Freedom Hosting II Hacked: 10,613 .onion Sites are Down
A fifth of the Dark Web is down
The Anonymous hacktivist collective hacked the popular Dark Web hosting provider Freedom Hosting II. Roughly 10,613 .onion sites relying on the service have been taken down.
After the closure of the first Freedom Hosting, Freedom Hosting II (FHII) became one of the largest onion web hosting providers; it offers free space to any user who signs up for an account.
FHII hosts every kind of illegal content and services, including bitcoin scams, black markets offering hacking tools, malware, counterfeit documents and many other illegal products.
Members of the collective hacked Freedom Hosting II because it was hosting a large number of websites sharing child pornography images.
Law enforcement is aware that many websites hosted on the dark web are facilitators and aggregators of communities of pedophiles, and hosting providers have to monitor the content of the websites they support carefully.
The news of the mass defacement was first reported by the privacy researcher Sarah Jamie Lewis of mascherari.press, who periodically analyzes the hidden services deployed on the Tor network. Lewis and her team noticed the defacement during a regular OnionScan sweep of the Tor network.
Figure 1 - Sarah Jamie Lewis reported the Freedom Hosting II hack
Since OnionScan started in April, Sarah Jamie Lewis and her team have observed FHII hosting between 1500 and 2000 services or about 15-20% of the total number of active sites in our scanning lists (data related to the last report published in October).
Below are some of the categories of hidden services hosted by Freedom Hosting II, as listed in that report:
- Several Personal Blogs and Websites.
- Over 100 Double/Triple/100x/Ponzi Bitcoin Scams - in fact, as far as we can tell, nearly every single one of these sites is hosted by FHII.
- Over 1000 Carding and Counterfeit Sites.
- Multiple Bitcoin Escrow and Wallet sites.
- A handful of Forums relating to Hacking and other topics.
- At least 600 "Site Hosted by Freedom Hosting II" default instances.
Now, as a result of the attack against the popular dark web hosting provider, 10,613 .onion sites have been taken down; all of them were defaced with the following page. As you can see, the Anonymous message also includes a list of the hacked websites.
Figure 2 - List of hacked websites hosted on FHII (Source Bleepingcomputer.com)
Below is the message published by Anonymous:
"Hello Freedom Hosting II, you have been hacked
We are disappointed... This is an excerpt from your front page 'We have a zero tolerance policy to child pornography.' - but what we found while searching through your server is more than 50% child porn...
Moreover you host many scam sites, some of which are evidently run by yourself to cover hosting expenses.
All your files have been copied and your database has been dumped. (74GB of files and 2.3GB of database)
Up to January 31st you were hosting 10613 sites. Private keys are included in the dump. Show full list
We are Anonymous. We do not forgive. We do not forget. You should have expected us.
Thanks for your patience, you don't have to buy data ;) we made a torrent of the database dump download here
Here another torrent with all system files (excluding user data) download
You may still donate BTC to 14iCDyeCSp12AmhVfJGxtrzXDabFop4QtU and support us.
If you need to get in contact with us, our mail is firstname.lastname@example.org
We repeatedly get asked how we got into the system. It was surprisingly easy. Here is how we did it: HOW TO HACK FH2"
According to The Verge, the hackers first offered the data dump stolen from the hosting provider for sale in exchange for 0.1 bitcoin (roughly $100 at the time).
Analysis of the wallet used by the attackers confirmed that it received at least two payments, but the group evidently decided to release the stolen data publicly via torrent anyway.
Anonymous claims to have copied 74GB of files, but released only the 2.3GB database dump.
Joseph Cox from Motherboard interviewed one of the hackers involved in the attack, who explained that this was their first hack ever.
The hacker was mainly motivated by the intention to disrupt child pornography online, and had not planned to take down every website hosted on Freedom Hosting II.
"On Saturday, the hacker claiming responsibility told me in more detail how and why they took down the service." wrote Cox.
"This is, in fact, my first hack ever," they said in an email sent from the same address posted to the hacked Freedom Hosting II sites. "I just had the right idea."
The hacker, who first compromised the service on January 30, told Vice that they found ten child pornography sites that had uploaded so much content that it accounted for nearly half of the total Freedom Hosting II files.
"Initially I didn't want to take down FH2, just look through it," the hacker explained to MotherBoard.
The attackers allegedly found several large child pornography websites that exceeded Freedom Hosting II's stated allowance. FHII grants each site a quota of 256MB; users who want to host more content have to pay for it. The sites discovered by the hackers contained gigabytes of child pornography material, which suggests their administrators had paid the Dark Web hosting provider.
"This suggests they paid for hosting and the admin knew of those sites. That's when I decided to take it down instead," the hacker said.
The hacker claims to have found at least 10 child pornography sites containing approximately 30GB of files.
The hacker confirmed the group had released a dump of the system files from Freedom Hosting II, but not the user data, for obvious reasons: the attacker did not want to distribute it publicly because it allegedly contains a large amount of child pornography.
The hacker intends to pass the full archive to a security researcher who will act as a proxy for law enforcement, so that the offenders can be prosecuted.
The security expert Chris Monteiro, who analyzed some of the dumped data, confirmed that the archive includes .onion URLs hosting botnets, fraud sites, fetish websites, hacked data dumps and, of course, child abuse websites.
Figure 3 - Illegal content included in the archive
A detailed analysis of the leaked data confirms that the archive also contains the private keys of the hidden services hosted on Freedom Hosting II. Because a .onion address is derived from the service's key, whoever holds the key can bring up a service at the same address, so the leaked keys could allow attackers to clone the affected websites and impersonate them.
Figure 4 - Private Keys stored in the data dump
Below is the step-by-step procedure followed by Anonymous to hack Freedom Hosting II, as published by the attackers:
- create a new site or login to an old one
- login and set sftp password
- login via sftp and create a symlink to /
- disable DirectoryIndex in .htaccess
- enable mod_autoindex in .htaccess
- disable php engine in .htaccess
- add text/plain type for .php files in .htaccess
- have fun browsing files
- find /home/fhosting
- look at the content of the index.php file in /home/fhosting/www/
- find configuration in /home/fhosting/www/_lbs/config.php
- copy paste database connection details to phpmyadmin login
- find active users with shell access in /etc/passwd
- look through the scripts and figure out how password resets work
- manually trigger a sftp password reset for the user 'user'
- connect via ssh
- run 'sudo -i'
- edit ssh config in /etc/ssh/sshd_config to allow root login
- run 'passwd' to set root password
- reconnect via ssh as root
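Steps 3 to 8 of that list are a classic shared-hosting trick: a symlink pointing at / inside the web root, plus a .htaccess that turns on directory listings and stops PHP files from being executed, makes Apache serve a browsable copy of the whole filesystem, source code included. It only works when the vhost lets the customer's .htaccess override those settings and follows the symlink. The script below is an added example (not code from the article or from Freedom Hosting II) that models the relevant Apache 2.4 rules: it takes a <Directory> block and an attacker-supplied .htaccess, works out which directives Apache would honour under the configured AllowOverride, merges the Options, and reports whether the symlink would be followed. The vhost fragments and the reconstructed .htaccess are constructed for the example; the owner names are assumptions.

```python
"""Audit an Apache vhost for the ".htaccess + symlink to /" browsing trick.

Added example, not FHII's configuration: the vhost fragments and the
.htaccess below are constructed to match the attacker's published steps.
"""

# AllowOverride class each .htaccess directive needs (Apache 2.4 / mod_php docs)
OVERRIDE_CLASS = {
    "directoryindex": "Indexes",   # mod_dir
    "options": "Options",          # core
    "php_flag": "Options",         # mod_php: php_flag/php_value need AllowOverride Options
    "php_value": "Options",
    "addtype": "FileInfo",         # mod_mime
    "addhandler": "FileInfo",
    "sethandler": "FileInfo",
}
ALL_CLASSES = {"AuthConfig", "FileInfo", "Indexes", "Limit", "Options"}


def parse_directives(text):
    """Yield (directive_lowercase, args) for each non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            yield parts[0].lower(), parts[1:]


def allowed_overrides(vhost):
    """Map each granted override class to its allowed values (None = any),
    honouring the last AllowOverride seen and the Options=a,b restricted form."""
    granted = {}
    for name, args in parse_directives(vhost):
        if name != "allowoverride":
            continue
        granted = {}
        for arg in args:
            key, _, restrict = arg.partition("=")
            if key.lower() == "all":
                granted.update({c: None for c in ALL_CLASSES})
            elif key.lower() == "none":
                granted = {}
            else:
                granted[key] = set(restrict.split(",")) if restrict else None
    return granted


def merge_options(current, args):
    """Apache Options semantics: a line of +/- tokens merges, a bare list replaces."""
    if [a.lower() for a in args] == ["none"]:
        return set()
    if args and all(a[0] in "+-" for a in args):
        merged = set(current)
        for a in args:
            (merged.add if a[0] == "+" else merged.discard)(a[1:])
        return merged
    return set(args)


def audit(vhost, htaccess, link_owner, target_owner):
    """Return what the attacker's .htaccess achieves under this vhost config."""
    overrides = allowed_overrides(vhost)
    options = set()
    for name, args in parse_directives(vhost):
        if name == "options":
            options = merge_options(options, args)

    applied = []
    for name, args in parse_directives(htaccess):
        cls = OVERRIDE_CLASS.get(name)
        if cls is None or cls not in overrides:
            continue  # AllowOverride does not grant this class: directive ignored
        if name == "options":
            wanted = {a.lstrip("+-") for a in args}
            allowed = overrides["Options"]
            if allowed is not None and not wanted <= allowed:
                continue  # restricted AllowOverride Options=... forbids a value
            options = merge_options(options, args)
        applied.append(name)

    if "FollowSymLinks" in options:
        symlink_followed = True
    elif "SymLinksIfOwnerMatch" in options:
        symlink_followed = link_owner == target_owner  # customer's link -> root's / fails
    else:
        symlink_followed = False

    browsable = symlink_followed and "Indexes" in options
    return {
        "applied": applied,
        "symlink_followed": symlink_followed,
        "filesystem_browsable": browsable,
        # .php files come back as source once PHP is off or they are typed text/plain
        "php_source_readable": browsable and ("php_flag" in applied or "addtype" in applied),
    }


# Constructed .htaccess matching steps 4-8 of the published procedure.
ATTACKER_HTACCESS = """\
DirectoryIndex disabled
Options +Indexes
php_flag engine off
AddType text/plain .php
"""

# Constructed vhost fragments: a permissive one and a hardened one.
WEAK_VHOST = """\
<Directory /home/*/www>
    Options FollowSymLinks
    AllowOverride All
</Directory>
"""
HARDENED_VHOST = """\
<Directory /home/*/www>
    Options SymLinksIfOwnerMatch
    AllowOverride None
</Directory>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        print(label, audit(cfg, ATTACKER_HTACCESS, link_owner="user", target_owner="root"))
```

The hardened block closes both halves of the trick: AllowOverride None makes Apache ignore the customer's .htaccess entirely, and SymLinksIfOwnerMatch refuses a link owned by the customer that points at a root-owned directory while still allowing links between the customer's own files. Note that granting AllowOverride Options on its own is not enough, because the .htaccess can then simply add Options +FollowSymLinks; the restricted form AllowOverride Options=Indexes is the minimum that keeps that door shut.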
Despite the hacker's stated motivations, the attack may have a dramatic impact on a large number of ongoing investigations conducted by law enforcement worldwide.
International law enforcement bodies may already have infiltrated criminal communities focused on child pornography, and could also have compromised their services in order to de-anonymize the offenders. The hack will force those agencies to change tactics now that the child pornography sites are down.
The good news is that the data dump contains references to the operators and users of these hidden services.