ollama
25 min read
FreeProfiling the Largest Identifiable Exposed AI Infrastructure on the Internet
Over 1,500 IPs from Shodan's exposed Ollama index were analyzed through ClusterHawk. After filtering 60% honeypots, 13 of 27 clusters pointed to one operator, XRUI TECHNOLOGY LIMITED, running identical nginx/MySQL/Ollama stacks with unauthenticated qwen3-vl inference across 35+ hosts.
By Chawkr Reports
13/03/2026
Profiling the Largest Identifiable Exposed AI Infrastructure on the Internet
Roughly 175,000 exposed Ollama servers sit on the internet right now: AI inference endpoints on port 11434 with no authentication, full API access, wide open for LLMjacking, model theft, and resource abuse. SentinelLabs, Censys, and Sysdig have all documented the problem. Sysdig documented LLMjacking in 2024, with stolen GPU compute monetized at over $46,000 per day; Pillar Security later attributed a specific campaign as Operation Bizarre Bazaar. No single scanner catches them all. Shodan had 1,531 indexed when we pulled our sample. We fed that into ClusterHawk and started building detection profiles.
We expected scattered misconfigured servers. What came back was something else entirely. Twenty-seven clusters. Thirteen of them sharing the same hosting provider, same software stack, same domain, same TLS fingerprints. The profiles ClusterHawk built were compound (15+ parameters each), and they all pointed to one operator. One JA3S hash. One JARM fingerprint. One domain. One deployment template. That's not a collection of forgotten installations. That's a fleet. And a fleet is detectable.
The operator is XRUI TECHNOLOGY LIMITED, a Hong Kong-registered hosting provider on AS153494 that advertises "the
best Dedicated Server for SEO experts" with "Multiple Class C IPs." Their infrastructure hosts a Chinese sports gambling
site called Sports Forum Focus Network on the domain wo2u.com. Sitting next to it, on every host, is an
unauthenticated Ollama instance running Alibaba's qwen3-vl vision-language model. No API key. No access controls.
Just there.
Executive Summary
We sampled 1,531 IPs from Shodan's exposed Ollama index and ran them through ClusterHawk. 919 were honeypots, 60% of the dataset. The remaining 610 real assets clustered into 27 groups, and 13 of those groups belonged to the same operator.
XRUI TECHNOLOGY LIMITED (AS153494, Hong Kong) runs identical nginx/MySQL/Ollama/Express stacks across hundreds of
hosts, all tied to wo2u.com and a Chinese sports gambling site. The infrastructure exposes Ollama 0.13.0 on port
11434 across 35+ hosts running Alibaba's qwen3-vl without authentication, MySQL 8.0.36 with 71 CVEs on
network-accessible port 3306, and BT Panel management interfaces on port 888. The cluster profiles combine 15+
parameters: TLS fingerprints, HTTP response hashes, organization identifiers, port configurations, domain data,
producing detection signatures specific enough to work as high-confidence indicators with minimal false positive risk.
Our analysis is passive: infrastructure fingerprinting from Shodan metadata, not traffic analysis. We can map the attack surface and build detection signatures, but whether these endpoints are already being abused is outside the scope of what passive scanning tells us. The exposure pattern is consistent with documented LLMjacking targeting. Below are five deployable detection rules, a hunting procedure, and the IOCs needed to track this infrastructure going forward.
The Dataset: 1,531 IPs, Three Stories
We started with a Shodan query, "Ollama is running", and pulled everything indexed. ClusterHawk's honeypot detection
immediately split the dataset:
| Category | Count | % of Total | Description |
|---|---|---|---|
| Honeypots | 919 | 60.0% | Deception infrastructure, flagged with 100% confidence |
| Clustered | 610 | 39.8% | Analyzed through ensemble clustering (27 clusters) |
| NIL | 2 | 0.1% | Insufficient data for classification |
Six out of ten IPs were honeypots. When 60% of the observable attack surface is deception infrastructure, you're looking at something every scanner, researcher, and threat actor already knows about. Ollama's zero-auth default has made it a magnet for both exploitation and monitoring.
The 610 that survived filtering are the real infrastructure. Everything below is based on that set.
The Operator: XRUI TECHNOLOGY LIMITED
The clustering result was immediate. Thirteen of twenty-seven clusters share the same hosting provider, software stack, domain, and TLS configuration. We've seen infrastructure convergence before: popular templates produce similar-looking clusters. This wasn't that. This was one operator running a centralized deployment across hundreds of hosts.
The Company
XRUI TECHNOLOGY LIMITED operates AS153494 out of Hong Kong, registered at Hang Fung Industrial Building, Hunghom. They market themselves as a dedicated server provider for "SEO experts" offering "Multiple Class C IPs," designed for operators who need IP diversity across separate /24 subnets, typically for search engine manipulation or content distribution.
Their operational infrastructure sits in the 103.192.40-43.x range, spanning four /24 subnets. Consistent with their pitch: different Class C blocks to create the appearance of distributed, independent infrastructure.
