A hacker took over a dark web hosting provider by exploiting a “major security vulnerability” and thereby accessing a server.
On 8 July, an attacker calling themselves “Dhostpwned” set up a shared hosting account on the service offered by Deep Hosting. They used that account to upload two web shells to Deep Hosting’s servers: one written in PHP, the other in Perl.
Deep Hosting outlines what happened next in a wiki page entitled “Major Security Vulnerability.”
As quoted by Bleeping Computer:
“The Perl shell can not be executed on the server, but the PHP shell can be executed on the server. A large part of the PHP shell is unusable since a certain number of functions are blocked on the shared servers but one function was not blocked. The attacker was able to access the server and execute commands with limited rights.”
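The quoted explanation describes a partial function block list: most of PHP’s command-execution functions disabled, one left callable. The following audit script is an added example (not Deep Hosting’s configuration or code) that parses a php.ini `disable_functions` line and reports which execution-capable functions remain unblocked; the function list and the sample php.ini fragment are constructed.

```python
"""Audit a php.ini disable_functions directive against the set of PHP
functions that hand a string to the OS or spawn a process.

Added example for this article; not Deep Hosting's configuration.
The function list and SAMPLE_PHP_INI below are constructed."""
import re

# Functions that execute commands or spawn processes. Blocking most of
# them is not enough: a web shell only needs one that still works.
EXEC_FUNCTIONS = {
    "exec", "passthru", "shell_exec", "system",
    "proc_open", "popen", "pcntl_exec",
}

# Constructed php.ini fragment: a typical partial block list that
# leaves proc_open and pcntl_exec callable.
SAMPLE_PHP_INI = """
; constructed sample, not a real hosting config
memory_limit = 128M
disable_functions = exec, passthru, shell_exec, system, popen
"""


def parse_disabled(ini_text: str) -> set[str]:
    """Return the function names listed in disable_functions.
    PHP takes a comma-separated list, optionally quoted; names are
    case-insensitive, so they are normalised to lowercase."""
    disabled: set[str] = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.I)
        if not m:
            continue
        value = m.group(1).strip().strip("\"'")
        disabled |= {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def missing_exec_blocks(ini_text: str) -> set[str]:
    """Execution-capable functions still callable under this config."""
    return EXEC_FUNCTIONS - parse_disabled(ini_text)


if __name__ == "__main__":
    gaps = missing_exec_blocks(SAMPLE_PHP_INI)
    print("still callable:", sorted(gaps) if gaps else "none")
```

Run it against the php.ini (or per-vhost `php_admin_value` overrides) actually loaded by the shared server, since a hardened global file is irrelevant if a pool-level setting replaces it.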
Dhostpwned’s “limited rights” were apparently sufficient for the hacker to reach more than 90 websites managed by Deep Hosting. Among them were hacking forums, malware repositories, and drug marketplaces. One such marketplace, known as M.N.G Market, went down after the attacker uploaded a text file to the server’s public root and accidentally wiped the hard drive’s Master Boot Record (MBR).
The hacker put it plainly to Bleeping Computer in a private conversation:
“I hacked them. Their shared hosting was appauling [sic] in terms of security. I’ve got the majority of files hosted from the site, all of their sql dbs. [sic] There was an assassination network hosted on it but i didnt end up getting into that since it was a vps hosted by them and they didnt have any sort of panel to access the vps.”
According to Deep Hosting’s wiki page, it took the dark web hosting provider nearly a day to detect the intrusion, figure out what happened, and change passwords for all hosted sites (FTP and SQL). As a result of that response, most of the affected websites are now down.
At this time, Dhostpwned hasn’t overtly advertised for sale any of the information they stole in the attack.
There’s little known about the party responsible for the security incident. It’s difficult to evaluate the hacker’s level of technical expertise, for example, as the vulnerabilities they exploited weren’t exactly new. Ilia Kolochenko, CEO of web security vendor High-Tech Bridge, says such flaws affected legitimate hosting sites a decade ago. As quoted by Infosecurity Magazine:
“It’s a bit surprising to see them now on the dark web accompanied with a lack of security fundamentals and server hardening. Law enforcement agencies can probably explore the legality of offensive operations in the dark web in order to investigate and prevent amateur cybercrime. However, I doubt they will spot professional Black Hats. Experienced cyber mercenaries use very well-hidden infrastructure – often lawfully hosted in public clouds, such as AWS – and avoid any publicity on the dark web and its market places.”
News of this incident follows several years after Europol, the FBI, and others seized hundreds of dark web sites by targeting specific hosting companies as part of an international takedown known as “Operation Onymous.”