Hackers Destroy Germany-Based Daniel’s Hosting

Last week, Daniel’s Hosting, one of the Dark Web’s most popular hosting services, was utterly destroyed by a cyber attack resulting in over 6,500 onion sites getting deleted. The leading admin, Daniel Winzen, told sources that Daniel’s Hosting is finished for good, adding that they haven’t even gotten close to discovering the vulnerability exploited by the attackers.

Winzen, a German software developer and (as the name suggests) the owner of Daniel’s Hosting, is the one who acknowledged that the hosting provider’s portal had been attacked on Thursday night, the day after the PHP zero-day exploit leak.

Winzen also said that service could very likely be back up and running by December of but was not able to give a specific date. He also added that the “root” account had even been deleted, including data belonging to an estimated 6,500 Dark Web sites. Winzen told ZDNet that by design there are no backups for this type of operation – for obvious reasons.

There is no way to recover from this breach, all data is gone. I will re-enable the service once the vulnerability has been found, but right now I first need to find it.

Three critical zero-day vulnerabilities have been discovered in PHP 7 that could allow an attacker to take complete control over 80 percent of websites which run on the latest version of the popular web programming language.

Last week, Winzen said he wanted to prioritize doing a complete analysis of the server’s log files. By the start of this past week, he had figured out that the hacker(s) gained administrative database rights. However, evidence shows they never got full system access. Winzen noticed that a few accounts and their files, which were separate from the part of the hosting setup that was successfully attacked, had been left intact.

Other than the root account, no accounts unrelated to the hosting were touched and unrelated files in /home/ weren’t touched either. As of now there is no indication of further system access and I would classify this as a “database only” breach, with no direct access to the system. From the logs it is evident that both adminer and phpmyadmin have been used to run queries on the database.
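Winzen’s “database only” conclusion rests on web-server logs showing adminer and phpMyAdmin sessions. As an added, defender-side illustration (not from the original article and not Daniel’s Hosting’s own tooling), this Python snippet parses constructed Apache-style access-log lines and summarises, per client IP, the requests that reached either database console, which is the kind of evidence such a classification is built on.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" access-log lines, not real Daniel's Hosting logs.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Nov/2018:22:01:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Nov/2018:22:03:11 +0000] "GET /adminer.php HTTP/1.1" 200 8840 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Nov/2018:22:03:19 +0000] "POST /adminer.php?username=root HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Nov/2018:22:04:02 +0000] "POST /adminer.php?username=root&sql= HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Nov/2018:22:05:40 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 6200 "-" "curl/7.61.0"
10.0.0.7 - - [15/Nov/2018:22:06:13 +0000] "GET /chat/ HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Request paths that reveal use of a web-based database console (adminer, phpMyAdmin).
DB_CONSOLE_RE = re.compile(r'/(adminer(?:-[\w.]+)?\.php|phpmyadmin/)', re.IGNORECASE)

def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def db_console_activity(log_text):
    """Group DB-console requests by client IP and summarise each client's session."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and DB_CONSOLE_RE.search(rec["path"]):
            hits[rec["ip"]].append(rec)
    summary = {}
    for ip, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        summary[ip] = {
            "requests": len(recs),
            "posts": sum(1 for r in recs if r["method"] == "POST"),
            "tools": sorted({DB_CONSOLE_RE.search(r["path"]).group(1).lower() for r in recs}),
            "first": recs[0]["ts"].isoformat(),
            "last": recs[-1]["ts"].isoformat(),
        }
    return summary
```

Clients that never touch a console path (10.0.0.7 here) are absent from the summary, so what remains is the set of sessions worth correlating with database audit logs.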

Though No One Likes Being Hacked, It’s Not As Bad As It Seems

According to Dark Owl, when the attacker(s) took out Daniel’s Hosting, they erased over 30% of the operational and active hidden services across Tor and the Invisible Internet Project (I2P) – an anonymous network layer that allows for censorship-resistant, peer-to-peer communication. ZDNet’s Catalin Cimpanu tweeted on Monday night that this pretty much matched his own calculations.

The attacker(s) also deleted over six million documents that DarkOwl – a provider of darknet content and tools, as well as cybersecurity defenses – had archived on the Dark Net.

This is what the world lost when Daniel’s Hosting went belly-up, Dark Owl says:

  • 657 of the hidden services had the title “Site Hosted by Daniel’s Hosting Service” and little else (but may have been used for something other than serving web content).
  • Most (over 4900) were in English, 54 were in Russian and two of the oldest were in Portuguese.
  • 457 of the hidden services contain content related to hacking and/or malware development.
  • 304 have been classified as forums.
  • 148 of them are chatrooms.
  • 136 include drug-specific keywords.
  • 109 contain counterfeit-related content.
  • 54 specifically mention carding-specific information.
  • Over 20 contain content including weapons and explosive-related keywords.

For better or worse, the takedown of Daniel’s Hosting means that a “pillar of the darknet community” that’s served up a chatroom and online-link list for years, free of charge, has been demolished, Dark Owl says.

For example, his online-link list is referenced by nearly 500 other hidden services, making it the second most commonly referred to directory listing (behind Fresh Onions) and providing a foundational starting point for new users navigating Tor.

Dark Owl has some theories about who could have been behind the attack. It could have been Russian hackers, who’ve recently outlined the technical details of exploiting PHP’s imap_open() function to extract password hashes for privileged accounts, as an alternative to brute-force mining.

Then again, it could have been anybody who’s against easy posting and sharing of child abuse images. Dark Owl reports that Winzen, back in 2016, made life easier for people to share such images on Tor without potentially exposing their identities:

As a result, Daniel’s LE-Chat code became a popular platform for the darknet pedophilia community, and the home for many well-known Child Pornography sharing chatrooms such as Tabooless, Camp Fire, and Child Priori.

There are also theories about the portal being taken down by law enforcement. For one thing, a chatroom, Daniel’s Chat, quietly resurfaced on Saturday, but it lacked the member database and credentials that had enabled users to verify chat participants’ identities.

Or perhaps Daniel had been arrested, and it’s not even really him who’s posting on the site and sending email to news outlets? As it is, the provider’s hidden services experienced what Dark Owl said was “extreme” distributed denial of service (DDoS) attacks leading up to the attack, “similar to other law enforcement-led darknet seizure operations.”

Those are just some of the theories.

The attack shows how surprisingly centralized the Dark Web really is, and that there are no ironclad promises that its potent anonymity features will shield you.

Whether it’s law enforcement catching drug dealers with a fake Bitcoin exchange or simple misconfigurations that expose server IP addresses, you have to take heed: just because you’re using Tor doesn’t necessarily mean you’re safe, whether you’re a criminal or somebody seeking anonymity for noncriminal reasons.