Another Two Bites The Dust (Black Goblin Marketplace & CannabisRoad)

Posted by: DeepDotWeb

February 9, 2014

The sad (yet funny) story of the latest two marketplaces to go down, as described by Gwern on Reddit, is a prime addition to the marketplaces wall of shame and a perfect example of the incompetence of some of the new breed of marketplace developers who have nothing in front of them but pure greed. We have simply pasted the original Reddit posts, with the screenshots, as their tombstones:

Only two things are infinite, the universe and human stupidity, and I’m not sure about the former. – Albert Einstein

Black Goblin obituary

While I’m doing obits… So you may also have noticed that a recently-launched black-market named Black Goblin Market has been down for the past 3-4 days after its launch 5 days ago.

Goblin was not so much hacked as de-anonymized. You can see some information on its IP in the comments: http://www.reddit.com/r/DarkNetMarkets/comments/1wwjg3/black_goblin_market_is_now_open/cf64uhk

Naturally, for any black-market, being de-anonymized is about as bad as being hacked, since it means that any future law enforcement investigation knows exactly where to start: subpoena the host or ISP to get everything they know, like what’s on the server, what IPs connect to it, who was paying for it, etc. And this means such a market can never get very big or last very long.

So while he left the landing page up for a day, he seems to have called it quits for good.

I’m afraid I have to claim credit for this one: about 3 hours after the Reddit post was submitted, I signed up for an account on BGM, gave it my real e-mail address when its signup form asked (I am aboveboard about the mirroring stuff and have nothing to hide), and a little while later, noticed in my inbox an email from… Black Goblin Market.

A little background here: Tor exit nodes generally forbid email because allowing email would result in a tsunami of spammers. If you ever read the Tor documentation (or read your /etc/tor/torrc and noticed the discussion of blocking ports) about exit policies, you’d know that SMTP/email/port-25 is blocked by default; as the Tor Abuse FAQ explains in “What about spammers?”:

First of all, the default Tor exit policy rejects all outgoing port 25 (SMTP) traffic. So sending spam mail through Tor isn’t going to work by default. It’s possible that some relay operators will enable port 25 on their particular exit node, in which case that computer will allow outgoing mails; but that individual could just set up an open mail relay too, independent of Tor. In short, Tor isn’t useful for spamming, because nearly all Tor relays refuse to deliver the mail.

So it is unusual, to say the least, to ever get email from a hidden service. How did BGM pull it off‽, I instantly wondered. I opened up my email and looked at its headers (‘Show Original’ in the dropdown menu in Gmail, if you don’t know what I’m talking about):

Answer: he didn’t. The email was sent straight from his server and the IP (84.148.105.248) was right there for anyone in the world to look at, and would have been for anyone who ever signed up with a working email (like, say, a Riseup or Safe-mail email address), and making the emails anonymous would be quite difficult (have to somehow proxy over HTTP to someone willing to do clearnet emails for you). The IP is easily checked against a master list of Tor exit nodes & found to not be an exit node.

Actually, the hilarious thing is that he may not have even realized his ‘hidden service’ was doing this: the X-Mailer is “Drupal” and the return address is “noemail.com”, and apparently this is some sort of Drupal default functionality. (Not an issue for most servers where it doesn’t matter if the IP is being leaked…)

I mentioned it to some other people; they did some nmap probing and a simple correlation attack by DoSing the IP to see if the hidden service went down simultaneously, and that was that. Black Goblin was toast.

The self-signed HTTPS nonsense and all the well-meaning security advice and elaborate precautions aside, the site never stood a chance. Really, all these new black-markets are so incredibly bad – I’m not a web dev, much less a pen tester, and I managed to de-anonymize a market? (And there’s more in the offing…)

RIP Black Goblin Market (3-4 February 2014).
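The leak Gwern describes above is visible to any recipient who reads the earliest Received: header and compares its originating address against a list of Tor exit addresses, which is exactly how an operator can audit their own outbound mail before it gives the game away. The following is an added example (Python, not code from the original post or from the market): the sample message, host names and the exit-address set are constructed, the originating IP is the one quoted in the post, and the function names are hypothetical.

```python
import re
from email import message_from_string
from ipaddress import ip_address
from typing import List, Optional, Set

# Constructed sample of a signup notification as seen via "Show Original".
# The originating address 84.148.105.248 is the one quoted in the post;
# host names and queue ids are placeholders.
SAMPLE_RAW_EMAIL = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.recipient.example (Postfix) with ESMTPS id ABC123
    for <user@example.org>; Sat, 1 Feb 2014 12:00:00 +0000
Received: from bgm-web (unknown [84.148.105.248])
    by mail.example.net (Postfix) with ESMTP id DEF456;
    Sat, 1 Feb 2014 11:59:58 +0000
From: Black Goblin Market <noreply@noemail.com>
To: user@example.org
Subject: Your new account
X-Mailer: Drupal

Your account has been created.
"""

# Constructed stand-in for a Tor exit list; the Tor Project publishes the real one.
TOR_EXITS: Set[str] = {"198.51.100.7", "203.0.113.42"}

# Received: headers put the peer's address in square brackets (TCP-info clause).
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_headers(raw_email: str) -> List[str]:
    """Received: headers in the order they appear (newest hop first)."""
    msg = message_from_string(raw_email)
    return list(msg.get_all("Received", []))


def origin_ip(raw_email: str) -> Optional[str]:
    """IPv4 address in the 'from' clause of the earliest Received: header,
    i.e. the address the first relay saw the sending server connect from."""
    hops = received_headers(raw_email)
    if not hops:
        return None
    earliest = hops[-1]
    from_clause = re.split(r"\s+by\s+", earliest, maxsplit=1)[0]
    match = IPV4_RE.search(from_clause)
    if not match:
        return None
    try:
        return str(ip_address(match.group(1)))  # validates octets, normalises form
    except ValueError:
        return None


def classify_origin(raw_email: str, tor_exits: Set[str]) -> str:
    """'tor-exit' if the origin is a known exit address, 'private' for
    RFC 1918/loopback hops, 'direct' when a routable address of the sending
    server is exposed, 'unknown' if no origin could be read."""
    ip = origin_ip(raw_email)
    if ip is None:
        return "unknown"
    if ip in tor_exits:
        return "tor-exit"
    addr = ip_address(ip)
    if addr.is_private or addr.is_loopback:
        return "private"
    return "direct"


if __name__ == "__main__":
    print(origin_ip(SAMPLE_RAW_EMAIL), classify_origin(SAMPLE_RAW_EMAIL, TOR_EXITS))
```

A result of "direct" means the message carries the sender's real address end to end, which is the Black Goblin case; "tor-exit" would mean the mail was relayed through an exit and the address is useless for attribution. The check only covers IPv4 in bracketed form and trusts every Received: line, so a relay that rewrites or strips headers changes what it can see.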

CannabisRoad obituary

You may have noticed that since yesterday, CR has not been up and URLs like http://ji4wrifhsnawaw7t.onion/forum/index.php?action=profile;area=account have been spitting out error messages like “Connection Problems: Sorry, SMF was unable to connect to the database. This may be caused by the server being busy. Please try again later.”

This is because CR was insecure, not anonymous, and has been hacked, very similar to the recent Drugslist/Cantina/Black-Goblin/Utopia problems. Yesterday I was PMed my cleartext password and PIN for my CR account; the hacker had completely compromised CR and told me:

…the server is so insecure, it is riddled with sql injections. the smf was also leaking the server ip… not that it mattered, but 100% amateur. there was no real transactions but it was available and plain text.. could have rooted it im sure, if i cared. everything was plaintext

I believe his claims about the lack of password protection: my passwords are generated by Lastpass and generally at least 20 characters long, so bruteforcing a hash would be difficult. (You might think that every programmer in the world appreciates that passwords must be stored as hashes, but CR proves that there is no level of incompetence a market cannot reach, although I’m not sure if that’s worse than Black Goblin’s problems.) This is an example of why you must avoid password reuse and must use different passwords on each market you might be active on – the owners could be shockingly incompetent and reveal your password to anyone in the world who can read the database.

He provided further notes and details from the CR server:

Sad and pathetic. The only good thing I can say about CR’s operator is that it seems he appreciates the gravity of his problems and has not tried to bluff or lie about them like some have.

RIP CannabisRoad (2-7 February 2014).
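What "stored as hashes" means in practice, as an added example (Python, not code from the original post or from either market): PlaintextUserStore mirrors what the hacker describes finding on CR, where a database read hands over every password and PIN, and HashedUserStore is the corrected form using salted PBKDF2-HMAC-SHA256 from the standard library, so the same read yields only salts and digests. User names, passwords and PINs below are constructed, and the class and function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 100_000        # PBKDF2 work factor; raise it as hardware gets faster
ALGORITHM = "pbkdf2_sha256"


def make_record(secret: str, salt: Optional[bytes] = None) -> str:
    """Build a self-describing record: algorithm$iterations$salt$digest (base64)."""
    if salt is None:
        salt = os.urandom(16)   # fresh salt per record: equal secrets give different digests
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_record(secret: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


class PlaintextUserStore:
    """The 'before': secrets kept verbatim, as the post describes CR doing."""

    def __init__(self) -> None:
        self.rows: Dict[str, Dict[str, str]] = {}

    def register(self, user: str, password: str, pin: str) -> None:
        self.rows[user] = {"password": password, "pin": pin}

    def login(self, user: str, password: str, pin: str) -> bool:
        row = self.rows.get(user)
        return row is not None and row["password"] == password and row["pin"] == pin

    def dump(self) -> str:
        """What anyone who can read the table gets."""
        return "\n".join(f"{u}\t{r['password']}\t{r['pin']}" for u, r in self.rows.items())


class HashedUserStore:
    """The corrected form: only salted, stretched digests are stored."""

    def __init__(self) -> None:
        self.rows: Dict[str, Dict[str, str]] = {}

    def register(self, user: str, password: str, pin: str) -> None:
        self.rows[user] = {"password": make_record(password), "pin": make_record(pin)}

    def login(self, user: str, password: str, pin: str) -> bool:
        row = self.rows.get(user)
        if row is None:
            return False
        # Evaluate both so a wrong PIN takes as long as a wrong password.
        ok_password = verify_record(password, row["password"])
        ok_pin = verify_record(pin, row["pin"])
        return ok_password and ok_pin

    def dump(self) -> str:
        return "\n".join(f"{u}\t{r['password']}\t{r['pin']}" for u, r in self.rows.items())


def dump_exposes_secret(store, secret: str) -> bool:
    """True if a raw read of the table reveals the secret verbatim."""
    return secret in store.dump()


if __name__ == "__main__":
    hashed = HashedUserStore()
    hashed.register("alice", "correct horse battery staple 2014", "493817")
    print(hashed.dump())
    print(hashed.login("alice", "correct horse battery staple 2014", "493817"))
```

Hashing protects a long random password like the ones Gwern describes, because guessing it costs one PBKDF2 evaluation per attempt; it does not rescue a six-digit PIN, whose entire space is a million guesses, so a hashed PIN still needs rate limiting or lockout on the server side.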

==========

Let these two be a reminder for future markets. Both of them have of course long since been removed from our list of hidden marketplaces, and we will keep following and posting about marketplaces that pose a risk to their users and owners.

Updated: 2014-02-09