Open · Address unvalidated open redirect in ABP login returnUrl parameter
   Implement an allow-list for the returnUrl parameter to prevent phishing via open redirect exploitation.

05 · Done · Traefik log retention extended to 90 days
   Extended during Phase 1 of this audit. Now in production Traefik configuration.

06 · Open · Archive MSSQL ERRORLOG history
   Configure SQL Server Agent to archive ERRORLOG files before rotation; retain a minimum of 90 days of log history.

07 · Open · Tune fail2ban traefik-critical jail thresholds
   Review and tighten the ban threshold and ban-time for the Traefik jail to reduce the scanning window for persistent actors.

08 · Open · Enable Windows Firewall logging on vv-webserver
   Enable drop and accept logging with 30-day rolling retention to improve forensic capability for future investigations.

09 · Open · Investigate /dev/sdt SMART pre-failure warning on proxmox
   Schedule a drive health check and replacement plan for the USB archive volume showing a SMART pre-failure attribute.

10 · Open · Scan W3SVC6 (testing) IIS logs for application-level anomalies
   Perform a targeted review of the testing environment IIS logs for dependency-related application errors, separate from external access findings.

11 · Open · Remove duplicate SSH key entry in authorized_keys
   A duplicate public key entry was found in the proxmox authorized_keys file. Remove the duplicate to maintain a clean, auditable key inventory.

§ 11  Conclusion

Final Verdict: No Evidence of Compromise

The QND application was not used as an ingress or egress vector in the reported cyber attack. The audit examined all accessible log sources across five phases: IIS production and staging logs, Traefik perimeter proxy logs, fail2ban records, UniFi gateway traffic, SQL Server authentication logs, Windows Event Log, and a third-party PTC Windchill advisory.

All attack probes detected during the 30-day window were correctly rejected at the Traefik perimeter. No attacker IP received a successful HTTP 200 response. All authenticated activity in the application logs is from named users performing normal business operations. The database, SSH, Windows authentication, and network gateway layers show no signs of unauthorised access or lateral movement.

The remaining 9 open recommendations are purely operational hardening measures: credential rotation, result-set limits, open-redirect validation, Windows Firewall logging, MSSQL log archival, and SMART monitoring. None represents evidence of past compromise; all are standard post-audit improvements applicable to any mature IT infrastructure.