The Domain: wo2u.com
Every well-formed XRUI cluster resolves to wo2u.com: 100% prevalence across all operational groups. The domain serves
a Chinese-language sports forum under the title 球坛焦点网 (Sports Forum Focus Network). HTTPS responses carry a
consistent favicon hash (-1095953614) across all clusters.
The content matters. Sports forum content in Chinese, hosted on SEO-optimized infrastructure with multiple Class C IPs, managed through BT Panel: this is a Chinese web hosting operation. The Ollama deployment sits alongside this web platform, not instead of it. Someone added AI capabilities to an existing hosting business and never locked the door.
That's the charitable reading. But 35 public-facing hosts running qwen3-vl with Ollama reachable from the internet isn't someone who forgot to close a port. It's a deployment decision repeated across an entire fleet. A hosting provider selling "SEO servers," running a Chinese sports gambling site (a legally grey activity commonly hosted offshore through Hong Kong), with unauthenticated AI inference endpoints open to the internet at scale. This could be negligence. It could also be intentional: inference-for-hire, proxy infrastructure for LLMjacking resale, or AI services offered through channels we can't observe from Shodan metadata. Our passive analysis can't tell the difference. What we can say is that the infrastructure looks indistinguishable from what purpose-built LLMjacking staging would look like.
The Software Stack
The uniformity is the finding. Across 13+ clusters, every operational host runs the same thing:
| Component | Version | Ports | Prevalence |
|---|---|---|---|
| nginx | Current | 80, 82, 443, 8083 | 89-100% per cluster |
| MySQL | 8.0.36 | 3306 | 86-100% per cluster |
| Ollama | 0.13.0 | 11434 | 100% in AI clusters |
| Express/Node.js | Standard | 3000 | 86-88% per cluster |
| BT Panel | Current | 888 | 96-100% in web clusters |
Same everything, across hundreds of hosts. A single deployment template pushed to every server, which also means a single point of failure. One vulnerability in the shared stack compromises every node.
TLS Fingerprints: The Digital Watermark
The TLS configuration is where attribution becomes detection. The consistency here only comes from automated certificate management:
| Type | Value |
|---|---|
| JA3S | 574866101f64002c6421cc329e4d5458 |
| JARM | 3fd3fd0003fd3fd21c42d42d000000bdfc58c9a46434368cf60aa440385763 |
| TLS Version | TLSv1.3 with AES-256-GCM-SHA384 |
| Certificate Issuer | Let's Encrypt R13 |
| Certificate Subject | wo2u.com |
| Issued | 2025-12-29 |
| Expires | 2026-03-29 |
The JA3S + JARM combination is a strong attribution anchor. Combined with the consistent certificate subject
(wo2u.com), issuer (Let's Encrypt R13), and cipher configuration, the resulting detection signature has high
specificity. The cluster profiles use 15+ fields, which means they describe the XRUI deployment template and very little
else. Any asset matching this TLS configuration alongside the HTTP and domain indicators is XRUI infrastructure with
high confidence.
The Let's Encrypt certificates follow a predictable 3-month rotation. Current certificates were issued December 29, 2025
and expire March 29, 2026 (19 days from the date of this analysis). Certificate Transparency logs for wo2u.com
will show renewal activity leading up to expiration, a predictable temporal anchor for monitoring.
Clustering Results: 27 Clusters, Five Operational Tiers
We ran the 610 filtered assets through ClusterHawk. Twenty-seven clusters fell out, organized into five operational tiers, most belonging to the same entity.
Quality Assessment
| Rating | Count | Percentage |
|---|---|---|
| Good | 7 | 25.9% |
| OK | 19 | 70.4% |
| Bad | 1 | 3.7% |
Seven Good-rated clusters with excellent internal stability and separation. One achieved the best separation score in the entire dataset. The single Bad-rated cluster is a catch-all for 160 assets that lacked enough distinguishing features for more specific grouping.
The Five Tiers
| Tier | Clusters | Assets | Role | Detection Priority |
|---|---|---|---|---|
| XRUI Web+AI Platform | 13 | ~183 | Full-stack web hosting with AI inference | HIGH |
| Minimal Feature | 6 | 258 | Fewer distinguishing features — minimal-service or pre-template hosts | MEDIUM |
| Database-Only | 4 | ~16 | MySQL instances on Amazon infrastructure | MEDIUM |
| TLS-Only | 1 | 3 | Encrypted endpoints — possible VPN/C2 | LOW |
| Outliers | 1 | 142 | Transitional infrastructure, mixed configs | HIGH |
The XRUI Web+AI Platform tier is the core: 13 clusters sharing the same stack, TLS fingerprints, and domain. What differentiates them internally is service combination: some run BT Panel, others don't; some have Ollama, others are web-only; port profiles vary. ClusterHawk separated what looked like uniform infrastructure into distinct deployment configurations, each with its own operational role and detection signature.
