Mexican Vault — OSINT Analysis Report

01

Executive Summary

What This Is

A 2.1 GB collection of files produced by a systematic reconnaissance campaign against Mexican critical infrastructure. An operator using the handle "Squir" (tools credited to "Ringmast4r & Tikket1") scanned 570 Mexican domains for exposed .git/ directories on 2026-02-20, found 3 vulnerable targets, and extracted source code, credentials, and internal infrastructure data.

The Three Targets

uaem.mx — Universidad Autónoma del Estado de Morelos (public university). Full extraction: 11,605 files, 960 MB, 6 credentials, payroll data, student PII schema.

fiscalia.durango.gob.mx — Durango State Attorney General. Partial extraction: metadata only (669 KB). Exposed internal network IP, 24-agency WordPress multisite.

mvs.com — Grupo MVS (media conglomerate). Full extraction: 13 MB static landing page, developer identities, corporate URL directory.

Operator Profile

Windows user: C:\Users\Squir\Desktop\MEXICO\

Tool: Custom Go-based .git scanner called "HUNTR"

Extraction: git-dumper (Python 3.13)

Viewer: Custom HTML/JS SQLite browser (sql.js)

Scan date: 2026-02-20 (07:04–16:33, 9.5 hours)

Reports: 4 structured MD files compiled same day

02

Recovered Credentials

#	Type	Host	Username	Password / Key	Source File	Severity
1	MySQL (PDO)	www.uaem.mx:3306	facdisenousr	LXN*j@9nmVmN	ConexionMySQL.php	Critical
2	SMTP / Gmail	smtp.gmail.com:465	[email protected]	Cons_facDisenio9102	EnviarCorreoModel.php (Diseno)	Critical
3	SMTP / Gmail	smtp.gmail.com:465	[email protected]	Ventanill4FCQ31	EnviarCorreoModel.php (FCQEI)	Critical
4	Dashboard Login	uaem.mx/indicadores-sistemas	(shared password)	UaeM2019*	validar.php	High
5	Laravel Admin	uaem.mx (CMS)	[email protected]	123456 (if unchanged from seeder)	AdminUserSeeder.php	High
6	OpenAI API Key	api.openai.com	—	sk-NNGK5KZfLDSF5aXh...vl79	main.*.js (14 bundles)	Critical

The operator's 04-CREDENTIALS.md report only documented credentials #1 and #2. Credentials #3–#6 were discovered during our reconstruction of the full git repository.

Credentials Known to Exist (Not Recovered)

File	Target	Evidence	Likely Contents
html/cedulas/.env	uaem.mx	Listed in .gitignore	Laravel app key, DB credentials for cedula/license system
titulos-uaem/.env	uaem.mx	Vim swap file in .gitignore	Secrets for degree generation system (APP_NAME=Titulos UAEM)
.bash_history	uaem.mx	Listed in .gitignore	Shell command history — may contain passwords, SSH commands
.ssh/	uaem.mx	Listed in .gitignore	SSH private keys for server access
wp-config.php	fiscalia.durango.gob.mx	Listed in .gitignore	WordPress DB host, name, user, password, auth keys

03

Target: uaem.mx — Universidad Autónoma del Estado de Morelos

Extraction Summary

Status: Full source code recovered

Files extracted: 11,605 (from 15,177 tracked)

Size on disk: ~960 MB (3.1 GB reconstructed)

Pack files: 30+ totaling 1.7 GB

Git commits: ~8,500

Active period: Nov 2022 — Oct 2025

Repository: github.com/norgoth/uaem2023 (private)

Framework: PHP + Laravel 8 + MySQL + Apache

Developer Team (9 Contributors)

Commits	Author	Email
3,870	root (Rafael Fragoso)	[email protected]
2,207	Alan Martinez	[email protected]
552	armoralesricardo	[email protected]
531	Roxandesanz	[email protected]
329	GGakko	[email protected]
296	Amy Malavar	[email protected]
198	AreAlarcon	GitHub noreply
133	Alouaem	GitHub noreply
93	JelsyUribe	[email protected]

