Missing ISAW and DOJ Hacking Case

If technews-isaw were around, the recent ‘incident’ that involved the so called ‘hacking’ of the DOJ (Dept of Justice), Enchanted Kingdom and ITECC among others would have a venue for discussions among security professionals. Alas, with the non-operation of the ISAW site, i have no where else to start a discussion. So I am left with publishing it on my blog.

Based on the published reports that DOJ hacked in Inquirer.net by respected author Erwin Oliva, here is my take on the matter:

1. All the sites belonged to the same IP address.
2. All the sites had the same OS (Windows 2003)
3. All the sites were running IIS 6.0

Before and after checks of the DNS (domain name resolutions) shows that they still resolve to the same shared IP address. One possible conclusion is that they are using the same shared host. So the fact that all the other sites were re-routed to enchantedkingdom.com.ph could point to a “host header” problem.

A host header is a piece of entry in the IIS6.0 web properties that sys ads have to put in each hosted domain to enable the IIS 6.0 to distinguish each unique domain that are hosted on the same machine. So in the case at hand, DOJ would have a host header of ‘www.doj.gov.ph” using and port 80 (web service), while Enchanted Kingdom would have a host header of ‘www.enchantedkingdom.com.ph” using the same IP address of and same port 80.

A visitor to enchanted kingdom would issue a ‘get’ request containing the host header ‘www.enchantedkingdom.com.ph’. Once IIS6.0 gets this request, it will serve the pages from enchantedkingdom domain. The same is true for DOJ domain. The ‘get’ request would contain ‘www.doj.gov.ph’ and the pages from the DOJ website will be served instead of the ones from enchanted kingdom.

But when all the domains do not have their host headers set, the first web domain on the IIS6.0 will be the one served. IN this case, I suspect enchantedkingdom is on the top of the web domains list.

The next question that begs to be answered is this: if the sites were working before, how could the settings changed?
More likely the configuration was changed because of some sort of backup/restore procedure. The domains were re-created. BUT the sys ad simply forgot to configure different host headers for the various domains. But that is my personal conjecture.

Hence, when visitors went to the DOJ site, they saw the enchanted kingdom site!