Domain: property.com.fj 

Investigator: (Cybersecurity Analyst, Lead Fiji) 

Date: Sunday, 21 September 2025 

Location: Central Division, Fiji

Investigation Context

This investigation was initiated following a Fiji Sun article alleging that property.com.fj was used to promote the sale of illicit drugs. The site reportedly featured listings with keywords such as “MDMA,” “Crystal Meth,” and “Cocaine,” and was linked to the email olon958@gmail.com, which responded to inquiries with drug offers.

Authorities involved:

• Real Estate Agents Licensing Board (REALB)
• Fiji Police
• Online Safety Commission

REALB confirmed the site is not a licensed real estate agency in Fiji.

Domain Resolution & Hosting

DNS Records

• property.com.fj → 149.28.168.191 (Vultr)
• www.property.com.fj → 104.21.15.73, 172.67.161.237 (Cloudflare)

Name Servers

• aria.ns.cloudflare.com
• nile.ns.cloudflare.com

Mail Servers (MX)

• smtp.google.com (Google Workspace)

Zone Transfer Attempts

• AXFR blocked on both NS servers (expected behavior)

Subdomain Brute Force

• Discovered: www.property.com.fj (Cloudflare-protected)

Class C Netranges

• 104.21.15.0/24 (Cloudflare)
• 149.28.168.0/24 (Vultr)
• 172.67.161.0/24 (Cloudflare)

Nmap Scanning Results

property.com.fj (149.28.168.191)

• Open Ports: 22 (SSH), 80 (HTTP), 443 (HTTPS)
• Web Server: nginx 1.14.0 (Ubuntu)
• SSL Certificate:
  • CN: property.com.fj
  • SAN: property.com.fj, www.property.com.fj
  • Valid: Sept 7 – Dec 6, 2025

www.property.com.fj (Cloudflare)

• Open Ports: 80, 443, 8080, 8443
• Multiple IPs: Indicates CDN distribution

Aggressive Scan (-A -Pn)

• OS: Linux (Ubuntu)
• SSH: OpenSSH 7.6p1
• HTTP: Redirects to HTTPS
• HTTPS: Misconfigured (400 error on plain HTTP to HTTPS port)

Netblock Recon (149.28.168.0/24)

Active Hosts with Web Services

IP Address

Hostname

Ports

Notes

149.28.168.2

vultrusercontent.com

80/443

Generic Vultr host

149.28.168.6

dodesign.tempurl.host

80/443

WordPress staging (WPMU DEV)

149.28.168.15

mail.nextdistribution.com.au

80/443

Australian mail server

149.28.168.8–18

vultrusercontent.com

80/443

Multiple active web servers

SSL Certificate on 149.28.168.6

• CN: *.wpmudev.host
• Issuer: DigiCert → RapidSSL
• Valid: June 5, 2025 – June 4, 2026
• TLS: v1.3, AES-256-GCM-SHA384
• Indicates shared WordPress hosting (multi-tenant)

Ownership Investigation

WHOIS Lookup

• Registrar: Cloudflare Inc. (US-based)
• Creation Date: Feb 25, 2015
• Last Updated: Sept 4, 2024
• Registrant Info: Redacted (Cloudflare privacy proxy)

How to Find the Owner

• Check historical WHOIS via DomainTools or SecurityTrails
• Inspect SSL certificates via crt.sh for email/org fields
• Correlate hosting metadata via Shodan or Censys
• File formal request with Cloudflare or Vultr via law enforcement

Forensic Toolkit Summary

Tools Used

• nmap, dnsenum, nslookup, openssl, curl, whois
• Manual inspection of SSL certs and headers
• Passive recon via public intelligence platforms

Logging & Integrity

• All scans timestamped
• Output files hashed with SHA256
• Logs stored in structured folders

Conclusion

The domain property.com.fj is hosted on Vultr and proxied via Cloudflare. It shares infrastructure with other active web servers, including WordPress staging environments. Its SSL cert is valid and recent, but WHOIS data is masked. The site is under investigation for promoting illicit drug sales, and forensic evidence supports the presence of suspicious content and infrastructure.

To identify the owner, further steps include historical WHOIS lookup, certificate correlation, and formal legal requests to hosting providers.

The link is below from Fiji Sun

https://fijisun.com.fj/news/nation/authorities-investigate-fiji-website-for-promoting-sale-of-illicit-drugs.