# MASTER OSINT REPORT — Mexican .git Exposure Campaign

**Date:** 2026-02-20

**Analyst Notes:** Three Mexican domains found with exposed `.git/` directories on production webservers. All three were dumped using git-dumper via Python 3.13. Full file extraction completed on uaem.mx (11,605 files, including hardcoded database and email credentials).

---

## Executive Summary

Three exposed `.git/` directories were identified and extracted from Mexican websites spanning private media, state law enforcement, and public education. Combined findings reveal systemic security failures: manual root-level git deployments, absent security tooling, leaked internal infrastructure details, exposed developer identities, **hardcoded production database credentials**, and **SMTP email credentials** — all recovered directly from source code.

| # | Domain | Sector | Data Recovered | Size | Key Finding |
|---|--------|--------|----------------|------|-------------|
| 1 | **mvs.com** | Private media conglomerate | Full source code (complete checkout) | 13 MB | Bitbucket workspace `mvsradio`, employee + contractor PII |
| 2 | **fiscalia.durango.gob.mx** | State prosecutor's office | Git metadata only (objects 404'd) | 669 KB | Internal Git server IP `10.1.4.194:8085`, 24-agency platform |
| 3 | **uaem.mx** | Public university | **11,605 files extracted from packs** | 960 MB | **Hardcoded MySQL + SMTP credentials**, payroll data, staff directories, student PII database |

---

## Local File Locations

| Target | Local Path |
|--------|-----------|
| MVS Report | `C:\Users\Squir\Desktop\MEXICO\V A U L T\OSINT Reports\01-MVS-COM.md` |
| MVS Raw Data | `C:\Users\Squir\Desktop\MEXICO\V A U L T\mvs.com\` |
| Fiscalia Report | `C:\Users\Squir\Desktop\MEXICO\V A U L T\OSINT Reports\02-FISCALIA-DURANGO.md` |
| Fiscalia Raw Data | `C:\Users\Squir\Desktop\MEXICO\V A U L T\fiscalia.durango.gob.mx\` |
| UAEM Report | `C:\Users\Squir\Desktop\MEXICO\V A U L T\OSINT Reports\03-UAEM-MX.md` |
| UAEM Raw Data | `C:\Users\Squir\Desktop\MEXICO\V A U L T\uaem.mx\` |
| **Credentials Master** | `C:\Users\Squir\Desktop\MEXICO\V A U L T\OSINT Reports\04-CREDENTIALS.md` |
| This Report | `C:\Users\Squir\Desktop\MEXICO\V A U L T\OSINT Reports\00-MASTER-REPORT.md` |

---

## Personnel Identified (All Targets)

| Name | Email | Organization | Platform | Role |
|------|-------|-------------|----------|------|
| Alfredo Gonzalez | `agonzalez@mvs.com` | Grupo MVS | Bitbucket (`agonzalez_`) | Internal DevOps, deployer |
| Noe/Alan Olvera | `olvera.alan@gmail.com` | Contractor for MVS | Bitbucket | Frontend developer |
| Alejandro Paredes | *(no email recovered)* | Durango State Gov | Gitea (`Alejandro.paredes`), GitLab (`devgob`) | Lead dev, root access |
| Rafael Fragoso | `rafael.fragoso@uaem.mx` | UAEM University | GitHub (`norgoth`), alias `GGakko` | Lead dev, root access |

### Additional Institutional Emails (uaem.mx — from source code)

| Email | System | Purpose |
|-------|--------|---------|
| `constancias.facdisenio@uaem.mx` | SMTP sender (Gmail relay) | Automated certificate request emails |
| `sescolaresdiseno@uaem.mx` | Certificate system recipient | School services office for Faculty of Design |

---

## Credentials Recovered

**See full credentials report:** `04-CREDENTIALS.md`

### Summary

| Target | Type | Host | Username | Password | Database/Service |
|--------|------|------|----------|----------|-----------------|
| **uaem.mx** | MySQL (PDO) | `www.uaem.mx` | `facdisenousr` | `LXN*j@9nmVmN` | `consfacdiseno` |
| **uaem.mx** | SMTP (Gmail) | `smtp.gmail.com:465` | `constancias.facdisenio@uaem.mx` | `Cons_facDisenio9102` | Google Workspace |

### Credentials Known to Exist (Not Recovered)

| Target | Item | Status |
|--------|------|--------|
| uaem.mx | `html/cedulas/.env` | On server, excluded from git — likely contains Laravel DB credentials |
| uaem.mx | `titulos-uaem/.env` | On server (vim swap file leaked) — degree system secrets |
| uaem.mx | `.bash_history` | On server — may contain credentials typed in CLI |
| uaem.mx | `.ssh/` directory | On server — SSH private keys |
| fiscalia | `wp-config.php` | On server, excluded from git — WordPress DB credentials |
| mvs.com | None | No backend, pure static site |

---

## Infrastructure Discovered

### Code Hosting Platforms

| Platform | Workspace/Group | Repo | Domain |
|----------|----------------|------|--------|
| Bitbucket | `mvsradio` | `grupo_mvs_v2_landing` | mvs.com |
| GitLab | `devgob` | `mw-red-de-sitios` | fiscalia.durango.gob.mx |
| GitHub | `norgoth` | `uaem2023` | uaem.mx |

### Internal Infrastructure

| IP/Host | Port | Service | Source |
|---------|------|---------|--------|
| `10.1.4.194` | 8085 | Gitea/Gogs (internal Git) | fiscalia.durango.gob.mx .git/config |
| `webdurangonuevo.(none)` | — | Production webserver (no FQDN) | fiscalia reflog |
| `www.uaem.mx` | 3306 | MySQL (production) | uaem.mx source code |
| `smtp.gmail.com` | 465 | Google Workspace email relay | uaem.mx source code |

### All Repos Are Private

All three upstream repositories (GitHub, GitLab, Bitbucket) are private. The data was recovered exclusively from the exposed `.git/` directories on the production webservers, not from the hosting platforms.

---

## Common Vulnerability Pattern

All three targets share the same root cause and deployment anti-pattern:

```
Developer runs: git clone /var/www/html/
Developer runs: git pull (repeatedly, to "deploy")
Result: .git/ directory is publicly accessible via HTTPS
```

| Vulnerability | mvs.com | fiscalia | uaem.mx |
|--------------|---------|----------|---------|
| `.git/` exposed | YES | YES | YES |
| Deployed as root | Unknown | YES | YES |
| No CI/CD (manual pull) | YES | YES | YES |
| No `.git/` access restriction | YES | YES | YES |
| No security plugins/WAF | YES (static) | YES | Unknown |
| **Hardcoded credentials in source** | NO | NO | **YES** (MySQL + SMTP) |
| Config/secrets in git | NO | NO (.gitignore) | YES (credentials in PHP files) |
| Internal IPs leaked | NO | YES (10.1.4.194) | NO |

---

## Technology Stack Comparison

| Feature | mvs.com | fiscalia.durango.gob.mx | uaem.mx |
|---------|---------|------------------------|---------|
| Type | Static HTML | WordPress | Custom PHP + Laravel 8 |
| Backend | None | PHP/WordPress | PHP/Laravel + legacy PHP apps |
| Database | None | MySQL (via WP) | MySQL (`consfacdiseno` — creds recovered) |
| Email | None | Unknown | Google Workspace (SMTP creds recovered) |
| Framework | jQuery 3.6.0 | WordPress + AngularJS (SGG) | Laravel 8 + PHPMailer + custom PHP |
| Plugins | None | RevSlider, Akismet, etc. | PHPMailer, Font Awesome 4.1.0 |
| Files tracked | 13 | 5,028 | 15,177 |
| Files extracted | 13 (100%) | 0 (metadata only) | 11,605 (76%) |
| Complexity | Landing page | Multi-site gov platform | Full university portal |

---

## Sensitive Systems Identified

### Payment Processing

- **uaem.mx:** `html/pagos/` — payment system on same server as public website

### Electronic Voting

- **uaem.mx:** `html/votoelectronico/` — electronic voting system co-located

### Law Enforcement

- **fiscalia.durango.gob.mx:** Criminal prosecution agency, 24 state government sites on one platform

### Personnel/Financial Data

- **uaem.mx:** Payroll data recovered — exact biweekly totals exceeding **$60M MXN per pay period** across all employee categories (2019 data in JS chart files)
- **uaem.mx:** Staff directory spreadsheets recovered — `personal.xlsx`, `personal-2018.xlsx`, IT phone directory (119 KB)
- **uaem.mx:** Student PII database — `SOLICITUD_CONSTANCIAS` table stores full names, emails, student IDs, grades
- **fiscalia:** Government accounting data (`lgcg.php` — 164 KB)

### Credentials & Secrets

#### RECOVERED (in hand)

| Target | Type | Credential |
|--------|------|-----------|
| uaem.mx | MySQL production DB | `facdisenousr` : `LXN*j@9nmVmN` → database `consfacdiseno` |
| uaem.mx | SMTP / Gmail | `constancias.facdisenio@uaem.mx` : `Cons_facDisenio9102` |

#### KNOWN TO EXIST (not recovered — on server, excluded from git)

| Target | Item | Status |
|--------|------|--------|
| uaem.mx | `html/cedulas/.env` | Laravel secrets |
| uaem.mx | `titulos-uaem/.env` | Degree system secrets |
| uaem.mx | `.bash_history` | Command history |
| uaem.mx | `.ssh/` directory | SSH keys |
| fiscalia | `wp-config.php` | WordPress DB credentials |

---

## Domain & URL Intelligence

### mvs.com — 30+ domains/URLs identified

Full corporate web presence mapped including MVS Radio, MVS TV, MVS Capital, Dish Mexico, CMR restaurants (13 brands), 3 foundations, 2 Facebook page IDs.
See individual report for complete list.

### fiscalia.durango.gob.mx — 24 government agencies mapped

Complete theme structure reveals the Durango state government web platform serving prosecutor's office, health, education, environment, public security, transportation, tourism, child welfare, labor, agriculture, civil protection, property registry, and more.

### uaem.mx — Full university structure mapped

11,605 files extracted revealing admissions, dozens of graduate programs, research centers, institutional organization, student services, media/communications, language centers, administrative structure, certificate request system, financial indicators, and chatbot application.

---

## Recovery Status

| Target | Status | Files | Credentials |
|--------|--------|-------|-------------|
| mvs.com | **COMPLETE** — full source, full history | 13 files (100%) | None (static site) |
| fiscalia | **PARTIAL** — metadata only, objects 404'd | 0 source files | None recovered (wp-config.php exists on server) |
| uaem.mx | **NEAR-COMPLETE** — 11,605 of 15,177 files | 11,605 files (76%) | **2 credential sets recovered** |

### What's Still Potentially Recoverable

1. **uaem.mx:** Remaining 3,572 files (mostly images/SVG) — some blobs missing from packs
2. **uaem.mx:** `.env` files via direct URL access (`https://www.uaem.mx/cedulas/.env`, etc.)
3. **uaem.mx:** `.bash_history` and `.ssh/` via direct URL access
4. **fiscalia:** Source code if git objects become accessible; `wp-config.php` via direct URL
5. **All three:** Monitor for `.git/` directory removal (indicates detection)

---

## Tools & Methods Used

| Tool | Version | Purpose |
|------|---------|---------|
| git-dumper | 1.0.8 | .git/ directory extraction from webservers |
| Python | 3.13.3 | Runtime (3.14 alpha caused segfaults with dulwich) |
| git | (system) | Pack verification, log analysis, file enumeration, checkout |
| git checkout -f | — | Force checkout of 11,605 files from reconstructed pack data |
| curl | (system) | Redirect detection (uaem.mx -> www.uaem.mx) |

**Note:** Python 3.14 alpha (installed as system default) causes segfaults in dulwich/git-dumper. Always use Python 3.13 executable at `C:\Users\Squir\AppData\Local\Programs\Python\Python313\Scripts\git-dumper.exe`.

---

*Generated 2026-02-20. All data extracted from publicly exposed .git/ directories on production webservers. Updated with credential findings from full source extraction.*
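
The root cause described under Common Vulnerability Pattern (a git working tree checked out inside the served directory, with credentials written into PHP files) can be checked for by the site owner, on the server, before anything is published. The Python below is an added example, not part of the original report or of any tool it names; the function names, finding labels and sample tree are hypothetical, and every value in the sample is a constructed placeholder.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed rule set, derived from the report's findings: names that must not sit under a
# served document root, and PHP literals (PDO third argument, PHPMailer ->Password).
RISKY_DIRS = {".git", ".ssh"}
RISKY_FILES = {".env", ".bash_history"}
PDO_LITERAL = re.compile(r"new\s+PDO\s*\(\s*(['\"]).*?\1\s*,\s*(['\"]).*?\2\s*,\s*(['\"]).+?\3", re.S)
MAILER_LITERAL = re.compile(r"->\s*Password\s*=\s*(['\"]).+?\1")


def audit_docroot(root):
    """Walk a local document root; return sorted (kind, relative_path) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in RISKY_DIRS.intersection(dirnames):
            findings.append(("exposed-dir", os.path.relpath(os.path.join(dirpath, d), root)))
            dirnames.remove(d)  # prune: no need to descend into it
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name in RISKY_FILES or (name.startswith(".") and name.endswith(".swp")):
                findings.append(("exposed-file", rel))  # dotfiles and editor swap files
            elif name.endswith(".php"):
                text = Path(root, rel).read_text(encoding="utf-8", errors="replace")
                if PDO_LITERAL.search(text) or MAILER_LITERAL.search(text):
                    findings.append(("hardcoded-credential", rel))
    return sorted(findings)


def build_sample_docroot(root):
    """Constructed sample tree (placeholder values only) mirroring the pattern above."""
    files = {
        ".git/HEAD": "ref: refs/heads/master\n",
        "app/.env": "DB_PASSWORD=placeholder\n",
        "app/.config.php.swp": "",
        "forms/db.php": "<?php $pdo = new PDO('mysql:host=db;dbname=x', 'user', 'placeholder');",
        "forms/mail.php": "<?php $mail->Password = 'placeholder';",
        "forms/safe.php": "<?php $pdo = new PDO($dsn, getenv('DB_USER'), getenv('DB_PASS'));",
    }
    for rel, body in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_docroot(tmp)
        print(*audit_docroot(tmp), sep="\n")
```

An `exposed-dir` or `exposed-file` finding means the path should be removed from the document root or denied at the web server, ideally by deploying a build artifact rather than a working tree. A `hardcoded-credential` finding on a server that ever exposed `.git/` should be treated as already disclosed: rotate the secret and move it out of source.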