Last week, one of the most popular Dark Web hosting services, Daniel's Hosting, was attacked using a PHP zero-day exploit. The result: every hosting account, including the server's "root" account, was deleted, and all 6,500+ Dark Web services hosted on the platform are gone.

Daniel noted on the website that "the hosting server was logged in to via phpmyadmin and adminer with the correct hosting management password and deleted all accounts. Noteworthy, also the account 'root' has been deleted, which was injected into the database at 10:53 PM UTC and deleted at 12:50 AM, shortly after remaining databases from the chat, link list and hit counter got deleted."

The service could not determine the root cause through log analysis: the database had already been accessed with this legitimate management user, and because logs were rotated frequently it is unknown how long the attackers may have had access to the database.

Until the attack, around 6,500 hidden services were hosted on the server. There is no way to recover from this breach; all data is gone.

The service kept no backups by design, so data that is lost is lost for good. According to DarkOwl ("Daniel of the Dark Net goes dark!"), over 30% of the operational and active hidden services across Tor and I2P disappeared with the hack of Daniel's Hosting, and over 6 million documents archived in DarkOwl Vision are no longer available on the darknet.

A fix has been posted for the phpMyAdmin side of the problem; however, the underlying PHP bug, "Bypassing disabled exec functions in PHP via imap_open", is still unpatched. The point of that bug is that disable_functions only blocks calls to the listed PHP functions, while imap_open() hands the user-supplied mailbox string to the IMAP c-client library, which can end up running a command outside of PHP's exec-style functions.

OWASP publishes a list of PHP functions that should be left disabled unless needed, but it does not yet include imap_open.
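Because the imap_open bypass and the OWASP disable list both come down to what is actually in a server's disable_functions directive, a quick audit of php.ini against a hardening baseline is the check a practitioner would want. The script below is an added example and is not code from the article, from Daniel's Hosting, or from OWASP. The baseline set of function names is an assumption modelled on the kind of exec-style functions such lists usually contain, with imap_open added on top; the php.ini fragments are constructed for the example.

```python
"""Audit a php.ini's disable_functions directive against a hardening baseline.

Added example, not part of the original article. BASELINE is an assumed list
modelled on commonly cited PHP hardening guidance; imap_open is added because
the disable_functions mechanism is exactly what the imap_open bypass sidesteps
(the command runs inside the IMAP c-client library, not through exec()).
"""
import re

# Assumed baseline of dangerous functions to disable unless needed.
BASELINE = {
    "exec", "passthru", "shell_exec", "system", "proc_open", "popen",
    "pcntl_exec", "dl",
}
# The function the article notes is missing from the published list.
EXTRA = {"imap_open"}
REQUIRED = BASELINE | EXTRA

_DIRECTIVE = re.compile(r"^\s*disable_functions\s*=\s*(.*)$")


def _strip_comment(line):
    """Drop an inline ';' comment (php.ini comment syntax).

    A fully commented-out directive (';disable_functions = ...') becomes an
    empty string and is therefore ignored by the caller.
    """
    return line.split(";", 1)[0]


def parse_disable_functions(ini_text):
    """Return the set of function names disabled in the given php.ini text.

    If the directive appears more than once, the later occurrence overrides
    the earlier one, mirroring how PHP applies repeated ini directives.
    Names are lower-cased because PHP function names are case-insensitive.
    """
    disabled = set()
    for raw in ini_text.splitlines():
        m = _DIRECTIVE.match(_strip_comment(raw))
        if not m:
            continue
        value = m.group(1).strip().strip("\"'")
        disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def missing_functions(ini_text, required=REQUIRED):
    """Return, sorted, the required functions the ini text fails to disable."""
    return sorted(required - parse_disable_functions(ini_text))


# Constructed sample php.ini fragments, not taken from any real host.
WEAK_INI = """\
; Looks hardened, but imap_open is still callable
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,dl
expose_php = Off
"""

HARDENED_INI = """\
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,dl,imap_open  ; imap_open added
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{name}: missing {missing_functions(text) or 'nothing'}")
```

Run it against the php.ini (or php-fpm pool file) that the web server actually loads; disable_functions cannot be changed at runtime from a script, so the file is the only place the control lives. Note that disabling imap_open only helps applications that do not need IMAP; where the function is required, the mailbox string must not be built from untrusted input.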
