Popular Dark Web Hosting Provider Hacked, Many Sites Hit

Thousands of websites were impacted when Daniel’s Hosting, the prominent Dark Web hosting provider was hacked recently.

As per reports, Daniel’s Hosting was hacked this week and taken offline, which led to over 6,500 websites being impacted. The websites are all down and all data has been lost in the breach that happened on November 15.

Daniel Winzen, who runs Daniel’s Hosting, posted a statement on the DH portal, which reads, “On November 15th around 10:06 PM UTC the hosting server was logged in to via phpmyadmin and adminer with the correct hosting management password and deleted all accounts. Noteworthy, also the account “root” has been deleted, which was injected into the database at 10:53 PM UTC and deleted at 12:50 AM, shortly after remaining databases from the chat, link list and hit counter got deleted.”

The statement further says, “Unfortunately it is not possible to find the root cause by log analysis as on 14th at 5:33 the database had already been accessed with this user and it is unknown for how long the hackers may have had access to the database due to rotating logs frequently. However, the database password was last updated on October 20th, which indicates that the hack must have happened within the last month.”

Winzen states that around 6500 Hidden Services were hosted on the Daniel’s Hosting server and that all data is gone as there is no way to recover from the breach.

His statement further reads, “I will re-enable the service once the vulnerability has been found, but right now I first need to find it. Most likely in December the service will be back up.”

Post the breach, Winzen has been looking at all possible vulnerabilities and trying to find out how the hackers might have accessed his server. He has reportedly identified a flaw, a PHP zero-day vulnerability, details of which were already known, for almost a month in the Russian PHP programming circles. Daniel Winzen, however, believes that this flaw might not be the hackers entry point, though the flaw had gained attention among the wider programming and infosec communities on November 14, the day before the hack happened.

A ZDNet report dated November 17, 2018 quotes Daniel Winzen as saying- “It is a vulnerability reported as a possible point of entry by a user and my setup was, in fact, vulnerable. However, I would deem it as unlikely to have been the actual point of entry as the configuration files with database access details were read-only for the appropriate users and commands run by this vulnerability shouldn’t have had the necessary permissions.”
Winzen reportedly believes that the hackers have only gained administrative rights; he has reportedly stated that there are no indications that they have had full system access.

Till the service is back, Daniel Winzen would be posting updates on the DH portal as and when the investigation progresses. Winzen hopes to take the hack as an opportunity to start afresh with a new, improved setup.

Daniel’s Hosting has all sorts of clients; the service has been used to host political blogs, malware operations etc. Hence the hackers could either be nation-state hackers or rival cybercrime gangs, as per reports.

The ZDNet report makes a notable inference; it reads, “The hack might have also been facilitated by the fact that the DH service’s source code has always been open-sourced on GitHub and might have provided attackers with a more broad look into the service’s inner guts.”

“Investigation is continuing. Not affected are the mail and XMPP service, as well as the static content and the short-link service, which were hosted on my Raspberry Pi 3. The chat is restored with a fresh installation and other services will be back up soon. I expect to get the hosting back up in December,” says Daniel Winzen’s official statement.