One of the most popular Dark Web hosting services – Daniel’s Hosting – was slaughtered last week when attackers hosed it clean of about 6,500 hidden services. The admin says they’re gone for good: he hasn’t even figured out where the vulnerability is yet.
The administrator at Daniel’s Hosting is a German software developer named Daniel Winzen, who acknowledged the attack on the hosting provider’s portal. Winzen said that it happened on Thursday night, a day after a PHP zero-day exploit was leaked.
There is no way to recover from this breach, all data is gone. I will re-enable the service once the vulnerability has been found, but right now I first need to find it.
Forget it. This is the Dark Web.
Winzen told ZDNet that there ain’t no such thing as backups on Daniel’s Hosting, by design:
Unfortunately, all data is lost and per design, there are no backups.
As of last week, Winzen said his priority was to do a full analysis of the log files. He had determined that the attacker(s) had gained administrative database rights, but it’s looking like they didn’t get full system access. Some accounts and files that weren’t part of the hosting setup were left “untouched,” he said.
Other than the root account, no accounts unrelated to the hosting were touched and unrelated files in /home/ weren’t touched either. As of now there is no indication of further system access and I would classify this as a “database only” breach, with no direct access to the system. From the logs it is evident that both adminer and phpmyadmin have been used to run queries on the database.