Sensitive Data Recovered from UAEM

Category	Detail	Severity
MySQL credentials (hardcoded)	`facdisenousr` / `LXN*j@9nmVmN` @ `www.uaem.mx` / `consfacdiseno`	Critical
SMTP credentials x2 (hardcoded)	Two Gmail passwords for certificate systems	Critical
OpenAI API key (client-side JS)	`sk-NNGK5K...` in 14 React bundles	Critical
Student PII database schema	Names, emails, IDs, grades in SOLICITUD_CONSTANCIAS table	Critical
.git/ directory exposed (1.7 GB)	Entire repo history downloadable	Critical
Deployed as root	All 550+ deployments run as root user	Critical
.env files on disk	`html/cedulas/.env` and `titulos-uaem/.env`	Critical
.ssh/ directory on server	SSH keys potentially accessible via URL	Critical
Payroll data (2019)	Biweekly totals: $60M+ MXN/period across all categories	High
Staff directories	personal.xlsx, personal-2018.xlsx, IT phone directory (119 KB)	High
Dashboard password	`UaeM2019*` for financial indicators	High
Laravel admin seeder	`[email protected]` / `123456`	High
TestConexion.php exposed	Echoes DB connection object as JSON	High
Co-located critical systems	Payments, voting, student records, degrees on one server	High
RevSlider 6.6.15	CVE-2022-0441 (CVSS 9.8 auth bypass)	High
Production server path	`/var/www/uaem/laravel/`	Medium
Google tracking IDs	GTM-PCWS2ZV, UA-38920403-1	Low

Payroll Data Sample (Unionized Staff, Catorcena 1, 2019)

Category	Amount (MXN)
Base (permanent)	$8,086,711.60
Eventual (temporary)	$804,802.91
Jubilado (retired)	$1,734,712.16
Pensionado (pensioned)	$21,243.22

Payroll Data Sample (Trust/Faculty Staff, Catorcena 1, 2019)

Category	Amount (MXN)
Docente (faculty)	$32,846,691.71
Académica de Confianza	$5,438,879.30
Confianza (trust)	$4,402,355.70
Jubilado (retired)	$8,032,888.51

UAEM Server Directory Structure

www.uaem.mx
├── html/
│   ├── admision-y-oferta/            Admissions portal
│   ├── cedulas/                      Professional license system (Laravel, .env on disk)
│   ├── chatbot/                      React AI chatbot (OpenAI key exposed)
│   ├── constancias-diseno/           Certificate system Fac. Diseno (MySQL + SMTP creds)
│   ├── ventanilla-virtual-fcqei/     Certificate system FCQEI (2nd SMTP creds)
│   ├── directorio/                   Staff directories + phone spreadsheets
│   ├── indicadores-sistemas/         Financial dashboard (shared password)
│   ├── informacion-financiera/       Financial statements 2018-2025
│   ├── organizacion-institucional/   Org chart, payroll, HR, personnel
│   │   └── tesoreria-general/dir-de-personal/nominas/  Payroll data
│   ├── pagos/                        Payment processing (gitignored)
│   ├── votoelectronico/              Electronic voting system
│   ├── estudiantes-y-egresados/      Student & alumni services
│   ├── transparencia/                Government transparency portal
│   ├── contraloria-social/           Social comptroller
│   └── [40+ more subdirectories]
├── laravel8/                         Laravel 8 CMS backend
│   ├── app/
│   ├── database/seeders/             AdminUserSeeder.php (admin creds)
│   └── resources/views/
├── titulos-uaem/                     Degree generation system (.env on disk)
├── config.php                        Template path config
└── .gitignore                        218 lines revealing full structure

04

Target: fiscalia.durango.gob.mx — Durango State Attorney General

Extraction Summary

Status: Partial — git metadata only (669 KB)

