HIGH · epc

Engineers India Limited

Indexed directory listing exposes CPP-Angul-Smelter project files; Apache 2.4.29 EOL; no SPF/DMARC

engineersindia.com · baseline scan 2026-04-27 · daily passive check 2026-06-13 · Phase 2 active scan 2026-04-28

Daily passive check · 2026-06-13

score 40

Availability

HTTP 200

TLS

2026-10-23 · 132d

Headers

2 missing · 0 permissive

Email auth

SPF missing · DMARC absent

38

Security score

Elevated

Headline findings

  • 01 · Public directory listing on /wp-content/uploads/cache/2019/01/CPP-ANGUL-SMELTER_full/ — Google-indexed, project documents exposed
  • 02 · Apache 2.4.29 EOL (current is 2.4.64)
  • 03 · No SPF, no DMARC — both entirely absent
  • 04 · Missing CSP

Urgent · time-bound actions

  • 3d · Disable directory indexing on /wp-content/uploads/ · immediately
  • 7d · Submit Google de-index request for the exposed CPP-Angul-Smelter folder · this week

TLS security

pass

Issuer
DigiCert Inc
Expires
2026-10-23 (132d)

Email authentication

SPF
missing
DKIM
missing
DMARC
absent

Hardening headers

4 / 0 / 2 · present / permissive / missing

  • HSTS · present
  • CSP · missing
  • X-Frame · present
  • X-Content-Type · present
  • Referrer-Policy · present
  • Permissions-Policy · missing

Lookalike domains

  • engineersindia.net · 198.49.23.145 (third-party)
  • engineers-india.com · 72.1.241.142 (third-party)
  • engineersindia.in · 104.21.3.133 (Cloudflare, third-party)

Public topology · CT logs

1 total · 1 sensitive

engineersindia.com
Document mgmt
  • /wp-content/uploads/cache/2019/01/CPP-ANGUL-SMELTER_full/

Certificate-transparency logs are immutable and public. Sensitive subdomains advertised here cannot be retracted; the mitigation is forward-only — new internal services route through a private CA that does not submit to public CT.

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

Can EIL implement SPF/DMARC and CSP headers, and submit a Google de-index request, before the next spear-phishing campaign uses cached project filenames as lures?

Active fingerprints · per host

  • engineersindia.com · EOL × 4

    ASP.NET Core (HTTP/2)

    • CSP MISSING (CRITICAL)
    • SPF and DMARC entirely absent — open spoofing surface
    • Apache 2.4.29 EOL on legacy edge (if still in stack)
    • Directory listing /wp-content/uploads/cache/2019/01/CPP-ANGUL-SMELTER_full/ Google-indexed

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1

Path A: Email spoofing via missing SPF/DMARC

effort hours
detect low (bad)
Entry
No SPF, no DMARC. Spoofed @engineersindia.com with no policy enforcement.
Pivot
Executive clicks phishing link → credentials harvested.
Objective
Initial compromise; lateral move via trust.
#2

Path B: Typosquat + spoofed domain

effort hours
detect low (bad)
Entry
Register eil-engineering-india.com or similar.
Pivot
Send spoofed mail; SPF absence = pass; high-trust exploitation.
Objective
Credential harvest; partner-network compromise.
#2

Path C: Cached document lure

effort days
detect medium
Entry
Google Cache may still show CPP-Angul-Smelter PDF filenames despite directory now redirecting.
Pivot
Craft identical-looking memo (Design Review Q1 2026); email technical staff; RAT deployment on click.
Objective
Supply-chain intelligence + credential theft.
#2

Path D: Apache 2.4.29 unpatched CVEs (if still serving)

effort days
detect medium
Entry
If Apache 2.4.29 remains on the stack, CVE-2024-47252 / CVE-2024-43204 / CVE-2024-42516 apply.
Pivot
TLS 1.3 access bypass; mod_rewrite SSRF; mod_proxy SSRF.
Objective
Server-side data access; internal pivot.

Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path A · Email spoofing via missing SPF/DMARC
factor ~3–5×
pre-AI
Missing SPF/DMARC + cached governance doc filenames → credential compromise + supply-chain intel exfil
Mythos
AI-augmented attacker auto-correlates cached filenames with current project cycles and crafts indistinguishable lures
Path C · Cached document lure
factor ~5–7×
pre-AI
Manual lure crafting from cached document index
Mythos
Cached document index becomes a phishing-template generator

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical

    Implement SPF record (hard -all)

    Host
    engineersindia.com
    Fix
    Publish: v=spf1 include:_spf.<actual mail provider> -all. Audit mail provider; align before enforcement.
    Owner
    IT / Email Security
    Validation
    dig +short TXT engineersindia.com | grep v=spf1
  • critical

    Implement DMARC p=quarantine → p=reject after 30 days

    Host
    engineersindia.com
    Fix
    Publish DMARC with rua=. Monitor 30 days; promote to p=reject.
    Owner
    IT / Email Security
    Validation
    dig +short TXT _dmarc.engineersindia.com returns DMARC1
  • critical

    Add CSP header (currently missing)

    Host
    engineersindia.com
    Fix
    default-src 'self'; script-src 'self' 'nonce-{random}'; object-src 'none'; upgrade-insecure-requests.
    Owner
    Frontend / Security
    Validation
    curl -i shows Content-Security-Policy header
  • critical

    Disable directory indexing on /wp-content/uploads/

    Host
    engineersindia.com
    Fix
    .htaccess: Options -Indexes. Verify all subdirectories.
    Owner
    Web Ops
    Validation
    curl /wp-content/uploads/ returns 403

Tier 2 · within 30 days

  • high

    Submit Google Search Console de-index request for cached cache/* paths

    Host
    engineersindia.com
    Fix
    GSC → Removals → submit /wp-content/uploads/cache/*. Add robots.txt block to prevent re-index.
    Owner
    Web Ops / SEO
    Validation
    site:engineersindia.com/wp-content/uploads/cache returns 0 results within 30 days
  • high

    Audit and upgrade WordPress / plugins / Apache

    Host
    engineersindia.com
    CVE
    CVE-2024-47252 (Apache 2.4.x)
    Fix
    wp-cli: wp plugin list --update=available. Apply updates. Apache to 2.4.62+ if 2.4.29 still present. Test in staging.
    Owner
    Web Ops
    Validation
    Apache 2.4.62+ in headers; wp plugin status all-current
  • high

    Deploy WAF — block directory traversal, SQLi, WP exploit patterns

    Host
    engineersindia.com
    Fix
    Cloudflare or ModSecurity OWASP CRS.
    Owner
    Security / WAF
    Validation
    ../../../etc/passwd payload returns 403
  • high

    Implement DKIM signing for outbound mail

    Host
    engineersindia.com
    Fix
    Mail server config: enable DKIM signing. Publish public key in DNS.
    Owner
    Email Security
    Validation
    Test email shows DKIM-Signature: pass in headers

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.
