Darknet hoster Deep Hosting has claimed to have suffered a major security breach over the weekend which led to some of its customers’ data being compromised.
The hacker registered a shared account with the platform then used it to upload two shells to its servers, one in PHP and one written in Perl. The former was able to execute.
“A large part of the PHP shell is unusable since a certain number of functions are blocked on the shared servers but one function was not blocked,” Deep Hosting wrote in a wiki page seen by Bleeping Computer. “The attacker was able to access the server and execute a command with limited rights.”
After nearly 24 hours, the site admins worked out what had happened and decided to disable the PHP function in question, patch all hosted sites and change all of their FTP and SQL passwords.
Over 90 sites hosted by Deep Hosting appear to have been affected, including drugs marketplaces, malware repositories and carding forums.
“We believe that some sites have been exported,” the site reportedly admitted. “It is possible that the linked databases were also recovered.”
The hacker also managed to compromise other servers, accidentally wiping the Master Boot Record of one customer, according to the report.
Curiously, the attacker appears not to be interested in releasing or selling any of the data obtained in the hack.
Ilia Kolochenko, CEO of web security vendor High-Tech Bridge, argued that the vulnerabilities exploited by the hacker were popular on legitimate shared hosting sites a decade ago.
“It’s a bit surprising to see them now on the dark web accompanied with a lack of security fundamentals and server hardening. Law enforcement agencies can probably explore the legality of offensive operations in the dark web in order to investigate and prevent amateur cybercrime,” he added.
“However, I doubt they will spot professional Black Hats. Experienced cyber mercenaries use very well-hidden infrastructure – often lawfully hosted in public clouds, such as AWS – and avoid any publicity on the dark web and its market places.”
A Trend Micro report from March revealed that dark web players are continually under attack from rivals looking to disrupt their services.