No Hacking Involved in DOJ and Enchanted Kingdom Websites

Been receiving emails from readers and fellow bloggers about the alleged hacking of 3 government agency websites, namely the DOJ, PNP-CIDG and ITECC. Investigations were being done by PLDT (or Infocom, the webhost), the DOJ and the management of Enchanted Kingdom. What would have seemed like a hack was actually a server glitch.

If you dig deeper into the incident, you will notice that all of the four (4) websites involve are located on a similar IP address (i.e. 202.57.124.135). That’s one sure indication that all of the websites involved are hosted on the same server.

Here’s the weird thing when I first heard/read about it. If it were a hacking attempt, there wasn’t any logic behind it. No visible trace or indication that a hack was made or a script was maliciously injected into the website. They just basically opened up to the official Enchanted Kingdom website. It would seem that the webmaster or someone who have access to the FTP uploaded the Enchanted Kingdom webpages into the other 3 domain accounts.

If the web host (Infocom) was running these websites on a *nix server, it is possible that this was caused by a glitch in the DNS (Bind) or webserver (Apache) configs. Ordinarily, you can only host one website per IP address. However, this is now possible because of Virtual Hosting.

Virtual hosting is a method that is used to host more than one domain name on the same computer, sometimes on the same IP address. This allows you to virtually host as many domain accounts on a single server or single IP. This is done via name-based or IP-based. In this case, since all websites are on a single IP, they used a named-based system.

Wikipedia explains it in more detail:

Name based virtual hosts use multiple host names for the same webserver IP address. With web browsers that support HTTP/1.1 (as nearly all now do), upon connecting to a webserver, the browsers send the address that the user typed into their browser’s address bar (the URL). The server can use this information to determine which web site, as well as page, to show the user. The browser specifies the address by setting the Host HTTP header with the host specified by the user. The Host header is required in all HTTP/1.1 requests.

For instance, a server could be receiving requests for two domains, www.site1.com and www.site2.com, both of which resolve to the same IP address. For www.site1.com, the server would send the HTML file file from the directory /www/JoeUser/site/, while requests for www.site2.com would make the server serve pages from /www/AnthonyUser/site/.

If the Domain Name System (DNS) is not properly functioning, it becomes much harder to access a virtually-hosted website. Ordinarily, in this case, the user could try and fall back to using the IP address to contact the system, as in http://12.34.56.78/. However, the web browser doesn’t know what hostname to send when this happens, so the server will respond with a default website—often not the site the user expects. This workaround is not really useful for an average web user, but may be of some use to a site administrator while fixing DNS records.

Usually this information is stored in the server as httpd.conf. In essence, in misconfiguration might have happened or the httpd file must ahve been corrupted that resulted in the incident above. This usually happens when the files are updated with newer information and was not saved properly, got truncated in the process or the config file had some typos in them.

When this happens, it is usually the first website listed in the configs will appear for all other domains you typed in your browser. As a webhost, we’ve encountered this type of errors/glitches on several occasions in the past. Sometimes, it’s a cPanel bug, a DNS error (Bind) or simply an incorrectly saved webserver config.