Infrastructure Progression
The clustering reveals what looks like a deployment lifecycle:
Minimal Feature
→ Database Provisioning
→ Full Operational Platform
→ Transitional/Reconfiguring
Hosts in the minimal-feature clusters may be early in the provisioning pipeline, running Ollama (how they entered the dataset) but not yet carrying the full web stack. Database clusters on Amazon infrastructure represent backend provisioning. Fully operational clusters have the complete template deployed. The outlier cluster (142 assets) contains infrastructure in transition: mixed XRUI and non-XRUI hosting, mixed TLS versions. In threat hunting, assets in motion are the ones worth watching.
The Exposed AI Surface: Ollama Without a Lock
Ollama binds to 127.0.0.1:11434 by default: localhost only. Getting it on the internet requires setting
OLLAMA_HOST=0.0.0.0 and making the port reachable, whether through a public IP, port forward, reverse proxy, or just
no firewall rule. In XRUI's case, these hosts sit on public infrastructure with port 11434 answering directly. No
authentication, no API key, no TLS. The full API (model enumeration, inference, model download, and filesystem access on
older versions) is available to anyone who can reach the port. Across our dataset, 35+ hosts in the XRUI AI clusters
run Ollama 0.13.0 with qwen3-vl loaded and accessible.
What's Exposed
The Ollama API on these hosts allows unauthenticated:
- Model enumeration (
/api/tags) reveals qwen3-vl and smollm2:135m are loaded - Arbitrary inference (
/api/generate) lets anyone submit prompts and get responses - Model metadata (
/api/show) exposes system prompts, model configuration, parameters - Model exfiltration (
/api/push): CVE-2024-39720 enables model weight theft
The qwen3-vl deployment stands out. Alibaba's multimodal vision-language model processes both text and images. Running it across 35+ hosts suggests either a production AI service or development at meaningful scale. Either way, every instance is a free inference endpoint for anyone who finds it.
Vulnerability Assessment
| CVE | Impact | EPSS | Status on 0.13.0 |
|---|---|---|---|
| CVE-2025-15514 | DoS via malformed base64 images | 0.43 | Vulnerable |
| CVE-2024-39719 | Model enumeration via /api/tags | — | Vulnerable |
| CVE-2024-39720 | Model exfiltration via /api/push | — | Vulnerable |
| CVE-2024-39721 | DoS via /api/create | — | Vulnerable |
| CVE-2024-39722 | Path traversal info leak via /api/push | — | Vulnerable |
| CVE-2024-37032 (Probllama) | Path traversal → RCE | Critical | Patched (affects pre-0.1.34) |
Credit where it's due: they're running 0.13.0, well past the patch for CVE-2024-37032, the critical path traversal RCE that hit versions before 0.1.34. Probllama isn't a factor. But CVE-2025-15514 (DoS via malformed base64 images, EPSS 0.43) hits every Ollama instance in the dataset.
The real vulnerability isn't any single CVE. It's the architecture. Ollama ships with zero authentication by default. The operator deployed it without adding any. Every AI endpoint in this infrastructure is simultaneously a free inference engine, a model theft target, and a resource abuse vector. No patch fixes that.
The LLMjacking Threat
Sysdig documented this pattern as LLMjacking: attackers find exposed Ollama endpoints, proxy them through OpenAI-compatible reverse proxies, and resell access on Discord and Telegram. Stolen GPU compute has been monetized at over $46,000 per day per compromised fleet. Pillar Security later attributed a specific campaign as Operation Bizarre Bazaar, and SentinelLabs independently documented this infrastructure surface in its Silent Brothers research.
The XRUI infrastructure is a textbook target: unauthenticated Ollama API, production-scale model deployments, co-located web infrastructure for proxy hosting. These endpoints don't need to be "compromised" in any traditional sense: there's nothing to compromise. Anyone who finds them can query the models, enumerate the configuration, and exfiltrate weights. Shodan already indexed them. The API returns HTTP 200. The question isn't whether abuse is possible. It's how much is already happening, and passive analysis can't answer that.
The Co-Located Vulnerability Chain
The Ollama exposure doesn't exist in isolation. Every AI endpoint sits alongside a full web application stack, and the co-location creates a multi-stage attack chain worse than any single vulnerability.
The Stack on Every Host
Taking the primary AI inference cluster (35 hosts) as representative:
| Port | Service | Hosts | Attack Surface |
|---|---|---|---|
| 11434 | Ollama API | 35/35 (100%) | Unauthenticated AI inference |
| 8083 | nginx (web) | 35/35 (100%) | Web application vulnerabilities |
| 3306 | MySQL 8.0.36 | 30/35 (86%) | 71 CVEs, network-accessible |
| 3000 | Express/Node.js | 30/35 (86%) | API gateway, potential RCE |
| 80/443 | nginx (HTTP/S) | 31/35 (89%) | Web content, certificate data |
| 82 | nginx (alt HTTP) | 31/35 (89%) | Alternative web endpoint |
| 888 | BT Panel | Varies | Full server management interface |
MySQL: 71 CVEs on Port 3306
MySQL 8.0.36 on port 3306 across the XRUI clusters carries 71 CVEs with an average EPSS of 0.32. The top vulnerabilities (CVE-2026-21964, CVE-2024-21087, CVE-2024-21069) appear on MySQL hosts in the largest web cluster (25 hosts, 71 CVEs, 69 high-risk). CVE-2024-21130 (EPSS 0.39) spans nine clusters: "easily exploitable vulnerability allows high privileged attacker with network access to cause complete DoS of MySQL Server."
