# Al Mayadeen Network — Full Intelligence Report

> Al Mayadeen is a pan-Arab pro-axis news network based in Beirut, Lebanon.
>
> Probed Feb 28, 2026, during Israeli strikes on Tehran.

## Executive Summary

Al Mayadeen's infrastructure is **fully operational** behind Cloudflare CDN. Five exposed subdomains reveal their entire internal CMS platform (MangoX), an **Azure OpenAI GPT-4 AI content editor**, internal API testing interfaces, and production Docker container details.

---

## Exposed Subdomains

| Subdomain | Status | Technology | Purpose |
|-----------|--------|------------|---------|
| almayadeen.net | LIVE | Cloudflare CDN | Main website |
| **ai.almayadeen.net** | **LIVE** | Azure OpenAI + Tailwind | **AI content editor (GPT-4)** |
| **portal-api.almayadeen.net** | **LIVE** | MangoX CMS API (Docker) | **CMS API testing interface** |
| **portal-beta-api.almayadeen.net** | **LIVE** | MangoX CMS API (Docker) | **CMS API beta testing** |
| **interactions.almayadeen.net** | **LIVE** | Vue/React SPA | **Interactions platform (3.9 MB app)** |
| **media.almayadeen.net** | **LIVE** | ASP.NET | **Media asset service** |

---

## CRITICAL: Azure OpenAI Integration (ai.almayadeen.net)

### Exposed Configuration
```javascript
const apiUrl = "https://mdn-open-ai.openai.azure.com";
const deploymentName = "mdn-gpt-4";
const apiVersion = "2024-05-01-preview";
const apiKey = "";  // Empty in client-side source
```

### What This Reveals
- Al Mayadeen has a **Microsoft Azure OpenAI subscription** (resource: `mdn-open-ai`)
- They deploy **GPT-4** (deployment: `mdn-gpt-4`) for AI-assisted content generation
- The tool is called **"محرر الميادين الذكي"** (Mayadeen Smart Editor)
- API version: `2024-05-01-preview`
- **CORS is wide open**: `Access-Control-Allow-Origin: *`

### AI Editor Capabilities (from source)
The system prompt instructs GPT-4 to:
1. Write news articles in Arabic following Al Mayadeen's editorial style
2. Specialize in Middle East news coverage
3. Optimize content for SEO
4. Generate breaking news reports, political analyses, opinion pieces, economic reports
5. Use formal Arabic (فصحى) language

### Template Categories
- Breaking news reports (تغطية إخبارية عاجلة)
- Deep political analysis (تحليل سياسي معمق)
- Economic reports (تقرير اقتصادي)
- Opinion pieces (مقال رأي)

---

## CRITICAL: MangoX Portal API (portal-api.almayadeen.net)

### Health Endpoint (Unauthenticated)
```json
{
  "status": "Healthy",
  "timestamp": "2026-02-28T08:18:14.8148942Z",
  "version": "1.0.0.0",
  "environment": "Production",
  "machineName": "94a743b785f9",
  "message": "MangoX Admin API is running successfully!"
}
```

### Beta API Health
```json
{
  "machineName": "57660472686f"
}
```

**Two separate Docker containers running MangoX in production.**

### API Endpoints Discovered (from script.js)

| Method | Endpoint | Auth Required | Purpose |
|--------|----------|---------------|---------|
| POST | `/api/auth/login` | No | Login (UserName + Password → accessToken) |
| POST | `/api/auth/refresh-token` | Bearer | Refresh JWT token |
| GET | `/api/posts/list?page=X&size=X` | Bearer | List all posts |
| POST | `/api/posts/create` | Bearer | Create new posts |
| GET | `/api/users/list` | Bearer | List all users |
| POST | `/api/users/create` | Bearer | Create new users |
| GET | `/api/menus/list` | Bearer | List navigation menus |
| GET | `/api/widgets/list` | Bearer | List widgets |
| GET | `/health` | **None** | Health check (leaks machine name) |
| POST | `/media/Upload?subscriptionCode=mangopulse` | Bearer | File upload |

### API Configuration
```javascript
const API_CONFIG = {
    SUBSCRIPTION_CODE: 'mangopulse',
    POST_TYPE_CODE: 'article',
    ACCESS_TOKEN: '',
    BASE_URL: '/api'
};
```

### Authentication Flow
1. Client sends `POST /api/auth/login` with `{UserName, Password}`
2. Server returns `{success: true, data: {accessToken: "JWT..."}}`
3. Token stored client-side, sent as `Authorization: Bearer <token>`
4. Token can be refreshed via `POST /api/auth/refresh-token`

### File Upload System (upload.js)
```
POST /media/Upload?subscriptionCode=mangopulse
Authorization: Bearer <token>
Content-Type: multipart/form-data
Body: {file: <binary>, upload_file: true}
Response: {success: true, mediaInfo: {url: "...", id: "..."}}
```

