Pierluigi Paganini February 05, 2017

The group of hacktivists Anonymous hacked the popular Freedom Hosting II Dark Web hosting provider, a fifth of the .onion websites is down.

The collective Anonymous is back, this time the hacker groups breached Freedom Hosting II, a popular Dark Web hosting provider.

After the closure of the original Freedom Hosting, Freedom Hosting II (FHII) become one of the largest onion web hosting providers, it is offering free space to any user who signs up for an account.

Anonymous targeted the popular Tor hosting provider because it was providing its services to a large number of websites sharing child pornography image.

The cyber attack was first spotted by Sarah Jamie Lewis, a privacy researcher at mascherari.press, who noticed the mass defacement during a regular scan of the Tor network.

Looks like Freedom Hosting II got pwned. They hosted close to 20% of all dark web sites (previous @OnionScan report) https://t.co/JOLXFJQXiH

— Sarah Jamie Lewis (@SarahJamieLewis) February 3, 2017

Since OnionScan started in April, Sarah Jamie Lewis and her team have observed FHII hosting between 1500 and 2000 services or about 15-20% of the total number of active sites in our scanning lists (data related to the last report published in October).

Back to the present, 10,613 .onion sites have taken down as a result of the Freedom Hosting II hack, all sites have been defaced with the following image. As you can see, the Anonymous message also includes a list of hacked websites.

Source Bleepingcomputer.com

Below the message published by Anonymous

“Hello Freedom Hosting II, you have been hacked

We are disappointed… This is an excerpt from your front page ‘We have a zero tolerance policy to child pornography.’ – but what we found while searching through your server is more than 50% child porn…

Moreover you host many scam sites, some of which are evidently run by yourself to cover hosting expenses.

All your files have been copied and your database has been dumped. (74GB of files and 2.3GB of database)

Up to January 31st you were hosting 10613 sites. Private keys are included in the dump. Show full list

We are Anonymous. We do not forgive. We do not forget. You should have expected us.

Thanks for your patience, you don’t have to buy data we made a torrent of the database dump download here

Here another torrernt with all system files (excluding user data) download

You may still donate BTC to 14iCDyeCSp12AmhVfJGxtrzXDabFop4QtU and support us.

If you need to get in contact with us, our mail is fhosting@sigaint.org

We repeatedly get asked how we got into the system. It was surprisingly easy. Here is how we did it: HOW TO HACK FH2“

Further analysis revealed that the attackers received at least two payments in their Bitcoin wallet, but they opted to publicly leak the data dump via torrent files.

Watch out, the 2.3 GB dump may contain disturbing images, don’t download the archive if you don’t need it. Anonymous claims to have downloaded 74GB of files.

Joseph cox from Motherboard interviewed one of the Anonymous hackers involved in the attack who explained this was his first hack ever, and he did not plan to take down all websites hosted on Freedom Hosting II.

“On Saturday, the hacker claiming responsibility told me in more detail how and why they took down the service.” wrote Cox.

“This is in fact my first hack ever,” they said in an email sent from the same address posted to the hacked Freedom Hosting II sites. “I just had the right idea.”

The hacker, who first compromised the service on January 30, told Vice that they found ten child pornography sites that had uploaded so much content that it accounted for nearly half of the total Freedom Hosting II files.

The security expert Chris Monteiro who analyzed some of the dumped data confirmed that archive includes .onion URLs hosting botnets, fraud sites, fetish websites hacked data, and of course child abuse websites.

The archive is full of private keys related to the dark web sites that could be used to impersonate them.

It's hungry work combing through these leaked databases pic.twitter.com/A6Dstu52No

— dekushrub@infosec.exchange (@Deku_shrub) February 3, 2017

Did you know you can access the WWE from the hacked accounts on the darknet? Am disappointed at the lack of John Cena references pic.twitter.com/It3TKWjd5q

— dekushrub@infosec.exchange (@Deku_shrub) February 3, 2017

Looks like some botnets will have been knocked out in the Freedom Hosting II hack too pic.twitter.com/UaVOiFSrr3

— dekushrub@infosec.exchange (@Deku_shrub) February 3, 2017

Below the step-by-step procedure followed by Anonymous to hack Freedom Hosting II.

1. create a new site or login to an old one
2. login and set sftp password
3. login via sftp and create a symlink to /
4. disable DirectoryIndex in .htaccess
5. enable mod_autoindex in .htaccess
6. disable php engine in .htaccess
7. add text/plain type for .php files in .htaccess
8. have fun browsing files
9. find /home/fhosting
10. look at the content of the index.php file in /home/fhosting/www/
11. find configuration in /home/fhosting/www/_lbs/config.php
12. copy paste database connection details to phpmyadmin login
13. find active users with shell access in /etc/passwd
14. look through the scripts and figure out how password resets work
15. manually trigger a sftp password reset for the user 'user'
16. connect via ssh
17. run 'sudo -i'
18. edit ssh config in /etc/ssh/sshd_config to allow root login
19. run 'passwd' to set root password
20. reconnect via ssh as root
21. enjoy

Stay Tuned.

[adrotate banner=”9″]adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Freedom Hosting II, Anonymous)