Object blobs: All returned HTTP 404

Repository: gitlab.com/devgob/mw-red-de-sitios (private)

CMS: WordPress (es_MX)

Files tracked: 5,028

Deployed: 2024-09-30 via git reset --hard origin/prod as root

Infrastructure Exposed

External (Internet)

fiscalia.durango.gob.mx

WordPress + exposed /.git/

xmlrpc.php + wp-login.php accessible

Internal Network (10.1.4.0/24)

10.1.4.194:8085

Gitea/Gogs server

User: Alejandro.paredes

Public Code

gitlab.com/devgob/mw-red-de-sitios (private)

24 State Government Agencies on One WordPress Install

Theme	Agency
mw-fiscalia	Fiscalía General del Estado (this site)
mw-ssp	Secretaría de Seguridad Pública (State Police)
mw-dif	DIF — Desarrollo Integral de la Familia
mw-salud	Secretaría de Salud
mw-educacion	Secretaría de Educación
mw-sgg	Secretaría General de Gobierno
mw-medioambiente	Secretaría de Medio Ambiente
mw-turismo	Secretaría de Turismo
mw-trabajo	Secretaría del Trabajo
mw-transportes	Secretaría de Transportes
mw-proteccioncivil	Protección Civil
mw-bienestarsocial	Secretaría de Bienestar Social
mw-sedeco	Secretaría de Desarrollo Económico
mw-secoed	Sec. de Competitividad y Desarrollo
mw-sagdr	Sec. de Agricultura y Desarrollo Rural
mw-iemujer	Instituto Electoral y Part. Ciudadana
mw-idj	Instituto Duranguense de la Juventud
mw-indem	Instituto del Deporte
mw-rpp	Registro Público de la Propiedad
mw-sipinna	Protección de Niñas, Niños y Adolescentes
mw-blindaje	Security/hardening variant
mw-sgg-blindaje	SGG hardening variant
mw-dependencia	Generic government template
mw-secope	(Unidentified secretariat)

A single compromise of this repository/server would affect the entire Durango state government web presence.

05

Target: mvs.com — Grupo MVS (Media Conglomerate)

Extraction Summary

Status: Full source code recovered (13 MB)

Type: Static HTML/CSS/JS landing page

Repository: bitbucket.org/mvsradio/grupo_mvs_v2_landing

Commits: 14 (Mar 13 – Apr 13, 2023)

No credentials found (no backend)

Personnel Identified

Alfredo Gonzalez — [email protected] (MVS employee, DevOps)

Noe/Alan Olvera — [email protected] (freelance contractor)

Bitbucket workspace: mvsradio (may contain other repos)

MVS Corporate URL Directory (Extracted from Source)

MVS Properties

mvscapital.com.mx

mvstv.com

mvsradio.com

mvseducacion.com

mvsentretenimiento.com

mvsideas.com

CMR Restaurants

wings.com.mx | nube7.mx | matildbistro.mx

delbosquerestaurante.com.mx

bistrochapultepec.com | lago.com.mx

thecapitalgrille.com.mx

chilis.com.mx | redlobster.com.mx

olivegardenmexico.com.mx | sushi-itto.com.mx

Dish Mexico

dish.com.mx | octopusmx.com

oninternet.com.mx | fpop.com.mx

Foundations

fundaciondish.org

fundacioncmr.org

fundacionmvsradio.org

06

Scan Campaign — 570 Mexican Domains

Federal Government

103

Presidency, ministries, SAT, IMSS, ISSSTE, autonomous bodies

Education

81

UNAM, IPN, 35 state universities, 27 CONAHCYT research centers

Municipalities

42

Guadalajara, Monterrey, Tijuana, Cancún, 38 more

State Governments

32

All 32 states including CDMX

Media

31

Televisa, TV Azteca, El Universal, Reforma, Milenio

Healthcare

28

National institutes, specialty hospitals, IMSS

Law Enforcement

24

FGR, all state prosecutors, CDMX police

Financial

21

Banxico, BMV, BBVA, Banamex, Banorte, HSBC

Energy & Nuclear

19

PEMEX, CFE (all subsidiaries), ININ (nuclear)

Infrastructure

19

AICM, Tren Maya, CAPUFE, ports, railways

Military & Intel

15

SEDENA, SEMAR, Guardia Nacional, CNI, CISEN

CDMX Agencies

14

Metro, Metrobús, SACMEX, finanzas, salud

Judiciary

19

SCJN, CJF, TEPJF, state tribunals

Other

122

Telecom, e-commerce, political parties, NGOs, sports, culture, electoral, consular

Of 570 domains scanned, only 3 (0.53%) had exposed .git/config files. The scan ran for 9.5 hours on 2026-02-20 from C:\Users\Squir\Desktop\MEXICO\.

07

All Identified Personnel

Name	Email	Platform	Handle	Organization	Role
Rafael Fragoso	[email protected]	GitHub	norgoth / GGakko	UAEM	Lead dev, sysadmin, sole deployer
Alan Martinez	[email protected]	GitHub	—	UAEM	Developer (2,207 commits)
Ricardo Morales	[email protected]	GitHub	—	UAEM	Developer (552 commits)
Roxana Sánchez	[email protected]	GitHub	Roxandesanz	UAEM	Developer (531 commits)
Amy Malavar	[email protected]	GitHub	—	UAEM	Developer (296 commits, latest Oct 2025)
Jelsy Uribe	[email protected]	GitHub	JelsyUribe	UAEM	Developer (93 commits)
Alfredo Gonzalez	[email protected]	Bitbucket	agonzalez_	Grupo MVS	DevOps, web deployer
Noe/Alan Olvera	[email protected]	Bitbucket	—	MVS (contractor)	Frontend developer
Alejandro Paredes	—	GitLab / Gitea	Alejandro.paredes	Durango State Gov	Lead dev / sysadmin
Dr. Alejandro Vera	—	—	—	UAEM	Faculty (xlsx author)

Institutional Email	Purpose	Credential Status
[email protected]	Certificate system sender (Diseno)	Password recovered
[email protected]	Certificate system sender (FCQEI)	Password recovered
[email protected]	Registrar (email recipient)	Identity only

08

Git Repository Forensics

Pack Files

Total packs: 42 files (~1.8 GB)

Indexed packs: 23 (with .idx files)

Total git objects: ~82,739

Commits: 9,265 | Trees: 7,179

Blobs: 13,426 | Deltas: 52,869

Domain Attribution

Domain	Packs	Size	Status
uaem.mx	21+ indexed	~1.5 GB	Full extraction
mvs.com	16 loose objects	~13 MB	Full extraction
fiscalia.durango	1 pack (241 obj)	5.3 MB	Metadata only

Loose Git Objects (16 MVS files)

6 commit objects (PR merge history with author emails)

5 blob objects (CSS, JS, index.html — multiple versions)

3 tree objects (directory listings)

2 binary blobs (PNG images)

Reference Files

HEAD → refs/heads/master (UAEM)

FETCH_HEAD → bitbucket.org/mvsradio (MVS)

ORIG_HEAD → MVS last merge commit

master → Fiscalia deployment log

gitconfig → GGakko / [email protected]

09

Operational Timeline

2022-11-11

UAEM repository created

Rafael Fragoso (GGakko) — "first commit" at github.com/norgoth/uaem2023

2023-03-13

MVS repository created

Alfredo Gonzalez clones to production, Noe Olvera begins building landing page

2023-04-13

MVS last activity

5th and final pull request merged — CMR logo updates

2024-09-30

Fiscalia Durango deployed

git reset --hard origin/prod by root@webdurangonuevo — 5,028 WordPress files

2025-10-20

UAEM latest commit

Amy Malavar — "Atencion ticket 97838"

2026-01-29

Target list created

570 Mexican domains curated across 51 categories

2026-02-19

Target list expanded

Additional domains added (state prosecutors, municipalities, etc.)