None are listed as Known Exploited Vulnerabilities (KEV), suggesting limited real-world exploitation so far. But the MySQL instances are network-accessible on 59+ hosts in the outlier cluster alone, unpatched. Network exposure plus vulnerability density creates a database exfiltration surface that compounds the Ollama risk.
BT Panel: The Management Interface
BT Panel (宝塔面板) is a Chinese server management platform: a web-based control panel for Linux servers. It runs on port 888 across 96-100% of hosts in the web-serving clusters, returning HTTP 403 (access denied but confirming presence). Full administrative access: file management, database access, process control, terminal.
For an attacker who gets in through Ollama or MySQL, BT Panel is the escalation path. For a defender, port 888 with
title hash -1030444411 is a reliable indicator of Chinese-managed server infrastructure.
The Attack Chain
1. Discovery → Shodan/Censys identifies Ollama on port 11434
2. Enumeration → /api/tags reveals qwen3-vl and smollm2 models
3. Inference → /api/generate confirms unauthenticated access
4. Model Theft → /api/push + CVE-2024-39720 exfiltrates model weights
5. Lateral Move → Express.js (3000) and MySQL (3306) on same host
6. Escalation → BT Panel (888) or nginx misconfiguration
7. Persistence → Deploy reverse proxy, cryptominer, or C2 agent
Every step is validated by the clustering data. The services are co-located. The ports are open. The authentication is absent. Whether anyone has walked this chain is unknown. But the path is clear.
Anomaly Intelligence: 31 Critical IPs
ClusterHawk's anomaly detection flagged 31 IPs (5.1% of the clustered dataset) as CRITICAL. No intermediate levels. The scoring measures neighbor consistency across clustering runs: how often an IP gets grouped with the same peers, how stable its neighborhood is, how many distinct clusters it touches. IPs that land in different clusters with different neighbors across runs are the ones behaving differently each time the algorithms evaluate the data.
Top 10 Most Anomalous
| IP | Score | Distinct Clusters | Noise Freq | Key Pattern |
|---|---|---|---|---|
| 46.4.104.83 | 18.46 | 5 | 0.21 | Hetzner — very small clusters, high instability |
| 16.52.157.76 | 17.96 | 7 | 0.00 | Cloud — low neighbor consistency, large cluster variance |
| 51.16.40.30 | 17.25 | 10 | 0.00 | AWS — 10 distinct clusters, never classified as noise |
| 131.100.25.162 | 16.74 | 5 | 0.17 | Completely different neighbors across runs, high ratio |
| 3.17.173.171 | 16.74 | 10 | 0.00 | AWS — identical features to 51.16.40.30 |
| 180.102.134.42 | 16.74 | 8 | 0.21 | Chinese ISP — very small clusters, high noise frequency |
| 18.169.162.191 | 16.74 | 10 | 0.00 | AWS EU — identical pattern to 3.17.173.171 |
| 177.71.167.32 | 15.44 | 9 | 0.04 | Brazilian — moderate instability across 9 clusters |
| 98.93.255.189 | 15.26 | 7 | 0.00 | US — low neighbor consistency, never noise |
| 3.12.148.157 | 15.26 | 7 | 0.00 | AWS — identical instability pattern to 98.93.255.189 |
The Distribution: Not Where You'd Expect
The anomaly list is dominated by non-XRUI infrastructure: cloud providers, European hosting, Chinese ISPs, South American networks. Only 3 of 31 belong to the XRUI 103.192.x.x range (103.192.40.180, 103.192.40.131, 103.192.43.146). The remaining 28 are scattered across AWS, Hetzner, Alibaba Cloud, Oracle, and various regional providers.
Makes sense. The XRUI infrastructure is uniform (same stack, same template, same fingerprints), so it clusters stably.
The anomalous IPs are the ones that don't fit any stable pattern. They entered the dataset through the
"Ollama is running" query but share little else with each other or with the XRUI fleet.
Identical Twins: Coherent Sub-Groups in the Noise
Several anomalous IPs share identical detailed features: same neighbor consistency, same stability scores, same unique neighbor ratios, meaning the clustering treats them identically across all runs. These aren't random outliers. They're coherent sub-groups the primary clustering can't stably assign:
AWS cluster (4 IPs: 16.52.157.76, 3.12.148.157, 98.93.255.189, 15.160.190.49): 7 distinct clusters, zero noise frequency, identical neighbor consistency (0.683). Cloud instances with enough shared characteristics to always land together but not enough to form their own stable cluster.
Small-cluster group (6 IPs: 46.4.104.83, 16.171.116.149, 1.13.19.44, 86.20.251.127, 188.245.187.245, 65.108.236.217): 5 distinct clusters, high neighbor consistency (0.835) but very small cluster sizes (mean 24.4). They stick together but get placed in tiny, unstable clusters that shift between runs.
