Deep Hosting, a major darknet host on the Tor network, was hacked recently and data from some of the hidden sites and linked databases hosted on the server were exfiltrated. A hacker named Dhostpwned was able to take over the Deep Hosting servers by using a PHP shell and a Perl shell. The hacker registered for a shared hosting account on Deep Hosting and then uploaded the PHP shell and the Perl shell.
Deep Hosting has determined that the hacker was unsuccessful in executing the Perl shell, but was successful in executing the PHP shell. “A large part of the PHP shell is unusable since a certain number of functions are blocked on the shared servers but one function was not blocked. The attacker was able to access the server and execute a command with limited rights,” Deep Hosting announced on a page on their wiki. A day went by before the administrators of Deep Hosting realized the hack was occurring on their server. Once Deep Hosting realized they had been hacked and found the source of it, they changed passwords for all FTP and SQL services for all Deep Hosting user accounts.
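Deep Hosting's statement describes a function blocklist that left one function callable. The following is an added example, not Deep Hosting's code or configuration, that audits a php.ini `disable_functions` line for missing command-execution functions. It assumes the blocking was done with `disable_functions`; the sample ini, the function list and the helper names are constructed for illustration.

```python
import re

# PHP built-ins that start a process or shell. The page does not say which
# function Deep Hosting left enabled; this list is an assumption of the example.
COMMAND_EXEC = ("exec", "passthru", "shell_exec", "system",
                "popen", "proc_open", "pcntl_exec")

# Constructed php.ini fragment, not Deep Hosting's configuration.
SAMPLE_INI = """\
[PHP]
expose_php = Off
;disable_functions = exec,passthru,shell_exec,system,popen,proc_open,pcntl_exec
disable_functions = "exec, passthru ,shell_exec,system,popen,pcntl_exec"
"""

DIRECTIVE = re.compile(r"^\s*disable_functions\s*=\s*(.*)$")


def disabled_functions(ini_text):
    """Return the set named by the last active disable_functions line.

    Lines starting with ';' are comments. Taking the last definition as the
    effective one is an assumption of this example.
    """
    value = None
    for line in ini_text.splitlines():
        match = DIRECTIVE.match(line)
        if match:
            value = match.group(1)
    if value is None:
        return set()
    value = value.split(";", 1)[0].strip().strip("\"'")
    return {name.strip() for name in value.split(",") if name.strip()}


def blocklist_gaps(ini_text, required=COMMAND_EXEC):
    """List required functions the blocklist does not name, exactly as written.

    Names are compared verbatim, so a misspelled or mis-cased entry counts as
    a gap (the conservative result).
    """
    disabled = disabled_functions(ini_text)
    return [name for name in required if name not in disabled]


if __name__ == "__main__":
    for name in blocklist_gaps(SAMPLE_INI):
        print(f"not blocked: {name}")
```

A blocklist only covers the names someone remembered to list, so an audit like this belongs alongside per-account process isolation rather than in place of it.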
Dhostpwned told Bleeping Computer that he had stolen 91 hidden sites from Deep Hosting’s servers. A majority of those 91 hidden sites are currently down, having gone offline when Deep Hosting changed passwords for all SQL services. The 91 hidden sites that were affected by, and knocked offline by, the hack included hacking forums, drug marketplaces, carding markets, and malware repos. Dhostpwned also told Bleeping Computer that Deep Hosting’s shared hosting services had appalling security.
One of the 91 hidden sites to go down from the hack was the MNG darknet market. The MNG market hosts listings for a variety of illicit products. MNG market used a Virtual Private Server (VPS) hosted by Deep Hosting. According to Dhostpwned, the administrators of MNG market had forgotten to change the default password for their VPS box. The hacker uploaded a text file named kek.txt, the contents of which said “gg -deephosting security is shit”. Not long after the hacker posted the text file taunting Deep Hosting and their poor security, that server also went down. Dhostpwned claimed that he “accidentally” wiped the master boot record for MNG market’s server.
Dhostpwned has not released a dump of any of Deep Hosting’s files, nor of the files of Deep Hosting’s users. The hacker claims he has no intention of releasing a dump in the future either. This of course is not the first time a major darknet hidden services host has been hacked, taking down a large number of hidden sites. In 2011 hackers took down Freedom Hosting, and in 2013 a group of hackers associated with the hacker group Anonymous took down Freedom Hosting II. The hacking of Freedom Hosting II brought down what at the time was 15-20% of all of the hidden sites hosted on the Tor network.
The Anonymous hackers claimed that over half of the sites being hosted by Freedom Hosting II were serving child pornography, despite Freedom Hosting II’s proclaimed policy of having zero tolerance for child pornography. The hackers released a torrent of a database dump from Freedom Hosting II. The hackers believe that Freedom Hosting II was being run by one person. The hackers who took down Freedom Hosting II also believe that this one person was well aware of the child pornography being hosted on their servers, since many of the sites hosting child pornography exceeded the quota of disk space for free hosting, and would have been from paid hosting accounts.
Below is a list of the 91 hidden sites affected by the Deep Hosting hack: