Naked Security Naked Security

Thousands of Dark Web sites deleted in attack on free hosting service

It's the second time that the popular Daniel's Hosting platform was attacked in 16 months. This time, 7,600 Dark Web sites were obliterated.

One of the most popular Dark Web hosting services, Daniel’s Hosting (DH), has been slaughtered. Again.
Daniel Wizen, the German software developer who runs DH, said that this time, the provider of free hosting services is kaput… at least for the foreseeable future… which he also said, more or less, last time, in September 2018, when hackers rubbed 6,500 sites off the Dark Web in one fell swoop.
Wizen acknowledged the attack in a post on the hosting provider’s portal, saying that the recent attack happened last Tuesday – 10 March – during the small hours. At least, that’s when all databases associated with hosting Dark Web sites were deleted.
DarkOwl – a darknet intelligence, tools, and cybersecurity outfit that keeps an eye on DH and other Dark Web goings-on and which analyzed the September 2018 breach – spotted Wizen’s post and shared it on Twitter on 10 March. That’s the same day that Wizen says his hosting database got knocked out.
As Wizen tells it, he found that a new database had been created that had user permissions. He can’t do much with that, though: without his hosting database, he can’t figure out who they are and how they got full permissions on the platform.


According to ZDNet, the attack took down 7,600 sites. Wizen says he’s not entirely sure when it happened, nor who did it. If anybody has ideas about what vulnerability might have led to the attack, or ideas for future versions or feature requests, he’s invited them to share input on his open source project.
Wizen also invited supporters to chip in to help out his efforts: invitations that suggest that he’ll likely resurrect the hosting provider at some point. At this point, he’s fed up, he says. He gives freely of his time, which adds on to his full-time job. It’s time-consuming, he said, particularly given the work it takes to “keep the server clean from illegal and scammy sites.”

I spend 10 times more time on deleting accounts than I can find time to continue development. At this time I do not plan on continuing the hosting project, but this doesn’t have to be the end.

How clean are the servers at Daniel’s Hosting? When DarkOwl analyzed the demolished sites at the time of the 2018 attack, its analysts found that out of 6,500 sites, the world lost the following – not all of which are what you’d call “I’d eat from that plate” clean:

  • 657 of the hidden services had the title “Site Hosted by Daniel’s Hosting Service” and little else (but may have been used for something other than serving web content).
  • 457 of the hidden services contain content related to hacking and/or malware development.
  • 304 were classified as forums.
  • 148 were chatrooms.
  • 136 included drug-specific keywords.
  • 109 contained content related to counterfeiting.
  • 54 specifically mentioned carding information.
  • Over 20 referred to weapons and explosives.

DarkOwl says stay tuned: it’s now preparing an analysis of what the Dark Web lost from last week’s attack on DH.
Of course, not all sites on the Dark Web are devoted to illegal activity. Some are there for the privacy-minded, and/or for those living in areas of tight government censorship and repression.
According to ZDNet, by design, the hosting service doesn’t keep backups. Wizen thinks that the attack only affected the backend database account, not the accounts of users who had been hosting sites on his platform. Still, he said, users should “treat all data as leaked” and change their passwords if they reuse them on other sites. Which, of course, underscores the fact that none of us should be reusing passwords, be we political dissidents or whether we’re up to more unsavory activity (though we have a tough time feeling sympathy for the latter if their credentials get hacked).
Better safe than sorry, Wizen says – particularly given that he hasn’t had much time to figure out what, exactly, happened:

[As] I am currently very busy with my day-to-day life and other projects, I decided to not spend too much time investigating.


Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.