Infected files on mns.mu?

Last week a friend showed me something that questioned his mind while he was looking for some information on the Mauritius Network Services website. He came across this « downloads » folder that listed a bunch of files, some of which that appeared suspicious.

mns-mu-downloads_fullsize

Directory listing at mns.mu/downloads

Mauritius Network Services - Web Security Practices

Already having "Directory Listing" (Options +Indexes) enabled in Apache isn't recommended.

Among the files one would find several PDF documents that trigger no alarm but the presence of decomp.sql made me wonder.

mns-mu-sql

Why should that file be accessible from the Internet? Its content appears as follows:

UPDATE T_HS_DUTAX SET DT_ORDER = 15 WHERE HS_CODE IN  ('84211210', '84211290') AND DUTAX_CODE = '07';

DELETE FROM T_HS_ATTDOC WHERE HS_CODE = '16041300' AND ATTDOC_CODE = 'P01';

COMMIT;

DISCONNECT ALL;

EXIT;

In the past I wrote about various practices as employed by MNS and I also had a few emails to & fro (MNS) while I copied some of those discussions to the Mauritius Internet Users mailing list. The aim was to question the practices and highlight its dangers.

As it appears from the contents of this « downloads » folder, I could still question the practices of MNS.

There is one BUDGETJAN2014.EXE file which I scanned using VirusTotal and the result was as follows:

mns-mu-file-scan-results

Based on the above, could mns.mu be hosting infected files? I leave the full investigation to Internet users making use of the website.


More info regarding the detected trojan can be found here, Virus Profile: Artemis!10A4D2BC47D8


Update #1

An Internet user on the Mauritius Internet Users mailing list confirmed the presence of Malware in at least four executable files (.exe). I therefore flag this as a security incident and emailed CERT-MU.


Share this post