Earlier today, a friend texted me asking what happened to Sulit.com.ph, the free classified ads site and forum. The site appears to have expired and has been put up for sale at Sedo.
I did a quick whois query on the domain registration and some more background checks which led me to believe it was a malicious and successful attempt to take over the domain.
- The domain is still registered up to July 26, 2010 so this is not a case where the owner just forgot to renew a recently expired domain. Besides, an expired domain will show a generic dotPH landing page for about 30 days after expiration. It should not have pointed to Sedo.
- It wasn’t a case of poisoned DNS either, since the whois record showed the nameservers were changed from ns1.sulit.com.ph and ns2.sulit.com.ph to those of Sedo. Since the nameservers were self-hosted, a poisoned DNS would still show a sulit.com.ph NS with a Sedo IP address. This doesn’t seem to be the case.
- A cracked/hacked dotPH Domain Manager account belonging to the owner of Sulit.com.ph is the most probable cause. The malicious individual could have gained access to the dotPH account, changed the password and re-pointed the domain to Sedo.
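The three checks above can be written as a small monitoring routine. This is an added example, not part of the original post or any dotPH tooling; the WHOIS field labels, the baseline IP addresses, the `parking.example` hostnames and the dates passed as "today" are constructed for illustration.

```python
from datetime import date

# Baseline recorded while the domain was healthy. The IPs are constructed
# documentation addresses, not the site's real ones.
BASELINE = {"ns1.sulit.com.ph": "192.0.2.10", "ns2.sulit.com.ph": "192.0.2.11"}

def parse_whois(text):
    """Pull the expiry date and nameserver names out of 'Key: value' lines."""
    expiry, servers = None, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip().lower()
        if key == "expiry date":
            expiry = date.fromisoformat(value)
        elif key == "name server" and value:
            servers.append(value.rstrip("."))
    return expiry, servers

def classify(whois_text, resolved, today, baseline=BASELINE):
    """resolved maps each nameserver name to the IP it currently resolves to."""
    expiry, servers = parse_whois(whois_text)
    if expiry is not None and expiry < today:
        return "expired"                      # lapsed registration
    if set(servers) != set(baseline):
        return "registry-delegation-changed"  # NS names edited at the registry
    if any(resolved.get(ns) != ip for ns, ip in baseline.items()):
        return "nameserver-address-mismatch"  # right names, wrong IPs
    return "ok"

# Constructed WHOIS text; field labels and parking hostnames are assumptions.
HEALTHY = """Domain Name: sulit.com.ph
Expiry Date: 2010-07-26
Name Server: ns1.sulit.com.ph
Name Server: ns2.sulit.com.ph"""

TAKEN_OVER = """Domain Name: sulit.com.ph
Expiry Date: 2010-07-26
Name Server: ns1.parking.example
Name Server: ns2.parking.example"""

if __name__ == "__main__":
    today = date(2010, 1, 15)  # constructed date inside the registration term
    print(classify(HEALTHY, dict(BASELINE), today))
    print(classify(TAKEN_OVER, {}, today))
```

Run on a schedule against live WHOIS and resolver output, a non-"ok" result is the trigger for an alert to the domain owner.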
Sedo has nothing to do with this. They are just a domain parking and marketplace service. People use Sedo to generate revenue from traffic of unused domains or as a marketplace to sell some high-profile domains.
How the intrusion was done is still unknown but it could have been one of several ways.
- A brute force attack on the password. It could also have been guessed by the intruder after numerous attempts. It depends on how strong the password is.
- A bug in the Forgot Password system of dotPH. The login email is readily available/searchable and all that is needed is to correctly answer the Password Question.
- Social Engineering. The individual, to gain access, might have submitted a formal request for change of Primary Email by forging the request form. A notarized form and signature can be forged and the individual might have pretended that he’s the owner of Sulit.
I believe dotPH is also doing their own investigation of the incident. They’ll be the only ones who can clarify how it all happened. A similar case happened last week to MakeUseOf.com.
You have composed an extremely good article!
find out the person..
Well, the post is actually the freshest on this laudable topic. I concur with your conclusions and will thirstily look forward to your future updates.
Damn those hackers!
Here’s an update: http://dotph.domains.ph/hacking-dotph
Good luck to sulit.com.ph in the marketplace. It is a good service and hopefully they should expand to other countries.
thanks for fixing up. I’m scared because I have an account there.
good thing that the sulit owners have fixed it. geez, the main culprit if identified, should be sued and/or punished as this kind of issue is a delicate manner. :(
sulit owners must also take good care of the security since from the looks of it, there seems to be some sort of attack to their website.
geez this sucks. if this was indeed done by purposefully “hacking” the domain, then the one concerned should be treated very seriously.
but i’m glad sulit.com.ph is now back online. :)
-Alex
mp3-codes.com
musicdumper.com
ourmanga.com
dotPH has pretty good domain security like requiring notarized forms for transferring domain ownership. But it seems the hack was an exploit in their system allowing someone else to gain access to other domains and change the nameservers. dotPH should review their security. A neat feature would be to send an email when any change is made to any domain owned.
Sorry, let me correct the last sentence. I mean “before you can transfer your domain to other registrar” not “webhost”.
That was scary. It pays to check your account on your web hosting more often and change your password to a stronger one. I’m kind of lazy changing passwords but I think changing it every two or three months will prevent hackers from stealing your domain.
On where I hosted my sites, there are nice features like locking your domain name and having a domain secret code (similar to a password) before you can transfer your domain to other web host.
I did contact Sedo earlier yesterday and they immediately informed me that there was no particular account related to the incident. The representative from domains.ph told me that they would also try to contact Sedo regarding this.
As of now, the domain has not yet propagated 100% since I am still receiving e-mails from members who cannot access the website (the new canned response feature of GMail proves to be very helpful in this case). But the traffic is already higher than a regular Saturday, most probably because those who should have accessed yesterday can only access today.
Still no official announcement coming from domains.ph (weekends).
@ Sir Bob
Please click Help Center at the menu. The Help Center does not require registration for anyone to submit a support ticket. Please include all the necessary links to your website and links of the ads in question or advertisement IDs.
We regularly deal and remove infringing ads from our system when reported to us and when we have enough evidence that it is indeed an infringement.
Just a week ago or so, I found that Sulit.com.ph had a whole bunch of content from my websites copied on their site, both images and even full articles that I had written. No permission was given, or even asked for. I went to their site and found that I could not even contact them or make an inquiry unless I registered as a user, which I had no interest in.
The owners of Sulit.com.ph should take enough responsibility to protect others on the net from piracy.
Congratulations on getting it back up, RJ. Grab those opportunities! :)
I thought I lost my account at sulit.com. The only site that appeared yesterday was always Sedo.com. It’s good news that sulit.com is back and we can still use a free and popular site like this.
Losing a website in a blink of an eye is a very big loss to the owner of that said website. I am currently backing up my accounts to prevent a total loss.
When I read the first part of the article I immediately thought about what happened to MakeUseOf.com, didn’t know you’d also mention it at the bottom of the post.
Anyways, this is a good reminder to all blog/domain owners to be vigilant and make sure that you keep your passwords strong and safe.
Good thing Sulit.com.ph is back online and to its rightful owner.
Wow, great analytic article. It considered several possibilities. And you were right on the domain hacking, as discovered later by Sulit admin.
The culprit is a Bayantel subscriber, so it could not be me. I use Globelines. :D
want to find out who it is, find out who added it to their sedo account
they know who added it.
@RJ – let us know of any new developments.
@Patrick – it’s not resolving from my end so I didn’t want to send any more traffic and link to the Sedo page.
My previous comment got caught by Akismet because I linked to the website in question?
But anyway.. the site works fine to me now.
A link to the said site in the article would have been nice. Interesting analysis though. :)
Works fine to me now.
http://www.sulit.com.ph/
Here is our official announcement that is being updated as we get additional information:
http://www.sulit.com.ph/forum/viewtopic.php?t=41415
For those being redirected to sedo, please use this:
http://67.228.219.34/forum/viewtopic.php?t=41415
@Sir Mike
There are too many opportunities in the online bargains market (or classifieds in general) just to give up.
@Sir Abe
Thanks for the great analysis of the different possibilities. I hope domains.ph will be able to clear this issue. I’ll be surprised if they can do it before Monday next week.
Maybe the owner just gave up on the Philippine online bargains market.
All things considered, I wouldn’t blame him.