
Cyber Incident Victim: Deep Hosting

Date: Jul 2017

Location: United States of America

Summary

A dark web hosting service was breached when an attacker registered a shared hosting account, uploaded a PHP shell, and used a PHP function that had not been disabled on the shared servers to gain limited command execution. The intrusion led to data exfiltration from multiple hosted sites, including possible database leaks, and prompted a response consisting of a server lockdown (read-only mode), forensic analysis, disabling of the abused function, and forced FTP and SQL password resets for all user accounts. The attacker claimed access to 91 dark web services, including illicit marketplaces and forums, many of which went offline after the incident. In a separate compromise, the same attacker used a default password to reach a marketplace's VPS and accidentally disrupted its operations.

CIA Posture: available to members
Motives: 1 motive (details available to members)
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Actor Type: available to members
Actor Location: available to members

Description

On July 8, 2017, an individual using the alias Dhostpwned compromised Deep Hosting, a dark web hosting service, by registering a shared hosting account and uploading two web shells, one written in PHP and one in Perl. The Perl shell failed to execute, but the PHP shell called a function that had not been disabled on the shared servers, giving the attacker limited command execution under restricted privileges. The attacker gained a foothold on the server infrastructure, though Deep Hosting's existing restrictions prevented broader control of the system. The breach went undetected until 10:00 am on July 9, when Deep Hosting's staff identified unauthorized activity, including evidence that files had been exported and deleted. Within five minutes, the hosting provider placed the affected servers in read-only mode to prevent further tampering. By 10:06 am, forensic analysis of the files had begun, and at 1:00 pm the attack vector was identified as the PHP function that had been left callable and allowed command execution. Deep Hosting immediately partitioned the hosted sites from one another and disabled the function. At 2:30 pm, the organization reset all FTP and SQL passwords for user accounts and restored full read/write operation, concluding containment roughly 24 hours after the initial intrusion.
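The root cause above is a shared-hosting PHP configuration in which at least one command-execution function was still callable from tenant code. The script below, an added example and not Deep Hosting's code, audits a php.ini or PHP-FPM pool file for exactly that: it parses the effective `disable_functions` directive and reports which OS-execution primitives a tenant's script could still reach. The page does not say which function the shell used, so the function list is the author's list of the usual PHP process and command primitives, and both sample pool files are constructed.

```python
"""Audit a php.ini or PHP-FPM pool file for command-execution functions that
disable_functions leaves callable.

Added example, not Deep Hosting's own code. The incident report does not name
the function the PHP shell used, so EXEC_FUNCTIONS is the author's list of the
usual PHP primitives that run OS commands or spawn processes, and the sample
pool configs below are constructed.
"""
from __future__ import annotations

import re

# Functions that hand a string to the OS or create a process. putenv and mail are
# included because together they give the well-known LD_PRELOAD bypass of
# disable_functions (putenv sets the variable, mail forks sendmail under it).
EXEC_FUNCTIONS = frozenset({
    "exec", "passthru", "shell_exec", "system", "proc_open", "popen",
    "pcntl_exec", "pcntl_fork", "dl", "putenv", "mail",
})

# Matches either the php.ini form or the FPM pool form of the directive:
#   disable_functions = exec,system
#   php_admin_value[disable_functions] = exec,system
DIRECTIVE_RE = re.compile(
    r"^\s*(?:php_admin_value\[\s*disable_functions\s*\]|disable_functions)"
    r"\s*=\s*(.*?)\s*$",
    re.IGNORECASE,
)


def parse_disabled(ini_text: str) -> set[str]:
    """Return the functions disabled by the last effective directive in ini_text."""
    disabled: set[str] = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0]          # ';' begins a comment in ini syntax
        match = DIRECTIVE_RE.match(line)
        if not match:
            continue
        value = match.group(1).strip().strip('"')
        # PHP applies assignments in order, so the last one wins.
        disabled = {name.strip().lower() for name in value.split(",") if name.strip()}
    return disabled


def audit(ini_text: str) -> list[str]:
    """Return, sorted, the exec primitives a tenant's PHP script could still call."""
    return sorted(EXEC_FUNCTIONS - parse_disabled(ini_text))


def hardened_directive() -> str:
    """A pool-level directive that blocks every function in EXEC_FUNCTIONS.

    php_admin_value is used so the value cannot be overridden by the tenant's
    own code or per-directory ini files.
    """
    return "php_admin_value[disable_functions] = " + ",".join(sorted(EXEC_FUNCTIONS))


# Constructed sample: a shared-hosting pool that blocks the obvious four and stops.
WEAK_POOL = """
[shared]
user = www-data
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
"""

# Constructed sample: the same pool after remediation.
HARDENED_POOL = f"""
[shared]
user = www-data
{hardened_directive()}
php_admin_value[open_basedir] = /home/shared/:/tmp/
"""

if __name__ == "__main__":
    for label, pool in (("weak", WEAK_POOL), ("hardened", HARDENED_POOL)):
        left = audit(pool)
        print(f"{label}: {', '.join(left) if left else 'no exec primitives callable'}")
```

Two caveats a practitioner should keep in mind. First, `disable_functions` cannot block language constructs such as `eval` or `include`, so an uploaded PHP shell still runs as PHP and can read any file or database the tenant's own credentials reach; that is consistent with the report above, where command execution was "limited" yet site files and databases were still exfiltrated and every FTP and SQL password had to be reset. Second, the directive only helps if it is applied to every pool and every PHP version handler on the box; auditing one php.ini and missing an FPM pool file is a common way for a single function to stay callable.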


The incident resulted in the confirmed exfiltration of data from an unspecified number of hosted sites, with databases potentially compromised as well. Dhostpwned published a list of 91 affected dark web services, including drug marketplaces, malware distribution platforms, hacking forums, and carding shops, many of which became inaccessible after the mandatory password resets. While the attacker claimed to have accessed databases and files, he stated that he did not intend to release the data publicly. During the same period, Dhostpwned inadvertently crashed the M.N.G Market, a dark web marketplace, by overwriting the Master Boot Record (MBR) of its VPS; that access was made possible by the market's use of a default password on the server and was separate from the Deep Hosting shared-server breach. The incident echoed earlier compromises of dark web hosting providers, notably Freedom Hosting in 2013 and Freedom Hosting II in 2017, which likewise stemmed from basic security oversights. Deep Hosting's public disclosure emphasized the theft of site data but did not quantify the number of affected users or detail post-incident forensic findings beyond the remediation steps described above.
