Anonymous hacked Freedom Hosting II, a fifth of the Dark Web is down

The group of hacktivists Anonymous hacked the popular Freedom Hosting II Dark Web hosting provider, a fifth of the .onion websites is down.

The collective Anonymous is back, this time the hacker groups breached Freedom Hosting II, a popular Dark Web hosting provider.

After the closure of the original Freedom Hosting, Freedom Hosting II (FHII) become one of the largest onion web hosting providers, it is offering free space to any user who signs up for an account.

Anonymous targeted the popular Tor hosting provider because it was providing its services to a large number of websites sharing child pornography image.

The cyber attack was first spotted by Sarah Jamie Lewis, a privacy researcher at mascherari.press, who noticed the mass defacement during a regular scan of the Tor network.

Since OnionScan started in April, Sarah Jamie Lewis and her team have observed FHII hosting between 1500 and 2000 services or about 15-20% of the total number of active sites in our scanning lists (data related to the last report published in October).

Back to the present, 10,613 .onion sites have taken down as a result of the Freedom Hosting II hack, all sites have been defaced with the following image. As you can see, the Anonymous message also includes a list of hacked websites.

Source Bleepingcomputer.com

Below the message published by Anonymous

“Hello Freedom Hosting II, you have been hacked

We are disappointed… This is an excerpt from your front page ‘We have a zero tolerance policy to child pornography.’ – but what we found while searching through your server is more than 50% child porn…

Moreover you host many scam sites, some of which are evidently run by yourself to cover hosting expenses.

All your files have been copied and your database has been dumped. (74GB of files and 2.3GB of database)

Up to January 31st you were hosting 10613 sites. Private keys are included in the dump. Show full list

We are Anonymous. We do not forgive. We do not forget. You should have expected us.

Thanks for your patience, you don’t have to buy data 😉 we made a torrent of the database dump download here

Here another torrernt with all system files (excluding user data) download

You may still donate BTC to 14iCDyeCSp12AmhVfJGxtrzXDabFop4QtU and support us.

If you need to get in contact with us, our mail is fhosting@sigaint.org

We repeatedly get asked how we got into the system. It was surprisingly easy. Here is how we did it: HOW TO HACK FH2“

According to The Verge, Anonymous attempted to offer for sale the compromised data back to Freedom Hosting II in exchange for 0.1 bitcoin (roughly $100).

Further analysis revealed that the attackers received at least two payments in their Bitcoin wallet, but they opted to publicly leak the data dump via torrent files.

Watch out, the 2.3 GB dump may contain disturbing images, don’t download the archive if you don’t need it. Anonymous claims to have downloaded 74GB of files.

Joseph cox from Motherboard interviewed one of the Anonymous hackers involved in the attack who explained this was his first hack ever, and he did not plan to take down all websites hosted on Freedom Hosting II.

“On Saturday, the hacker claiming responsibility told me in more detail how and why they took down the service.” wrote Cox.

“This is in fact my first hack ever,” they said in an email sent from the same address posted to the hacked Freedom Hosting II sites. “I just had the right idea.”

The hacker, who first compromised the service on January 30, told Vice that they found ten child pornography sites that had uploaded so much content that it accounted for nearly half of the total Freedom Hosting II files.

The security expert Chris Monteiro who analyzed some of the dumped data confirmed that archive includes .onion URLs hosting botnets, fraud sites, fetish websites hacked data, and of course child abuse websites.

The archive is full of private keys related to the dark web sites that could be used to impersonate them.

Below the step-by-step procedure followed by Anonymous to hack Freedom Hosting II.

1. create a new site or login to an old one
2. login and set sftp password
3. login via sftp and create a symlink to /
4. disable DirectoryIndex in .htaccess
5. enable mod_autoindex in .htaccess
6. disable php engine in .htaccess
7. add text/plain type for .php files in .htaccess
8. have fun browsing files
9. find /home/fhosting
10. look at the content of the index.php file in /home/fhosting/www/
11. find configuration in /home/fhosting/www/_lbs/config.php
12. copy paste database connection details to phpmyadmin login
13. find active users with shell access in /etc/passwd
14. look through the scripts and figure out how password resets work
15. manually trigger a sftp password reset for the user 'user'
16. connect via ssh
17. run 'sudo -i'
18. edit ssh config in /etc/ssh/sshd_config to allow root login
19. run 'passwd' to set root password
20. reconnect via ssh as root
21. enjoy

Stay Tuned.

[adrotate banner=”9″]adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Freedom Hosting II, Anonymous)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.