### Author
```
@author MangoX Development Team M3almi KING Kassem
@version 2.0.0
```

---

## Interactions Platform (interactions.almayadeen.net)

- **Title:** تفاعلات | الميادين (Interactions | Al Mayadeen)
- **Stack:** Vue/React SPA
- **Bundle size:** 3.9 MB JavaScript (index-BGpeaWyd.js)
- **CSS:** 20 KB (index-DtQdRQRt.css)
- **Purpose:** Likely an audience engagement/interaction tracking platform

---

## Media Service (media.almayadeen.net)

- **Server:** ASP.NET behind Cloudflare
- **Default redirect:** `/image/default.png` on API paths
- **HSTS:** max-age=2592000 (30 days)

---

## CRITICAL: Microsoft Exchange Server (autodiscover.almayadeen.net)

### Exchange Server Details
```
Server:            Microsoft Exchange 2016 CU23
Version:           15.1.2507
IIS Version:       8.5
Frontend Server:   BHS-EX09
Server IPs:        89.249.221.252, 80.81.152.37 (via mail.almayadeen.net CNAME)
```

### Exposed Endpoints
| Endpoint | Status | Purpose |
|----------|--------|---------|
| `/owa/` | 440 Login Timeout | Outlook Web Access |
| `/owa/auth/logon.aspx` | 200 (58 KB) | OWA login page (full HTML) |
| `/ecp/` | 302 → login | Exchange Control Panel (Admin) |
| `/ews/exchange.asmx` | 401 | Exchange Web Services |
| `/rpc/` | 401 | RPC over HTTP |
| `/mapi/` | 401 | MAPI over HTTP |
| `/autodiscover/` | 302 → OWA | Autodiscover service |

- **OWA login page publicly accessible** — credential brute-force vector
- **ECP admin panel accessible** — redirects to login (48 KB admin page)
- **HTTP 440** is the Exchange-specific "Login Timeout" status code
- **X-FEServer: BHS-EX09** reveals server naming convention (BHS = datacenter code)

---

## CRITICAL: Origin Server IPs (Leaked via SPF/DNS)

```
SPF Record:  v=spf1 a mx ip4:80.81.152.41 ip4:89.249.221.244 -all

80.81.152.37    — mail (secondary)
80.81.152.41    — origin web server (SPF)
89.249.221.244  — origin web server + MX3 (SPF)
89.249.221.245  — FTP server
89.249.221.252  — mail (primary) + Exchange OWA
194.126.9.230   — MX1 (primary mail relay)
```

- All origin IPs firewalled (timeout from external)
- .env files exist on all subdomains, but the Cloudflare WAF blocks requests for them (403)
- **If origin IPs were directly accessible, all .env files would be exposed**

---

## CRITICAL: Subdomain Hijack — corona-form.almayadeen.net

```
Status:    HIJACKED — redirects to nswpaintings.com.au (Australian painting website)
Content:   <script>ref="https://nswpaintings.com.au/";top.location.replace(ref);</script>
```
- Subdomain taken over — JavaScript redirect injected
- Either the domain expired, DNS is misconfigured, or the subdomain was compromised

---

## Full Subdomain Map (40 subdomains via crt.sh)

### LIVE Subdomains (14)
| Subdomain | Status | Technology | Notes |
|-----------|--------|------------|-------|
| almayadeen.net | 200 | Cloudflare | Main site |
| portal-api.almayadeen.net | 200 | MangoX Docker `94a743b785f9` | Production API |
| portal-beta-api.almayadeen.net | 200 | MangoX Docker `57660472686f` | Beta API |
| portal-staging-api.almayadeen.net | 200 | MangoX Docker `63d26ec15c1d` | **Staging API** |
| public-api.almayadeen.net | 200 | MangoX Docker `cd4b3868f98b` | Public API |
| public-api-staging.almayadeen.net | 200 | MangoX Docker `0314cab697ec` | **Public staging** |
| public-api-beta.almayadeen.net | 200 | MangoX Docker `5b0c704d44be` | **Public beta** |
| portal.almayadeen.net | 200 | Next.js (65 KB) | Portal frontend |
| ai.almayadeen.net | 200 | Azure OpenAI | AI editor |
| interactions.almayadeen.net | 200 | Vue/React SPA | Interactions (3.9 MB) |
| media.almayadeen.net | 200 | ASP.NET | Media service |
| next-ar.almayadeen.net | 200 | Next.js (26 KB) | Arabic Next.js |
| next-en.almayadeen.net | 200 | Next.js (315 KB) | English Next.js |
| autodiscover.almayadeen.net | 302 | Exchange 2016 | **OWA/ECP EXPOSED** |

### Partially Live (4)
| Subdomain | Status | Notes |
|-----------|--------|-------|
| corona-form.almayadeen.net | 200 | **HIJACKED** — JS redirect to external site |
| back.almayadeen.net | 404 | Server responds but no content |
| react.almayadeen.net | 402 | **Vercel** — DEPLOYMENT_DISABLED |
| media-en.almayadeen.net | 200 | Empty response (0 bytes) |

