Last week a friend showed me something that puzzled him while he was looking for some information on the Mauritius Network Services website. He came across a « downloads » folder that listed a bunch of files, some of which appeared suspicious.
Mauritius Network Services - Web Security Practices
To begin with, having directory listing (Options +Indexes) enabled in Apache isn't recommended: it exposes every file in the folder, including those that were never meant to be found.
Among the files one would find several PDF documents that trigger no alarm, but the presence of decomp.sql made me wonder.
Why should that file be accessible from the Internet? Its content appears as follows:
UPDATE T_HS_DUTAX SET DT_ORDER = 15 WHERE HS_CODE IN ('84211210', '84211290') AND DUTAX_CODE = '07';
DELETE FROM T_HS_ATTDOC WHERE HS_CODE = '16041300' AND ATTDOC_CODE = 'P01';
COMMIT;
DISCONNECT ALL;
EXIT;
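The fix for both problems (the listing and the stray files) lives in the web server configuration. The fragment below is an added example, not MNS's configuration nor anything taken from the site; the virtual host name and the /var/www/html/downloads path are assumptions. It shows the weak setting that produces an "Index of" page next to the corrected one, and additionally refuses to serve file types that have no business in a public downloads folder, so a forgotten dump or binary is not reachable even if it is left on disk.

```apache
# Added example (assumed vhost and paths), Apache httpd 2.4 syntax.
<VirtualHost *:443>
    ServerName www.example.mu
    DocumentRoot /var/www/html

    # Weak setting: this is what makes Apache enumerate every file in the
    # folder when a browser asks for /downloads/ without a file name.
    #
    #   <Directory /var/www/html/downloads>
    #       Options +Indexes
    #   </Directory>

    # Corrected setting for the same directory.
    <Directory /var/www/html/downloads>
        # No automatic index; a request for the bare directory now gets 403
        # (or the DirectoryIndex file, if one exists) instead of a file list.
        Options -Indexes

        # Defence in depth: refuse database dumps, executables and backup
        # copies outright, regardless of how they ended up in the folder.
        # (?i: ...) makes the match case-insensitive, so BUDGET.EXE is covered.
        <FilesMatch "\.(?i:sql|exe|bak|old|zip|tar|gz)$">
            Require all denied
        </FilesMatch>
    </Directory>
</VirtualHost>
```

After reloading httpd, a request for the folder itself (for example with curl -I against /downloads/) should return 403 rather than 200 with an "Index of" body, and a request for any .sql or .exe under it should return 403 as well, while the PDFs keep working. On httpd 2.2 the Require directive is replaced by "Deny from all" inside the FilesMatch block. The real remedy is still to remove files that do not belong on a public web server; the configuration only limits the damage when that housekeeping is missed.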
In the past I wrote about various practices employed by MNS, and I also exchanged a few emails with MNS, some of which I copied to the Mauritius Internet Users mailing list. The aim was to question those practices and highlight their dangers.
As the contents of this « downloads » folder show, the practices of MNS still warrant questioning.
There is one BUDGETJAN2014.EXE file, which I scanned using VirusTotal; the result was as follows:
Based on the above, could mns.mu be hosting infected files? I leave the full investigation to Internet users making use of the website.
More info regarding the detected trojan can be found here: Virus Profile: Artemis!10A4D2BC47D8
An Internet user on the Mauritius Internet Users mailing list confirmed the presence of malware in at least four executable files (.exe). I therefore flagged this as a security incident and emailed CERT-MU.