2026-02-20

Scan executed & extraction performed

07:04–16:33 UTC — 570 domains scanned, 3 hits found, repositories dumped, reports compiled

10

Hypothetical Attack Surface Analysis

Worst-Case Kill Chain

01 MySQL login → Dump student PII database

Direct connection to www.uaem.mx:3306 with recovered credentials

02 Gmail login → Read institutional email, map internal contacts

Three Gmail SMTP passwords → full inbox access + phishing launchpad

03 Password spray → SSH or Laravel admin access

Credential patterns (UaeM2019*, 123456, Ventanill4FCQ31) tried across services

04 RevSlider CVE-2022-0441 → Webshell on www.uaem.mx

CVSS 9.8 auth bypass → arbitrary file upload

05 Root access (server already runs as root)

No privilege escalation needed — web server = root

06 Grab .env, .ssh/, .bash_history

Credentials for cedulas, titulos, payment systems + SSH keys for lateral movement

07 Access payment system → Financial fraud

html/pagos/ on same server, likely same DB instance

08 Modify electronic voting system

html/votoelectronico/ — university director elections

09 Inject malware into public pages → Mass compromise

Watering hole attack on thousands of daily student/faculty visitors

10 Pivot to Durango → 24 government agency compromise

SSRF to 10.1.4.194:8085 or credential reuse against shared WordPress multisite

11

Recommended Remediation (Priority Order)

#	Action	Target	Priority
1	Rotate ALL credentials immediately (MySQL, SMTP x2, OpenAI key, dashboard password, Laravel admin)	UAEM	Immediate
2	Block `/.git/` directory in Apache/Nginx config	All 3 targets	Immediate
3	Stop running web server as root — create dedicated user	UAEM + Fiscalia	Immediate
4	Remove `TestConexion.php` from production	UAEM	Immediate
5	Update or remove RevSlider plugin	UAEM + Fiscalia	Urgent
6	Move all credentials to `.env` files (not hardcoded in PHP)	UAEM	Urgent
7	Move OpenAI API key server-side (never expose in client JS)	UAEM	Urgent
8	Enable 2FA on all Google Workspace accounts	UAEM	Urgent
9	Separate critical systems — payments, voting, student records should not share a server	UAEM	Urgent
10	Disable `xmlrpc.php` and add WordPress security plugin (Wordfence/Sucuri)	Fiscalia	Urgent
11	Audit all 24 Durango government sites for shared vulnerabilities	Fiscalia	High
12	Remove `.bash_history` and `.ssh/` from web root	UAEM	High
13	Implement CI/CD pipeline — stop deploying via `git pull` as root	All 3 targets	High
14	Report to CERT-MX (`[email protected]`) for coordinated disclosure	All 3 targets	Recommended

12

Complete Vault Inventory

By File Type (2,546 files, 2.1 GB)

Type	Count	Type	Count
PNG	541	PHP	480
SVG	424	JS	201
CSS	193	JPG	173
PDF	99	PACK	42
MAP	36	SCSS	33
WEBP	29	DOCX	29
IDX	23	HTML	23
TXT	19	Fonts	64
Other	137	—	—

Key Reports in Vault

File	Contents
01-MVS-COM.md	Grupo MVS OSINT report
02-FISCALIA-DURANGO.md	Fiscalia Durango OSINT report
03-UAEM-MX.md	UAEM university OSINT report
04-CREDENTIALS.md	Master credential report with pivot strategies
huntr.db	SQLite scanner results (570 domains, 3 findings)
db-viewer.html	Custom SQLite viewer tool (by Ringmast4r & Tikket1)
mexican-websites.txt	570-domain target list (51 categories)