High-ratio group (4 IPs: 131.100.25.162, 192.227.177.10, 47.101.61.248, 121.43.140.23): the most unstable sub-group. Completely different neighbors in some runs, unique neighbor ratio of 4.28 (grouped with 4x more unique IPs than their cluster size across runs), lowest neighbor stability (0.380) of any group. These genuinely don't belong anywhere.
The XRUI Anomalies
The three XRUI IPs, 103.192.40.180 (score 12.06), 103.192.40.131 (score 11.89), and 103.192.43.146 (score 11.89), sit at the lower end of the anomaly spectrum. 103.192.40.180 has low neighbor consistency (0.508) and high unique neighbor ratio (2.29), suggesting it shares some but not all features with the standard template. The other two have high neighbor consistency (0.908) but land in 9 distinct clusters with noise frequency of 0.125, mostly stable but occasionally breaking from the pack. Likely XRUI hosts with partial or non-standard deployments.
Noise Re-Analysis: What the Outliers Reveal
We weren't done with the outliers. The 142 IPs in the outlier cluster were too inconsistent for clean classification, but "too inconsistent" is itself a signal. We re-clustered them separately, producing 8 noise clusters and 30 similarity groups. The results reinforced the XRUI story from a completely different angle.
Noise Cluster Distribution
| Profile | Count | % | Description |
|---|---|---|---|
| Diverse / unattributed | 109 | 76.8% | Catch-all — diverse global infrastructure, minimal shared features |
| XRUI web platform | 10 | 7.0% | nginx, MySQL, Express, BT Panel on 103.192.x.x |
| XRUI web variant | 6 | 4.2% | Port 888 (BT Panel) as distinguishing feature |
| XRUI AI+DB | 5 | 3.5% | Ollama smollm2:135m + MySQL 8.0.36 |
| XRUI database tier | 5 | 3.5% | MySQL 8.0.36 with full CVE set (71 vulns) |
| XRUI database-only | 2 | 1.4% | MySQL differentiated by vulnerability profile |
| XRUI AI+DB variant | 2 | 1.4% | Ollama + MySQL with distinct port profile |
| True outliers | 3 | 2.1% | XRUI infrastructure with qwen3-vl model loaded |
Even among the outliers, 33 of 142 IPs (23%) re-clustered into identifiable XRUI sub-patterns. The remaining 109 are the genuinely diverse infrastructure: the scattered Ollama endpoints we originally expected the entire dataset to be. Hobbyist labs, cloud test instances, miscellaneous deployments that the XRUI dominance overshadowed.
Similarity Groups: Infrastructure Cohesion Under the Noise
The similarity analysis found 30 groups of IPs sharing infrastructural features above a 0.6 threshold. Three stood out:
Similarity Group 5 (34 IPs, score 0.849) is the largest and most cohesive. All 34 in the 103.192.x.x range, sharing HTTP response hashes across ports 8083, 3000, 82, 80, and 443, the full XRUI port profile. Despite being classified as outliers by primary clustering, they share enough infrastructural DNA that similarity analysis groups them back together. XRUI infrastructure sitting between operational tiers: not different enough for clean classification, too similar to be genuinely diverse.
Similarity Group 2 (19 IPs, score 0.746) mixes XRUI addresses with non-XRUI infrastructure including IPs associated with Bergische Universitaet Wuppertal. Cross-organizational similarity like this is unusual, possibly the same web framework or template producing similar response hashes across unrelated operators.
Similarity Group 9 (16 IPs, score 0.675) is XRUI infrastructure sharing Ollama port (11434) hashes alongside the standard web stack. The AI-enabled outlier hosts that primary clustering couldn't assign to a single XRUI AI cluster.
The True Anomalies
Three IPs were classified as true outliers, outliers within the outliers: 103.192.40.147, 103.192.41.26 (both anomaly score 1.635), and 117.72.118.118 (score 0.0001). The first two are XRUI addresses running the full stack including qwen3-vl, but with configuration differences significant enough to resist classification at every level. Most likely undergoing active reconfiguration or serving a unique operational role.
The third, 117.72.118.118, is the interesting one. It shares XRUI features across multiple similarity groups but operates from a different ASN. A potential indicator that the operator's footprint extends beyond the core 103.192.x.x range.
The Dual-Provider Strategy
The operator doesn't keep everything on XRUI infrastructure. Four clusters, grouped by MySQL characteristics rather than Ollama or web features, sit on Amazon Data Services across multiple regions.
| Assets | Provider | Regions |
|---|---|---|
| 5 | Amazon Data Services | France, Japan, Hong Kong, Ireland, US |
| 4 | Amazon Data Services | India, US, Ireland, UAE |
| 3 | Mixed (Amazon India, A100 Row Inc, Amazon Technologies) | |
| 4 | Amazon Data Services India | India (50%) |
Every IP was discovered via the "Ollama is running" query: these Amazon assets had Ollama at the time of indexing. But
clustering used MySQL on port 3306 as the dominant identifying characteristic, with none of the web stack present on
XRUI clusters. The separation looks deliberate: web-facing infrastructure on XRUI's Hong Kong ASN, database backends on
Amazon's global network. The operator understands that co-locating everything on one provider creates a single point of
disruption.
