# OSINT Report: fiscalia.durango.gob.mx — Fiscalia General del Estado de Durango

**Date:** 2026-02-20
**Source:** Exposed `.git/` directory on production webserver at `https://fiscalia.durango.gob.mx/.git/`
**Recovery Method:** git-dumper (Python 3.13)
**Local Path:** `C:\Users\Squir\Desktop\MEXICO\V A U L T\fiscalia.durango.gob.mx\`
**Status:** Partial recovery — git metadata only (669 KB). Object blobs returned 404.

---

## 1. Target Overview

The **Fiscalia General del Estado de Durango** is the State Attorney General / Prosecutor's Office for the state of Durango, Mexico. Government law enforcement agency responsible for criminal investigations and prosecution.

---

## 2. Repository Identity

| Field | Value |
|-------|-------|
| Repo name | `mw-red-de-sitios` ("MW Network of Sites") |
| Public remote (origin) | `https://gitlab.com/devgob/mw-red-de-sitios.git` |
| Internal remote (repoasac) | `http://10.1.4.194:8085/Alejandro.paredes/mw-red-de-sitios.git` |
| GitLab group | `devgob` (likely "Desarrollo del Gobierno" — Government Development) |
| Branch | `master` (production), fetched from `prod` branch |
| HEAD commit | `0b587c851c0045a443413349ccdbe6f70f72f8c0` |

---

## 3. Personnel Identified

### Alejandro Paredes (Lead Developer / Sysadmin)

| Field | Value |
|-------|-------|
| Full name | Alejandro Paredes |
| Internal Gitea username | `Alejandro.paredes` |
| GitLab group | `devgob` |
| Role | Lead developer & system administrator for entire Durango state government web platform |
| Access level | Root SSH access to production server |
| Internal repo | `http://10.1.4.194:8085/Alejandro.paredes/mw-red-de-sitios.git` |

### Server Identity

| Field | Value |
|-------|-------|
| Hostname | `webdurangonuevo` ("new Durango web server") |
| OS user | `root` (deployed as root — critical security issue) |
| Domain suffix | `(none)` — no FQDN configured |
| Git identity | `root ` |

---

## 4. Infrastructure Map

```
EXTERNAL (Internet-facing):
  fiscalia.durango.gob.mx
    - WordPress installation
    - Exposed: /.git/ directory
    - Exposed: /xmlrpc.php (XML-RPC attack surface)
    - Exposed: /wp-login.php

INTERNAL NETWORK (10.1.4.0/24 — government LAN/data center):
  10.1.4.194:8085
    - Internal Gitea/Gogs server (port 8085)
    - Remote name: "repoasac" (organizational acronym)
    - Repo: Alejandro.paredes/mw-red-de-sitios
    - Branch: "prod" = deployed production code

PUBLIC CODE HOST:
  https://gitlab.com/devgob/mw-red-de-sitios (private repo)
  GitLab group: devgob
```

---

## 5. Deployment Details

From `.git/logs/HEAD`:

```
root 1727738427 +0000 reset: moving to origin/prod
```

- **Timestamp:** September 30, 2024, 23:20:27 UTC (Monday night)
- **Method:** `git reset --hard origin/prod` — forced hard reset
- **All 5,028 files written within a 2-second window** (23:20:25-27 UTC)
- Single atomic deployment event — manual, not automated

---

## 6. Technology Stack

**CMS:** WordPress (full core)

- Language: Spanish (Mexico) — `es_MX` locale
- WP version: Likely 5.x or early 6.x (959-byte `version.php`)

**Plugins:**

| Plugin | Risk Level | Notes |
|--------|------------|-------|
| `revslider` (Slider Revolution) | **HIGH** | CVE-2022-0441 (auth bypass, CVSS 9.8), CVE-2014-9734 |
| `akismet` | Low | Standard spam filter |
| `lightbox-photoswipe` | Low | Image lightbox |
| `safe-svg` | Low | SVG sanitization |
| `hello.php` | None | Default WP stub |

**Notable absences:** No security plugins (no Wordfence, Sucuri, iThemes), no backup plugins, no caching plugins, no 2FA plugin.

---

## 7. Multi-Site Platform — 24 State Government Agencies

This repository serves as the **template base for the entire Durango state government web presence**.
24 custom WordPress themes identified:

| Theme | State Agency |
|-------|-------------|
| `mw-fiscalia` | **Fiscalia General del Estado** (THIS SITE) |
| `mw-bienestarsocial` | Secretaria de Bienestar Social |
| `mw-blindaje` | Security/hardening variant theme |
| `mw-dependencia` | Generic government dependency template |
| `mw-dif` | DIF — Desarrollo Integral de la Familia |
| `mw-educacion` | Secretaria de Educacion |
| `mw-idj` | Instituto Duranguense de la Juventud |
| `mw-iemujer` | Instituto Electoral y de Participacion Ciudadana |
| `mw-indem` | Instituto del Deporte |
| `mw-medioambiente` | Secretaria de Medio Ambiente |
| `mw-proteccioncivil` | Proteccion Civil |
| `mw-rpp` | Registro Publico de la Propiedad |
| `mw-sagdr` | Secretaria de Agricultura y Desarrollo Rural |
| `mw-salud` | Secretaria de Salud |
| `mw-secoed` | Secretaria de Competitividad y Desarrollo Economico |
| `mw-secope` | (Unidentified secretariat) |
| `mw-sedeco` | Secretaria de Desarrollo Economico |
| `mw-sgg` | Secretaria General de Gobierno |
| `mw-sgg-blindaje` | SGG variant with hardening |
| `mw-sipinna` | Proteccion Integral de Ninas, Ninos y Adolescentes |
| `mw-ssp` | Secretaria de Seguridad Publica |
| `mw-trabajo` | Secretaria del Trabajo |
| `mw-transportes` | Secretaria de Transportes |
| `mw-turismo` | Secretaria de Turismo |

**Critical implication:** Compromising this single server/repo could affect 20+ state government websites simultaneously.

---

## 8. .gitignore Analysis

```
wp-config.php
wp-content/uploads
.htaccess
```

- `wp-config.php` — DB credentials exist on disk but were never committed
- `wp-content/uploads` — user media excluded
- `.htaccess` — Apache config excluded (may contain security rules)

---

## 9. Notable Files (from git index — 5,028 total)

| File | Size | Significance |
|------|------|-------------|
| `wp-content/themes/mw-dif/lgcg.php` | 164 KB | Unusually large — possibly government accounting law data renderer |
| `wp-content/themes/mw-dif/soon.php` | 105 KB | Massive "coming soon" page — suspicious size |
| `wp-content/themes/mw-salud/ifiscal.php` | 96 KB | Fiscal/financial data in health secretariat theme |
| `wp-content/themes/mw-sgg/app/angular.min.js` | 167 KB | AngularJS app for official government gazette |
| `.DS_Store` | — | macOS metadata — developer uses Mac |
| `wp-content/plugins/revslider/` | — | Slider Revolution (historically exploited) |

---

## 10. Security Assessment

| Risk | Severity | Detail |
|------|----------|--------|
| `.git/` directory publicly accessible | **Critical** | Enabled this entire intel extraction |
| Deployed as `root` | **Critical** | Production server operated by root user |
| `xmlrpc.php` present | **High** | Remote code execution vector if not blocked |
| RevSlider installed | **High** | Multiple known CVEs (CVSS 9.8) |
| No security plugins | **High** | No WAF, login protection, or monitoring |
| Internal IP `10.1.4.194` exposed | **Medium** | Internal Git server IP and port leaked |
| Single point of failure | **High** | 24 government sites on one platform |
| No FQDN on server | **Low** | `hostname` not properly configured |

---

## 11. Operational Timeline

| Date (UTC) | Event |
|------------|-------|
| 2024-09-30 23:20:25 | WordPress core files written to disk |
| 2024-09-30 23:20:26 | Custom theme files deployed |
| 2024-09-30 23:20:27 | `git reset --hard origin/prod` by root@webdurangonuevo |

---

## 12. SHA1 References for Key Files

| File | SHA1 | Size |
|------|------|------|
| `.gitignore` | `6fcc698e4467a24ba2fa52ec35746842be7f3dea` | 42 B |
| `wp-includes/version.php` | `90d64dfbe7011711c2515b8c7ee74854b9ad04a1` | 959 B |
| `revslider/revslider.php` | `c605b4877a91d96611ed3579ce0121ed64eeca82` | 10,361 B |
| `mw-fiscalia/style.css` | `14d5468761a7f385d697db555cb895880f7d9a56` | 595 B |
| `mw-fiscalia/functions.php` | `4ffe7f28be4da86f3561721ff485ef1dba442d39` | 435 B |
| `mw-dif/lgcg.php` | `f58d6901fc76337ea5a57407ae1cdcdf0803cb7d` | 164,908 B |
| `mw-blindaje/mweb_functions.php` | `81119318196d10b01bd98bb56fed017677342a2b` | 19,321 B |
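
---

On the defensive side, the section 10 finding that `.git/` was publicly accessible, with metadata served while object blobs returned 404, leaves a recognizable trace in web server access logs. The following is an added example, not part of the original report: it scans Apache combined-format log lines (the sample lines and IP addresses are constructed) and separates clients that were actually served repository metadata from those that were not.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Apache combined log format (documentation-range IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /.git/index HTTP/1.1" 200 512000 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /.git/logs/HEAD HTTP/1.1" 200 180 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jan/2025:10:00:03 +0000] "GET /.git/objects/ab/cdef0123 HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.10 - - [01/Jan/2025:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2025:10:06:00 +0000] "GET /%2egit/config HTTP/1.1" 403 199 "-" "curl/8.4"
"""

# client IP, request path, and status code from one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) ')
# a ".git" path segment anywhere in the decoded path, case-insensitive
GIT_RE = re.compile(r"(^|/)\.git(/|$)", re.IGNORECASE)


def git_exposure_report(log_text):
    """Return {client_ip: {"served": [...], "not_served": [...]}} for .git requests."""
    report = defaultdict(lambda: {"served": [], "not_served": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        ip, raw_path, status = m.group(1), m.group(2), int(m.group(3))
        # Drop the query string and percent-decode so "/%2egit/" is caught too.
        path = unquote(raw_path.split("?", 1)[0])
        if not GIT_RE.search(path):
            continue
        bucket = "served" if 200 <= status < 300 else "not_served"
        report[ip][bucket].append(path)
    return dict(report)


def exposed_clients(report):
    """Clients that received repository metadata with a 2xx status: a confirmed leak."""
    return sorted(ip for ip, hits in report.items() if hits["served"])


if __name__ == "__main__":
    rep = git_exposure_report(SAMPLE_LOG)
    for ip in exposed_clients(rep):
        print(ip, "was served:", ", ".join(rep[ip]["served"]))
```

Any entry under `served` means the web server is handing out repository metadata and the directory should be blocked or removed from the document root; `not_served` entries indicate probing only.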