6,500+ sites deleted after Dark Web hosting provider Daniel’s Hosting hack

On Thursday, November 15, hackers compromised Daniel’s Hosting, one of the largest Dark Web hosting provider, and deleted 6,500+ sites.

On Thursday, November 15, hackers compromised Daniel’s Hosting, one of the largest Dark Web hosting provider. The news was confirmed by Daniel Winzen, the software developer behind the hosting service.

Daniel’s Hosting became the largest Dark Web hosting provider earlier 2017 when Anonymous members breached and took down Freedom Hosting II.

More than 6500 Dark Web services hosted on the platform were completely deleted and the bad news is that it is not possible to recover them because there are no backups as per design choice of the operator.

Winzen explained that hackers breached into Daniel’s Hosting database and deleted all data. The attackers exploited a PHP zero-day exploit leaked just a day before the hack and that was already fixed in db626a54a4f5, but likely attackers used other flaws.

“On November 15th around 10-11 PM UTC the hosting server got hacked. As per my analysis it seems someone got access to the database and deleted all accounts.” Winzen wrote on the DH website today.

“Noteworthy, also the account “root” has been deleted. To this day around 6500 Hidden Services were hosted on the server. There is no way to recover from this breach, all data is gone. I might re-enable the service once the vulnerability has been found, but right now I first need to find it.”

Winzen his assessing the platform searching for vulnerabilities that attackers might have exploited to compromise the server.

“As of now I haven’t been able to do a full analysis of the log files and need to further analyze them, but based on my findings so far I believe that the hacker has only been able to gain administrative database rights. There is no indication of having had full system access and some accounts and files that were not part of the hosting setup were left untouched,” Winzen told ZDNet.

“I might re-enable the service once the vulnerability has been found, but right now I first need to find it.”

The source code of Daniel’s Hosting platform has been available as open-source on GitHub, a circumstance that might have helped the attackers in review the code and find zero-day flaws to exploit.

Who is the culprit?

It is very hard to attribute the attack to specific threat actors, cybercrime syndicates, nation-state hackers, intelligence, and law enforcement agencies are all possible suspects with valid motivations.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Securi ty Affairs – Daniel’s Hosting, dark web)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.