It also creates a detection challenge. The XRUI clusters have highly specific profiles: compound fingerprints built from
15+ parameters. The Amazon database clusters are the opposite: their profiles reduce to something like port:3306,
matching millions of MySQL instances globally (the largest cluster maps to ~3.15 million Shodan results). The databases
hide in the noise while the web infrastructure stands out. Correlating the two is how you map the full network.
The Minimal-Feature Pool: 258 Assets Without Distinguishing Characteristics
Six clusters contain a combined 258 assets that the algorithm grouped together based on what they don't have: the rich feature sets found in operational XRUI clusters. They all came in through the Ollama query but lacked the specific combination of nginx, MySQL, Express, BT Panel, TLS certificates, and domain indicators that define the operational tiers.
The largest holds 160 assets, the single largest cluster and the only one rated Bad. ClusterHawk generates no Shodan queries for these clusters because there are no compound feature combinations to describe. The clustering signal comes from feature absence, not feature presence.
These likely represent:
- Minimal-service Ollama deployments: hosts running Ollama without the full web stack
- SEO IP pool: addresses provisioned for backlink diversity, consistent with XRUI's "Multiple Class C IPs" offering, with Ollama as a secondary service
- Recently provisioned infrastructure that isn't yet fully configured
- Hosts behind stricter firewalls, where Shodan captured the Ollama banner but couldn't enumerate additional services
The SEO interpretation aligns with XRUI's business model. Providers selling "Multiple Class C IPs for SEO" provision large address blocks for clients who need IP diversity for search engine manipulation. Some may run only basic services: their value is existing across different /24 subnets, not what they host.
Hypothesis Validation
We formulated hypotheses before running the analysis. Here's what the data said:
| Hypothesis | Pre-Analysis Confidence | Post-Analysis | Verdict |
|---|---|---|---|
| Managed Platform Leak — identical deployments from a SaaS/PaaS template | High | 85% | CONFIRMED — 13+ clusters share identical XRUI stack |
| Honeypots / Research — deception infrastructure contaminating the dataset | High | 100% | CONFIRMED — 919 assets (60%) flagged as honeypots |
| Hobbyist / Home Lab — residential ISPs, single small models | Medium | <5% | REFUTED — no residential ISPs, no hobbyist patterns |
| Developer / Startup Staging — cloud providers, Jupyter, monitoring tools | Medium | <10% | REFUTED — no Jupyter, no Grafana, no dev tooling |
| Compromised / Weaponized — bulletproof hosting, proxy farms, modified banners | Low | 30% | INCONCLUSIVE — no malicious indicators, but exposure is real |
Managed Platform Leak was the clear winner, and the surprise. We expected it as one pattern among many. Instead it dominates. One hosting provider's deployment template, pushed uniformly across hundreds of assets, creating a fingerprint so consistent it became its own detection signature.
Detection Engineering
One operator, one stack, one domain. The detection surface is narrow and well-defined.
Rule 1: XRUI TLS Fingerprint (HIGH Confidence)
title: XRUI Infrastructure TLS Fingerprint Detection
description: Detect TLS connections matching XRUI operational infrastructure
detection:
selection:
tls.ja3s: "574866101f64002c6421cc329e4d5458"
tls.jarm: "3fd3fd0003fd3fd21c42d42d000000bdfc58c9a46434368cf60aa440385763"
condition: all of selection
fields:
- destination.ip
- tls.certificate.subject
note: >
High specificity — this TLS combination is characteristic of the XRUI deployment template. Covers all operational XRUI
clusters. Detection confidence: 85%. Any hit is highly likely XRUI infrastructure.
Rule 2: XRUI HTTP Fingerprint (HIGH Confidence)
title: XRUI Web Platform HTTP Detection
description: Detect HTTP responses matching XRUI web infrastructure
detection:
selection:
http.headers_hash: 1245094173
http.favicon.hash: -1095953614
http.robots_hash: 1330548294
destination.port: [80, 443, 82]
condition: selection
note: >
High specificity — compound HTTP fingerprint characteristic of XRUI web platform. Complements Rule 1 for environments
without TLS inspection.
Rule 3: Exposed Ollama API (HIGH Confidence)
title: Ollama AI API Exposure Detection
description: Detect connections to exposed Ollama inference endpoints
detection:
selection:
destination.port: 11434
http.status: 200
filter_local:
destination.ip: ["127.0.0.1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
condition: selection and not filter_local
note: >
Broader than XRUI-specific — covers any exposed Ollama endpoint. Combine with Rule 1 for XRUI attribution.
Rule 4: BT Panel Management Interface (MEDIUM Confidence)
title: BT Panel Management Interface Detection
description: Detect BT Panel management interfaces
detection:
selection:
destination.port: 888
http.status: 403
http.title_hash: -1030444411
condition: selection
note: >
Covers XRUI web-serving clusters. Indicates Chinese-managed server infrastructure.
