One of the most popular Dark Web hosting services – Daniel’s Hosting – was slaughtered last week when attackers hosed it clean of about 6,500 hidden services. The admin says they’re gone for good: he hasn’t even figured out where the vulnerability is yet.
The administrator at Daniel’s Hosting is a German software developer named Daniel Winzen, who acknowledged the attack on the hosting provider’s portal. Winzen said that it happened on Thursday night, a day after a PHP zero-day exploit was leaked.
The service will likely be back in December, he said, but even the “root” account has been deleted, and all the data on those 6,500 sites are toast:
There is no way to recover from this breach, all data is gone. I will re-enable the service once the vulnerability has been found, but right now I first need to find it.
Backups? Forget it. This is the Dark Web. Winzen told ZDNet that there ain’t no such thing as backups on Daniel’s Hosting, by design:
Unfortunately, all data is lost and per design, there are no backups.
As of last week, Winzen said his priority was to do a full analysis of the log files. He had determined that the attacker(s) had gained administrative database rights, but it’s looking like they didn’t get full system access. Some accounts and files that weren’t part of the hosting setup were left “untouched,” he said.
Other than the root account, no accounts unrelated to the hosting were touched and unrelated files in
/home/weren’t touched either. As of now there is no indication of further system access and I would classify this as a “database only” breach, with no direct access to the system. From the logs it is evident that both, adminer and phpmyadmin have been used to run queries on the database.
According to Dark Owl, when the attacker(s) took out Daniel’s Hosting, they erased over 30% of the operational and active hidden services across Tor and the Invisible Internet Project (I2P) – an anonymous network layer that allows for censorship-resistant, peer-to-peer communication. ZDNet’s Catalin Cimpanu tweeted on Monday night that this pretty much matched his own calculations.
The attacker(s) also deleted over six million documents that DarkOwl – a provider of darknet content and tools, as well as cybersecurity defenses – had archived on the Dark Net.
This is what the world lost when Daniel’s Hosting went belly-up, Dark Owl says:
- 657 of the hidden services had the title “Site Hosted by Daniel’s Hosting Service” and little else (but may have been used for something other than serving web content).
- Most (over 4900) were in English, 54 were in Russian and two of the oldest were in Portuguese.
- 457 of the hidden services contain content related to hacking and/or malware development.
- 304 have been classified as forums.
- 148 of them are chatrooms.
- 136 include drug-specific keywords.
- 109 contain counterfeit-related content.
- 54 specifically mention carding-specific information.
- Over 20 contain content including weapons and explosive-related keywords.
For better or worse, the takedown of Daniel’s Hosting means that a “pillar of the darknet community” that’s served up a chatroom and online-link list for years, free of charge, has been demolished, Dark Owl says.
For example, his online-link list is referenced by nearly 500 other hidden services, making it the second most commonly referred to directory listing (behind Fresh Onions) and providing a foundational starting point for new users navigating Tor.
Dark Owl has some theories about who could have been behind the attack. It could have been Russian hackers, who’ve recently outlined the technical details of exploiting PHP’s
imap_open() function to extract password hashes for privileged accounts, as an alternative to brute-force mining.
Then again, it could have been anybody who’s against easy posting and sharing of child abuse images. Dark Owl reports that Winzen, back in 2016, made life easier for people to share such images on Tor without potentially exposing their identities:
As a result, Daniel’s LE-Chat code became a popular platform for the darknet pedophilia community, and the home for many well-known Child Pornography sharing chatrooms such as Tabooless, Camp Fire, and Child Priori.
There are also theories about the portal being taken down by law enforcement. For one thing, a chatroom, Daniel’s Chat, quietly resurfaced on Saturday, but it lacked the member database and credentials that had enabled users to verify chat participants’ identities.
Or perhaps Daniel had been arrested, and it’s not even really him who’s posting on the site and sending email to news outlets? As it is, the providers’ hidden services experienced what Dark Owl said was “extreme” distributed denial of service (DDoS) attacks leading up to the attack, “similar to other law enforcement-led darknet seizure operations.”
Those are just some of the theories.
The attack shows how surprisingly centralised the Dark Web really is, and that there are no ironclad promises that its potent anonymity features will shield you.
Whether it’s law enforcement catching drug dealers with a fake Bitcoin exchange or simple misconfigurations that expose server IP addresses, you have to take heed: just because you’re using Tor doesn’t necessarily mean you’re safe, whether you’re a criminal or somebody seeking anonymity for noncriminal reasons.
There are many ways to get busted on the dark web.