• The hackers have deleted the root account of the server and Daniel Winzen will be able to re-enable the service only after the detection of the vulnerability.
  • The mail and XMPP service including the static content and the short link service hosted on Daniel’s Hosting Raspberry Pi 3 remain unaffected

Daniel’s Hosting, one of the largest providers of Dark Web hosting services, has been compromised and taken offline by hackers. The incident occurred on November 15, 2018, and has resulted in the loss of 6500 plus Dark Web services hosted on the platform.

The news was confirmed by Daniel Winzen, the founder of Daniel’s Hosting.

"On November 15th around 10-11 PM UTC, the hosting server got hacked. As per my analysis, it seems someone got access to the database and deleted all accounts" Winzen wrote on the DH website.

Winzen also declared that hackers have deleted the root account of the server and that there is no way to recover from the loss. The service cannot be re-enabled unless the vulnerability is detected.

“Noteworthy, also the account “root” has been deleted. To this day around 6500 Hidden Services were hosted on the server. There is no way to recover from this breach, all data is gone. I might re-enable the service once the vulnerability has been found, but right now I first need to find it, “said Winzen.

The investigation is on and Winzen is yet to get a full analysis report of the log files. However, based on their preliminary findings, it has been found that hackers have gained access to administrative database rights.

"As of now I haven't been able to do a full analysis of the log files and need to further analyze them, but based on my findings so far I believe that the hacker has only been able to gain administrative database rights. There is no indication of having had full system access and some accounts and files that were not part of the hosting setup were left untouched," Daniel told ZDNet.

According to Winzen, the hack was possible as the source code of Daniel’s Hosting was available as open-source on GitHub. This might have helped the attackers to find the zero-day flaws in order to further their attack process.

“The scripts are open source on GitHub and anyone is welcome to take it as a base to build a new hosting service or help find the vulnerability,” Winzen stated.

However, the mail and XMPP service including the static content and the short link service - that were hosted on Daniel’s Hosting Raspberry Pi 3 - remain unaffected. The chat service has been restored and other services are expected to be back online by December this year.

While the threat actor behind the hack is yet to be confirmed, Winzen explains that he has identified one flaw, named PHP zero-day vulnerability just a day before the hack.

"It is a vulnerability reported as a possible point of entry by a user and my setup was, in fact, vulnerable. However I would deem it as unlikely to have been the actual point of entry as the configuration files with database access details was read-only for the appropriate users and commands run by this vulnerability shouldn't have had the necessary permissions,” Winzen told ZDNet.

Dark-web hosting sites have been frequently targeted in the past because they host a copious amount of illegal content. Some of the better-known dark-web hacks include takedown of Freedom Hosting in 2013 and Freedom Hosting II in 2017.

Cyware Publisher