Rule 5: wo2u.com Domain Tracking (HIGH Confidence)
title: wo2u.com Domain Activity Detection
description: Monitor DNS and certificate usage for wo2u.com
detection:
selection_dns:
dns.question.name: ["wo2u.com", "www.wo2u.com"]
selection_cert:
tls.certificate.subject.cn: "wo2u.com"
tls.certificate.issuer.cn: "R13"
condition: selection_dns or selection_cert
note: >
Primary domain across all operational clusters. Watch Certificate Transparency logs for renewal ~March 20-29.
Hunting Procedure
XRUI Infrastructure Hunt:
1. BASELINE
TLS: JA3S 574866101f64002c6421cc329e4d5458
JARM 3fd3fd0003fd3fd21c42d42d000000bdfc58c9a46434368cf60aa440385763
HTTP: headers_hash 1245094173, favicon_hash -1095953614, robots_hash 1330548294
Domain: wo2u.com | Certificate issuer: R13 (Let's Encrypt)
Ports: 80, 82, 443, 888, 3000, 3306, 8083, 11434
2. DETECTION DEPLOYMENT
Deploy Rules 1-5 above
Alert on any combination of 3+ matching fingerprints
Monitor Ollama API (11434) connections from external networks
3. EXPANSION TRACKING
Search for new assets in 103.192.40-43.x range
Monitor Let's Encrypt CT logs for wo2u.com renewals
Track AS153494 for new IP allocations
4. CROSS-CLUSTER CORRELATION
MySQL hash 880948174 links AI, web, and outlier clusters
Ollama model configs link all AI inference clusters
BT Panel (port 888) links all web-serving clusters
MITRE ATT&CK Mapping
| Technique | ID | Evidence | Confidence |
|---|---|---|---|
| Acquire Infrastructure: VPS | T1583.003 | XRUI TECHNOLOGY LIMITED (AS153494) used across 13+ clusters; markets "Dedicated Server for SEO experts" | HIGH |
| Exploit Public-Facing Application | T1190 | MySQL 8.0.36 with 71 CVEs (avg EPSS 0.32); Ollama CVE-2025-15514 (EPSS 0.43) | HIGH |
| External Remote Services | T1133 | Port 3306 exposed on 59+ outlier hosts; port 11434 on 35+ hosts | HIGH |
| Application Layer Protocol: Web | T1071.001 | nginx reverse proxy on ports 80/443/82/888/8083; Express/Node.js on 3000 | MEDIUM |
| Obtain Capabilities: Tool | T1588.002 | Ollama 0.13.0 deployed uniformly with qwen3-vl model | MEDIUM |
| Web Service | T1102 | wo2u.com as consistent operational domain; Let's Encrypt automation | MEDIUM |
Defensive Recommendations
For All Roles
CRITICAL:
- Deploy TLS fingerprint detection (JA3S + JARM) for real-time monitoring: covers 80%+ of operational XRUI assets with high confidence
- Block or alert on connections to port 11434 (Ollama API) from untrusted networks
HIGH:
- Monitor
wo2u.comdomain resolution and certificate issuance via CT logs - Track favicon hash
-1095953614in HTTP responses across all web clusters
For Threat Hunters
- Start with the TLS fingerprint (Rule 1), a high-confidence XRUI indicator
- Hunt for Ollama API endpoints serving qwen3-vl and smollm2:135m models
- Investigate the 31 CRITICAL anomalous IPs, outliers that don't fit stable patterns
- Cross-reference MySQL hash
880948174across network telemetry - Watch for new infrastructure in the 103.192.40-43.x range
For SOC Analysts
- Deploy Rules 1-5 for automated alerting
- Monitor HTTP 403 responses on port 888 with title hash
-1030444411, a BT Panel indicator - Alert on TLSv1.3 connections with certificate subject
wo2u.comand issuerR13
For Intelligence Analysts
- Track AS153494 infrastructure expansion and new prefix announcements
- Correlate qwen3-vl model deployment patterns with emerging LLMjacking campaigns
- Monitor
wo2u.comregistration changes and new subdomain creation - Certificate rotation expected ~March 20-29: watch for infrastructure refresh patterns
How ClusterHawk Surfaced This
The input was a list of 1,531 IPs. Everything after that was automatic.
ClusterHawk took the raw IP list and, without human tuning, feature selection, or threshold adjustment, produced the entire analytical foundation behind this article: honeypot filtering, ensemble clustering, quality assessment, anomaly detection, noise re-analysis, similarity grouping, compound detection signature generation. The 27 clusters, the five operational tiers, the 31 anomalous IPs, the coherent sub-groups in the noise, the dual-provider infrastructure separation: all of it came out of the pipeline.
A Shodan query for org:"XRUI TECHNOLOGY LIMITED" returns the hosts. What it doesn't tell you is that those hosts
operate in 27 distinct deployment configurations, that 142 outliers still contain 23% identifiable XRUI sub-patterns,
that 4 database clusters on Amazon infrastructure are operationally linked to the web fleet, or that 31 non-XRUI IPs
show coherent clustering instability suggesting separate operators. ClusterHawk separated what looked like uniform
infrastructure into distinct operational tiers, each with its own detection signature, automatically.
