Hacker takes out dark web hosting service using well-known exploit
Freedom Hosting II allegedly was hosting child pornography sites, according to hacker
By Michael Kan
A hacker is proving that sites on the dark web, shrouded in anonymity, can easily be compromised.
On Friday, the unnamed hacker began dumping a sizable database stolen from Freedom Hosting II onto the internet, potentially exposing its users.
The hosting service, Freedom Hosting II, was known for operating thousands of sites that were accessible through the Tor browser; the “dark web” is essentially the encrypted network comprising Tor servers and browsers. But on Friday, the service appeared to be down. Its main landing page was replaced with a message saying that it had been hacked.
Allegedly, Freedom Hosting II had been hosting child pornography sites, though its anonymous operator claimed to have a zero-tolerance policy toward such content, according to the hacker behind the breach.
“What we found while searching through your server is more than 50% child porn…” the hacker wrote in the message left on the site. “Moreover, you host many scam sites, some of which are evidently run by yourself to cover hosting expenses.”
In an email to the IDG News Service, the hacker explained how the breach came about. “I just recently read an article about a well-known exploit that some hosting providers fell victims of many years ago,” the person said.
Freedom Hosting II worked as a free service that allowed anyone to sign up and create a site on the dark web. However, starting on Jan. 30, the hacker gained access to its web server, using a 20-step method.
The hack essentially involved starting a new site on Freedom Hosting II and creating a link to gain access to the service’s root directory. This allowed the hacker to browse the entire server.
“I was just curious at first,” the person said. “I had reading permissions to everything the web server could get access to just by creating a symlink to / (the root directory).”
After coming across child porn sites, the hacker decided to take over Freedom Hosting II by altering its configuration file to trigger a password reset.
“Once I found out what they were hosting, I just wanted to shut them down,” said the hacker, who’s also been circulating what he stole through a torrent file.
The dump includes 74GB of files and a 2.3GB database from the service, the hacker claims.
“The IP of the server has been leaked, which potentially could reveal the admin’s identity,” the hacker added.
Chris Monteiro, a cybercrime researcher based in the U.K., has been looking through the data dump, which he said appears to be real. The information includes the sites that Freedom Hosting II had been operating, along with the admin credentials to access them.
The dump also appears to contain a client database, meaning that anyone who used Freedom Hosting II might be exposed, Monteiro said.
“We’re going to see emails, usernames, all of which can be used by law enforcement for prosecution of people,” he said.
In addition, the dump contains forum posts from users mentioning sex with minors, the sale of hacked internet accounts, and files that reference botnets and online scamming.
Freedom Hosting II was the largest shared hosting service on the dark web, Monteiro said. It was specifically designed for users who wanted anonymous hosting, but who lacked the know-how to set it up, he said.
However, many of the sites hosted by the service were probably small. “I doubt we’ll find any large sites operating child porn,” he said of the data dump.
According to the hacker’s message, Freedom Hosting II was responsible for 10,613 sites. However, the database dump indicates that a vast majority of those sites had only a few dozen or hundreds of user visits.
Troy Hunt, a data breach expert, said in a tweet that he noticed the database dump contained 381,000 email addresses.
“Law enforcement will absolutely have this data, it’s very public. It also obviously has many real email addresses in it,” he tweeted.
Privacy researcher Sarah Jamie Lewis has also been researching Freedom Hosting II. In October, she wrote that the service had been hosting sites that sold counterfeit documents and stolen credit card numbers, in addition to those that operated as personal blogs and web forums.