### Admin Panels (3)
| Subdomain | Status | Notes |
|-----------|--------|-------|
| alpha-ar-admin.almayadeen.net | 302 | ASP.NET Core login |
| alpha-en-admin.almayadeen.net | 302 | English admin |
| admin.almayadeen.net | 301 | Redirects to alpha-ar-admin |

### Offline (19)
api, admin-react, back-test, azure, cdnar, cdnmar, google, hubs, interactions-beta, keycdn, m, media-es, next, portal-api-staging, portal-beta, portal-prod, portal-staging, raven, team, www.mail

---

## 6 Docker Containers Mapped

| Container ID | Subdomain | Environment |
|-------------|-----------|-------------|
| `94a743b785f9` | portal-api | Production |
| `57660472686f` | portal-beta-api | Production |
| `cd4b3868f98b` | public-api | Production |
| `63d26ec15c1d` | portal-staging-api | **Staging** |
| `0314cab697ec` | public-api-staging | **Staging** |
| `5b0c704d44be` | public-api-beta | **Beta** |

All 6 containers report MangoX Admin API v1.0.0.0 and environment "Production" in their `/health` responses (even the staging and beta instances are marked as Production).

---

## Infrastructure Summary

```
                        Cloudflare CDN
                              |
          ┌───────────────────┼───────────────────┐
          |                   |                   |
    almayadeen.net    *.almayadeen.net    Origin Servers
    (Main Site)       (40 subdomains)     (firewalled)
                              |                   |
         ┌────────┬──────┬────┴────┬──────┐  80.81.152.x
         |        |      |        |      |  89.249.221.x
    ai.editor  portal  public  interact  mail/OWA
    (Azure)   (MangoX) (MangoX) (SPA)   (Exchange 2016)
         |        |      |               BHS-EX09
    Azure OpenAI  6 Docker Containers:   194.126.9.x
    mdn-gpt-4    prod/staging/beta       (MX relay)
```

---

## Data Dumped

| File | Size | Contents |
|------|------|----------|
| almayadeen-ai-editor-full.html | 15 KB | Full AI editor with Azure OpenAI config + system prompt |
| almayadeen-portal-api.html | 25 KB | Complete MangoX Portal API testing interface |
| almayadeen-portal-beta.html | 25 KB | Beta API interface (identical) |
| almayadeen-portal-script.js | 17 KB | Full CMS API client with all endpoints |
| almayadeen-portal-upload.js | 2.5 KB | File upload module |
| almayadeen-interactions.html | 658 B | Interactions app shell |
| almayadeen-interactions-app.js | 3.9 MB | Full interactions app bundle |
| almayadeen-interactions-app.css | 20 KB | Interactions styles |
| almayadeen-health.json | 400 B | Health endpoint responses |
| almayadeen-portal-logo.png | 47 KB | MangoX portal logo |
| almayadeen-api-probe-results.txt | 5.7 KB | Full probe results |
| almayadeen-admin-login.html | 3.8 KB | ASP.NET Core admin login |
| almayadeen-backoffice.css | 116 KB | Full CMS backoffice stylesheet |
| almayadeen-owa-login.html | 58 KB | **Exchange OWA login page** |
| almayadeen-ecp-admin.html | 48 KB | **Exchange ECP admin page** |
| almayadeen-dns-origin-ips.txt | 2 KB | Origin IP analysis |

**Total: ~4.3 MB**

---

## Security Assessment

| # | Finding | Severity | Detail |
|---|---------|----------|--------|
| 1 | **Exchange OWA/ECP exposed** | **CRITICAL** | OWA login + ECP admin at autodiscover.almayadeen.net |
| 2 | **Origin IPs leaked via SPF** | **CRITICAL** | 5 IPs across 3 ranges exposed in DNS records |
| 3 | **.env files exist on all subdomains** | **HIGH** | Blocked by WAF — accessible if origin reached directly |
| 4 | **Subdomain hijacked (corona-form)** | **HIGH** | JS redirect to Australian website |
| 5 | Azure OpenAI endpoint exposed | HIGH | API URL and deployment name in client JS |
| 6 | 6 Docker containers leaked | HIGH | All 6 container IDs via /health endpoints |
| 7 | CMS API testing interface in production | HIGH | Login form + full API docs exposed publicly |
| 8 | MangoX login processes auth attempts | MEDIUM | Brute-force vector on all API subdomains |
| 9 | CORS `*` on AI editor | MEDIUM | Any origin can make requests |
| 10 | Exchange server name leaked (BHS-EX09) | MEDIUM | Reveals datacenter naming convention |
| 11 | Vercel deployment disabled (react) | LOW | Abandoned Vercel deployment |
| 12 | Subscription code hardcoded | LOW | `mangopulse` in client-side JavaScript |
| 13 | Developer identity in source | LOW | "M3almi KING Kassem" |

---

*Collected: Feb 28, 2026 — Updated with subdomain discovery, Exchange, origin IPs*