What the pipeline delivered:
- Honeypot filtering: 919 deception assets identified and excluded with 100% confidence, before clustering
- 27 cluster profiles, each with compound infrastructural fingerprints (up to 15+ parameters) for matching new infrastructure
- Quality assessment: per-cluster stability and separation scoring, flagging the single Bad-rated catch-all
- Noise re-clustering: 142 outlier IPs re-analyzed into 8 sub-clusters and 30 similarity groups
- Anomaly scoring: 31 critical IPs flagged for neighbor instability across clustering runs
- Detection signatures: compound Shodan queries generated per cluster, ready for deployment
The analysis ran at two independent tiers, INTERMEDIATE and ADVANCED, and both converged on the same findings: same XRUI dominance, same 31 anomaly count, same infrastructure patterns. Different configurations, same conclusions. That convergence is the validation.
ClusterHawk is Chawkr's infrastructure clustering platform. Learn more at clusterhawk.chawkr.com.
IOCs
Fingerprints
| Type | Value |
|---|---|
| JA3S | 574866101f64002c6421cc329e4d5458 |
| JARM | 3fd3fd0003fd3fd21c42d42d000000bdfc58c9a46434368cf60aa440385763 |
| Favicon Hash | -1095953614 |
| Headers Hash | 1245094173 |
| Robots Hash | 1330548294 |
| MySQL Hash | 880948174 |
| BT Panel Title Hash | -1030444411 |
| Domain | wo2u.com / www.wo2u.com |
| ASN | AS153494 (XRUI TECHNOLOGY LIMITED) |
Top Anomalous IPs (Highest Priority)
These IPs exhibited extreme clustering instability, assets that don't fit any stable infrastructure pattern:
46.4.104.83
16.52.157.76
51.16.40.30
131.100.25.162
3.17.173.171
180.102.134.42
18.169.162.191
177.71.167.32
98.93.255.189
3.12.148.157
Note: The anomaly list is dominated by non-XRUI infrastructure: AWS, Hetzner, Alibaba Cloud, regional providers. These are Ollama-hosting IPs that don't fit the dominant patterns. Several form coherent sub-groups with identical clustering behavior, suggesting shared deployment templates from other operators. The XRUI infrastructure itself is highly stable: TLS and HTTP fingerprints remain the durable detection anchors.
Conclusion
175,000 exposed Ollama endpoints make a large attack surface. What makes this subset actionable is that it's identifiable. One Hong Kong hosting provider, a uniform software stack, a Chinese sports forum, and an unauthenticated AI inference layer across all of it, profiled into compound detection signatures built from 15+ parameters. The 60% honeypot rate tells us this surface is already under active observation. The detection signatures here give defenders a way to do something about it.
XRUI TECHNOLOGY LIMITED isn't an APT. It's not a botnet. It's a commercial web hosting operation that bolted AI inference onto its existing platform without securing it, creating the largest identifiable cluster of exposed Ollama infrastructure we've found under a single operator. The attack chain (unauthenticated Ollama API to MySQL exploitation to BT Panel escalation) is documented above. Five detection rules, TLS fingerprints, HTTP hashes, and domain indicators are ready for deployment.
Even the outliers held up. When we re-clustered the 142 IPs that primary analysis couldn't cleanly classify, 23% grouped
back into XRUI sub-patterns. Similarity Group 5 (34 IPs, score 0.849) showed the same port profile, same HTTP hashes,
same wo2u.com domain. Infrastructure too noisy for primary clustering was still too XRUI to be anything else. The
profiles are durable.
One JA3S. One JARM. One domain. One operator. The certificates expire March 29. Deploy the rules now, and track the renewal.
Sources
-
Sysdig: LLMjacking: Stolen Cloud Credentials Used in New AI Attack (2024) https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
-
Pillar Security: Operation Bizarre Bazaar: First Attributed LLMjacking Campaign with Commercial Marketplace Monetization (2024) https://www.pillar.security/blog/operation-bizarre-bazaar-first-attributed-llmjacking-campaign-with-commercial-marketplace-monetization
-
SentinelLabs & Censys: Silent Brothers: Ollama Hosts Form Anonymous AI Network Beyond Platform Guardrails (January 2026) https://www.sentinelone.com/labs/silent-brothers-ollama-hosts-form-anonymous-ai-network-beyond-platform-guardrails/
-
Censys: Ollama Drama: Investigating the Prevalence of Ollama Open Instances (September 2025) https://censys.com/blog/ollama-drama-investigating-the-prevalence-of-ollama-open-instances-with-censys/
-
NVD: CVE-2025-15514: Ollama Null Pointer Dereference (2025) https://nvd.nist.gov/vuln/detail/CVE-2025-15514
-
NVD: CVE-2024-37032: Ollama Path Traversal (Probllama) (2024) https://nvd.nist.gov/vuln/detail/CVE-2024-37032
-
Ollama GitHub: Security Advisory: Model Registry Path Traversal (2024) https://github.com/ollama/ollama/security
-
MITRE ATT&CK: Resource Development: Acquire Infrastructure https://attack.mitre.org/techniques/T1583/
