Re: Budgettravel.mu "root" directory

From: Ish Sookun <ish_at_hacklog.in>
Date: Thu, 9 Apr 2015 13:42:09 +0400

Hello Kunal,

At this rate, more of the data will be plundered before any investigation
is over. If your IT Security team could have a look at the following, maybe
it'll help to accelerate:

- http://www.budgettravel.mu/photos/k2/root/salim/listofcmdscpanel3Final.txt
- http://www.budgettravel.mu/photos/k2/root/salim/users
- http://www.budgettravel.mu/photos/k2/root/salim/users/dbmweb

By the way, I won't be available for a phone conversation during the day.
If your team requires any additional information, they can email me. I
shall reply accordingly.

I am also copying the email to CERT-MU as it seems they didn't receive the
initial one.

Regards,

On Thu, Apr 9, 2015 at 12:40 PM, Businesscontact <
businesscontact_at_mauritiustelecom.com> wrote:

> Dear Sir/madam,
>
> Grateful to provide your contact number where our technical team will
> contact you for further investigation.
>
> Kind Regards
>
> Kunal
> ________________________________________
> From: S Moonesamy [sm+mu_at_elandsys.com]
> Sent: Wednesday, April 08, 2015 6:59 PM
> To: Businesscontact; mauritius-internet-users_at_lists.elandnews.com
> Cc: Ish Sookun; Irshaad Abdool
> Subject: RE: Budgettravel.mu "root" directory
>
> Hi Kunal,
> At 02:50 08-04-2015, Businesscontact wrote:
> >Grateful to provide the specifics of the security so as we can proceed.
>
> I would like to thank Orange Mauritius for responding to the email
> about a security issue. Ish Sookun replied to your message and
> provided some details about the security issue.
>
> The www.budgettravel.mu web site was either compromised or
> incorrectly configured several months ago. Some information which is
> usually kept private for security or privacy reasons, e.g. private
> SSL key, passwords, personal information, etc., was accessible to the
> public.
>
> Some of the personal information looks like data held by
> www.radioplus.mu. The attacker probably took control over the system
> running on cpanel3.intnet.mu (202.123.27.136). One of the web sites
> hosted on cpanel3.intnet.mu was used for phishing
> secure.bnpparibas.net in February. There were phishing reports of
> attacks from web sites hosted on cpanel3.intnet.mu in December 2014.
>
> Irshaad Abdool and Ish Sookun both noticed that the file at
>
> http://www.budgettravel.mu/photos/k2/root/venen_radioplusvenen_radioplus20apr2011.sql
> is publicly accessible. Although it has been reported that the file
> contains personal information, it is still publicly accessible.
>
> Regards,
> S. Moonesamy




-- 
Ish Sookun
- Geek by birth, Linux by choice.
- I blog at HACKLOG.in.
https://twitter.com/IshSookun ^^ Do you tweet?
Received on Thu Apr 09 2015 - 09:42:29 PST
