Anonymous hackers have breached Freedom Hosting II, a popular Dark Web hosting provider, and have taken down 10,613 .onion sites.
Since all websites were interconnected by Freedom Hosting II’s underlying infrastructure, all sites have been defaced with the same message, as portrayed below:
Sarah Jamie Lewis, an anonymity & privacy researcher for mascherari.press, was first to spot the mass defacement as part of her regular scans of the Onion space (term used to describe Dark Web portals running on the Tor network).
In the defacement message, the Anonymous hackers also left a list of all hacked websites. We’ve reproduced the full list here.
This is the latest version of the defacement message:
Hello Freedom Hosting II, you have been hacked
We are disappointed… This is an excerpt from your front page ‘We have a zero tolerance policy to child pornography.’ – but what we found while searching through your server is more than 50% child porn…
Moreover you host many scam sites, some of which are evidently run by yourself to cover hosting expenses.
All your files have been copied and your database has been dumped. (74GB of files and 2.3GB of database)
Up to January 31st you were hosting 10613 sites. Private keys are included in the dump. Show full list
We are Anonymous. We do not forgive. We do not forget. You should have expected us.
Thanks for your patience, you don’t have to buy data 😉 we made a torrent of the database dump download here
Here another torrernt with all system files (excluding user data) download
You may still donate BTC to 14iCDyeCSp12AmhVfJGxtrzXDabFop4QtU and support us.
If you need to get in contact with us, our mail is firstname.lastname@example.org
We repeatedly get asked how we got into the system. It was surprisingly easy. Here is how we did it: HOW TO HACK FH2
Edit: couldn’t reply to clearnet – new mail
Edit2: database dump added
Edit3: added instructions on how we got into the system
Edit4: system files added
According to the above message, the hackers claim to have found massive troves of child pornography imagery hosted on the company’s servers.
It appears that initially, the hackers featured a different defacement message, one that asked Freedom Hosting II to pay 0.1 Bitcoin (~$200) in order to recover their data, as per this The Verge article.
Despite the hackers receiving two payments in their Bitcoin wallet, they later decided to dump the data publicly, which is now available for download as torrent files. Since some of the files contain sensitive images, we removed the download links from the defacement message above.
Hackers dump 75GB of data
The hackers claim to have downloaded 74GB of files and a database dump of 2.3GB.
In an interview with Vice, one of the Anonymous hackers said this was his first hack ever, and he never intended to take down all of the hosting provider customer sites.
He says he took this step after finding files related to child pornography. What angered the hackers was the fact that these child pornography portals had gone well over the standard Freedom Hosting II free quota, meaning the hosting company knew and profited off these sites.
The hacker told Vice that they found ten such sites, which had uploaded so much content that it accounted for nearly half of the total Freedom Hosting II files. Freedom Hosting II offers free web hosting for Dark Web sites for up to 256MB.
Hacked data contains all you expected
Security researcher Chris Monteiro has analyzed some of the dumped data. He says he discovered .onion URLs hosting botnets, fraud sites, sites peddling hacked data, weird fetish portals, more weird stuff, and child abuse websites targeting both English and Russian speaking buyers [NSFW links].
The group later also published a step-by-step explanation on how they hacked the Dark Web hosting provider.
here is how we did it:
1. create a new site or login to an old one
2. login and set sftp password
3. login via sftp and create a symlink to /
4. disable DirectoryIndex in .htaccess
5. enable mod_autoindex in .htaccess
6. disable php engine in .htaccess
7. add text/plain type for .php files in .htaccess
8. have fun browsing files
9. find /home/fhosting
10. look at the content of the index.php file in /home/fhosting/www/
11. find configuration in /home/fhosting/www/_lbs/config.php
12. copy paste database connection details to phpmyadmin login
13. find active users with shell access in /etc/passwd
14. look through the scripts and figure out how password resets work
15. manually trigger a sftp password reset for the user 'user'
16. connect via ssh
17. run 'sudo -i'
18. edit ssh config in /etc/ssh/sshd_config to allow root login
19. run 'passwd' to set root password
20. reconnect via ssh as root
According to a report from October 2016, Lewis said that Freedom Hosting II hosted a fifth of all Dark Web URLs.
FBI dismantled first Freedom Hosting for the same reasons
The first and original Freedom Hosting was also hacked and DDoSed by Anonymous in 2011, as part of Operation Darknet, for the same reasons of hosting child pornography portals.
In 2013, the FBI used a misconfiguration in the Tor Browser setup to identify visitors to these sites. The FB later took down the service and arrested its employees. At that time, the first Freedom Hosting hosted around half of all Dark Web URLs.