Been receiving emails from readers and fellow bloggers about the alleged hacking of 3 government agency websites, namely the DOJ, PNP-CIDG and ITECC. Investigations were being done by PLDT (or Infocom, the webhost), the DOJ and the management of Enchanted Kingdom. What would have seemed like a hack was actually a server glitch.
If you dig deeper into the incident, you will notice that all four (4) websites involved are located on the same IP address (i.e. 202.57.124.135). That’s one sure indication that all of the websites involved are hosted on the same server.
Here’s the weird thing when I first heard/read about it. If it were a hacking attempt, there wasn’t any logic behind it. There was no visible trace or indication that a hack was made or that a script was maliciously injected into the website. The sites just basically opened up to the official Enchanted Kingdom website. It would seem that the webmaster or someone who has access to the FTP uploaded the Enchanted Kingdom webpages into the other 3 domain accounts.
If the web host (Infocom) was running these websites on a *nix server, it is possible that this was caused by a glitch in the DNS (Bind) or webserver (Apache) configs. Ordinarily, you can only host one website per IP address. However, hosting several is now possible because of virtual hosting.
Virtual hosting is a method used to host more than one domain name on the same computer, sometimes on the same IP address. This allows you to virtually host as many domain accounts as you like on a single server or single IP. This is done with either a name-based or an IP-based system. In this case, since all the websites are on a single IP, they used a name-based system.
Wikipedia explains it in more detail:
Name based virtual hosts use multiple host names for the same webserver IP address. With web browsers that support HTTP/1.1 (as nearly all now do), upon connecting to a webserver, the browsers send the address that the user typed into their browser’s address bar (the URL). The server can use this information to determine which web site, as well as page, to show the user. The browser specifies the address by setting the Host HTTP header with the host specified by the user. The Host header is required in all HTTP/1.1 requests.
For instance, a server could be receiving requests for two domains, www.site1.com and www.site2.com, both of which resolve to the same IP address. For www.site1.com, the server would send the HTML file from the directory /www/JoeUser/site/, while requests for www.site2.com would make the server serve pages from /www/AnthonyUser/site/.
If the Domain Name System (DNS) is not properly functioning, it becomes much harder to access a virtually-hosted website. Ordinarily, in this case, the user could try and fall back to using the IP address to contact the system, as in http://12.34.56.78/. However, the web browser doesn’t know what hostname to send when this happens, so the server will respond with a default website—often not the site the user expects. This workaround is not really useful for an average web user, but may be of some use to a site administrator while fixing DNS records.
Usually this information is stored on the server in httpd.conf. In essence, a misconfiguration might have happened, or the httpd file must have been corrupted, resulting in the incident above. This usually happens when the files are updated with newer information and were not saved properly, got truncated in the process, or the config file had some typos in it.
When this happens, usually the first website listed in the configs will appear for all the other domains you type into your browser. As a webhost, we’ve encountered these types of errors/glitches on several occasions in the past. Sometimes, it’s a cPanel bug, a DNS error (Bind) or simply an incorrectly saved webserver config.
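The fallback described above, as an added example that is not from the original post: a small Python model of name-based selection (match ServerName/ServerAlias, otherwise serve the first vhost listed), run over a constructed httpd.conf and a copy of it cut off after the first block. The hostnames, paths and function names are assumptions, and wildcard aliases are not modelled.

```python
import re

# Constructed httpd.conf fragment; hostnames and paths are placeholders.
FULL_CONF = """
<VirtualHost *:80>
    ServerName www.themepark.example
    DocumentRoot /www/themepark
</VirtualHost>
<VirtualHost *:80>
    ServerName www.agency-a.example
    ServerAlias agency-a.example
    DocumentRoot /www/agency-a
</VirtualHost>
<VirtualHost *:80>
    ServerName www.agency-b.example
    DocumentRoot /www/agency-b
</VirtualHost>
"""
# Same file cut off right after the first complete block (a bad save).
END = "</VirtualHost>"
TRUNCATED_CONF = FULL_CONF[: FULL_CONF.index(END) + len(END)]

def parse_vhosts(conf):
    """Return [(set_of_names, docroot)] for each complete block, in file order."""
    vhosts = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        lines = re.findall(r"^\s*Server(?:Name|Alias)\s+(.+)$", body, re.M | re.I)
        names = {n.lower() for line in lines for n in line.split()}
        root = re.search(r"^\s*DocumentRoot\s+(\S+)", body, re.M | re.I)
        vhosts.append((names, root.group(1) if root else None))
    return vhosts

def select_docroot(vhosts, host_header):
    """Pick the docroot the way name-based selection does for one IP:port."""
    host = host_header.split(":")[0].lower()
    for names, docroot in vhosts:
        if host in names:
            return docroot
    return vhosts[0][1]  # no name matched: the first vhost listed is the default

def hosts_falling_to_default(vhosts, expected_hosts):
    """Audit check: expected hostnames that no block claims any more."""
    known = set().union(*(names for names, _ in vhosts))
    return [h for h in expected_hosts if h.lower() not in known]

if __name__ == "__main__":
    expected = ["www.themepark.example", "www.agency-a.example", "www.agency-b.example"]
    for label, conf in (("full", FULL_CONF), ("truncated", TRUNCATED_CONF)):
        vhosts = parse_vhosts(conf)
        for host in expected:
            print(label, host, "->", select_docroot(vhosts, host))
        print(label, "unclaimed:", hosts_falling_to_default(vhosts, expected))
```

Running the audit function against the list of hostnames a server is supposed to serve, after every config change, catches this kind of silent fallback before visitors do.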
YugaTech.com is the largest and longest-running technology site in the Philippines. Originally established in October 2002, the site was transformed into a full-fledged technology platform in 2005.
_GeeZCheeZC0de_ says:
Why do Filipinos so easily believe what the government says? Yes, they are the ones in charge, but that doesn’t mean everything is true.
They say “no evidence,” but that doesn’t mean it wasn’t hacked. It may have been hacked, but whatever could be used as evidence was erased, leaving only redirection commands while he was up to something.
With veteran hackers, sometimes you don’t even know they have gotten into your system.
Even http://www.stlukes.com.ph was hacked lately.
________Government sites need better admins, not just admins who always feel secure; it should be the paranoid ones doing the securing, because it is sensitive data they are looking after_________
The hardest thing to patch is human stupidity, not system vulnerabilities
geeksociety says:
Nope. It’s not a hacking activity. Maybe a little “script kid” did it. It could also be intentional. I don’t know the exact reason, but definitely it caught the attention of media.
anonymous says:
I think it’s an XSS attack; the site was redirected to Enchanted Kingdom..
e.r.r.o.r says:
It’s simply SOCIAL ENGINEERING. If you bite the bait, you’ll evacuate. Wahahahaha
white hat hackerz rules
jampfong says:
Hi, could you help me with my investigative project?
I need more comments, and could you tell me what really happened? Is it really hacked or is it just a glitch? What does glitch mean? Thanks
dwek says:
There is a possibility that they are just covering it up :D
Sheena says:
Awesome, truly Pinoy.
Ed says:
A redirect is as good as a defacement. Nobody here actually knew what happened.
ChrisMo says:
…Just a freakin glitch, if it was hacked, you’ll never see it redirect, it will either be a defacement or insertions…
And if I were to hack it, I’d rather have accounts copies and insert misleading info occasionally, that would have a bigger impact…imho
blackhat says:
I guess he uses blackhat techniques. A simple MySQL injection can hack a website.
Junelle says:
Sigh, they are really embarrassing … I wish someone would just hack them for real! If only I knew how … all their sites would be wrecked :))
Ian says:
They don’t run Apache on a *nix server:
$ curl -I http://www.itecc.gov.ph
HTTP/1.1 200 OK
Content-Length: 10745
Content-Type: text/html
Content-Location: http://www.itecc.gov.ph/Index.html
Last-Modified: Fri, 27 Jul 2007 17:13:39 GMT
Accept-Ranges: bytes
ETag: "7e8ef7971d0c71:72c1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 05 Jan 2008 08:57:15 GMT
for example.
It *may* be a misconfigured IIS, though, but still:
http://www.google.com.ph/search?q=enchanted+kingdom
Note that the first result (at least in my search results) is http://www.nbi.doj.gov.ph. Interesting…
Peejay says:
Could it be that the NBI deliberately had the DOJ site “hacked” so that a stronger INTERNET LAW could be passed quickly??? Just my opinion…
BrianB says:
I am simply proud that the first hacker to ever be persecuted and put in jail is from my home town and graduated from my high school. Hacked into government sites and I’m damn proud of him, though he’s probably being tattooed right now deep in his privates, if you know what I mean.
anakng ofw says:
You have the same opinion as technews-ihaw.blogspot.com; this group was formerly from ISAW.
CallCenterVet says:
Sensationalist reporting mofos! That’s what our Philippine T.V. reporting media has come down to.
otoymreyes says:
I knew it! The media is way too excited to report this :)
Arnel Reodica says:
ooopppssss I mean “VirtualHost directive”….. sorry, I enclosed the word VirtualHost in “” characters….
Arnel Reodica says:
I think, if the hosting provider is using apache, it is an error in directive…. hmmmm……. Indeed no hacking happened….
:D
Dark Knight says:
hehe. thanks for the info!
jay says:
when i saw this on the news last night, i already had a doubt. what was said is that the page will be redirected to enchanted-kingdom’s site after login. there were guys from cidg and nbi, claiming that noypi hackers are on the attack again. why in the world they are saying that? they didn’t even provide logs or something that will prove it.
Noemi Dado says:
I’ve seen it happen in my servers around once or twice. The hacking didn’t make sense to me too. Usually hackers leave a small note.
the jester-in-exile says:
i knew it. haha.