Another Security Blunder Takes Down Another Dark Web Drug Emporium - jtolj
http://www.slate.com/blogs/crime/2013/10/17/black_market_reloaded_silk_road_s_biggest_competitor_shuts_down_after_site.html

======
powertower
What happened, according to the leaker, was that he/she went to the site and
index.php started downloading... So it would have to be a web-server (Apache,
Nginx) misconfiguration that removed the PHP handler from the file type.

[http://iobm.net/forum/dos/index.php/topic,17.0.html](http://iobm.net/forum/dos/index.php/topic,17.0.html)

> It was not our aim to bring BMR down; we just published the leak because if
> we had it, enforcement and private hackers could have it as well, and trouble
> could arise if the leak had been exploited without people knowing.

> Besides, we want to make clear that we have no contact with any of the
> involved parties, neither backopy nor the VPS admin.

> When we tried to access the site, it offered us the index.php for DOWNLOAD.
> So we downloaded it as we assumed we were not the only one to be able to
> download it.

> For whatever reason, the file was no longer executable by the VPS and was thus
> offered for download! Whether or not this happened intentionally or was a
> simple but severe mistake is outside our knowledge.

> We just think that such mistakes must not happen, as they can endanger the
> users, and we think they must be published and not exploited.

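A practical way to confirm the failure mode powertower describes (the PHP handler detached from the .php extension, so the server hands out index.php as a static file) is to look at what the server actually returns for the front page. The script below is an added example, not code from the thread, from BMR or from the leaker; the three HTTP responses in it are constructed for illustration, and `check_url` is a hypothetical helper for running the same check against a live host.

```python
"""Detect a web server that serves PHP source instead of executing it.

Added example for this thread; it is not code from Black Market Reloaded or
from the leaker. The HTTP responses below are constructed for illustration.
"""
import urllib.request
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: bytes = b""


def parse_raw_response(raw: bytes) -> Response:
    """Split a raw HTTP/1.x response into status code, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers, body)


def php_source_disclosed(resp: Response) -> bool:
    """Heuristic for the failure described in the thread: with no PHP handler
    mapped to the .php extension, the server treats index.php as a plain file.

    Executed PHP never emits its own <?php open tag, so a 200 whose body starts
    with one is disclosure regardless of Content-Type. As a weaker signal, a body
    delivered as a download (attachment / octet-stream) that contains a PHP
    open tag anywhere is also flagged.
    """
    if resp.status != 200:
        return False
    body = resp.body.lstrip(b"\xef\xbb\xbf \t\r\n")  # skip BOM and whitespace
    if body.startswith((b"<?php", b"<?=")):
        return True
    ctype = resp.headers.get("content-type", "").split(";")[0].strip().lower()
    disp = resp.headers.get("content-disposition", "").lower()
    served_as_download = "attachment" in disp or ctype == "application/octet-stream"
    return served_as_download and b"<?php" in body


def check_url(url: str, timeout: float = 10.0) -> bool:
    """Hypothetical helper: run the check against a live URL (not exercised
    by the offline samples below)."""
    req = urllib.request.Request(url, headers={"User-Agent": "php-leak-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        headers = {k.lower(): v for k, v in r.getheaders()}
        return php_source_disclosed(Response(r.status, headers, r.read()))


# Constructed samples (not captured traffic).
LEAKED = (  # handler gone, file offered as a download, as the leaker described
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; filename=\"index.php\"\r\n"
    b"\r\n"
    b"<?php\n"
    b"$q = \"SELECT * FROM users WHERE name = '\" . $_GET['u'] . \"'\";\n"
)
LEAKED_AS_HTML = (  # handler gone but the MIME type still says HTML
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"\xef\xbb\xbf<?php session_start(); ?>\n<html>...</html>\n"
)
HEALTHY = (  # PHP was executed; only rendered HTML reaches the client
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<!DOCTYPE html>\n<html><body><form>Login</form></body></html>\n"
)


if __name__ == "__main__":
    for name, raw in (("leaked", LEAKED), ("leaked-as-html", LEAKED_AS_HTML),
                      ("healthy", HEALTHY)):
        print(f"{name}: disclosed={php_source_disclosed(parse_raw_response(raw))}")
```

The second sample is the reason the check looks at the body rather than trusting Content-Type: a server can keep labelling .php files as text/html while no longer passing them to the interpreter, and the browser will then render the source (or part of it) instead of offering a download. On the server side the equivalent check is that the .php handler (mod_php or a FastCGI proxy to php-fpm) is still bound to the extension in every virtual host, including after a package upgrade or a copied configuration.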
~~~
leeoniya
Yeah, sounds more likely; otherwise someone needs to name names of the VPS
provider. I'm very skeptical that a VPS provider actually started snooping.

------
pedalpete
Seems a few comments here are pointing to the VPS provider being the ones who
might have leaked the source code. I don't think that was the concern, but
hopefully somebody more in the know can elaborate.

From what I understand, once a portion of the source code was in the open, a
match could be made (not easily, like a Google search) to that server's
index.php page, pointing to exactly which server is running the code, and that
could then be traced back to whom the account was registered under.

What I don't understand (and I've never used any of these sites) is how they
have a DNS registration and IP lookup without that being connected to an
individual. I know you can make your DNS details private, but I would have
assumed that was only 'private' from public view and that most of the DNS
companies would have cooperated with law enforcement.

Unlike general snooping, I think I'd be fine with Law Enforcement getting a
warrant to find who registered a particular domain, and back trace from there.
They would still need to make a case of illegal activity, so should this be
protected information?

~~~
Zidewinder
These sites don't participate in the DNS. They (theoretically, at least) keep
their IP addresses secret by sending and receiving traffic only through the
Tor onion routing network.

[http://en.wikipedia.org/wiki/Tor_(anonymity_network)#Hidden_...](http://en.wikipedia.org/wiki/Tor_\(anonymity_network\)#Hidden_services)

------
jtolj
[http://iobm.net/forum/dos/index.php/topic,17.msg113.html#msg...](http://iobm.net/forum/dos/index.php/topic,17.msg113.html#msg113)

This is evidently some of the code that was leaked. It's some pretty ugly PHP.

~~~
ThePinion
That is some pretty hideous code, but which part of it potentially reveals the
identity of backopy? Or was it a part of the full source that was apparently
given away by the VPS provider?

~~~
abolibibelot
Well, the way the SQL code in that file is ripe for SQL injection, it's
possible that the database has been compromised for a while...

------
iSnow
Uhm, concatenating user-controlled content into SQL queries? Do black
marketeers today learn nothing at code school?

It is a good thing he took the site down promptly, else it would have been
exploited in no time.

