13 comments

[ 3.7 ms ] story [ 28.0 ms ] thread
http://iobm.net/forum/dos/index.php/topic,17.msg113.html#msg...

This is evidently some of the code that was leaked. It's some pretty ugly PHP.

that is some pretty hideous code, but which part of it potentially reveals the identity of backopy? or was it a part in the full source that was apparently given away by the VPS provider?
Well, the way the SQL code in that file is ripe for SQL injection, it's possible that the database has been compromised for a while...
Just the implication that a big chunk of the site is in index.php kind of tipped me off that it might be ugly. A little bit of modularization might have helped contain the damage from the screwed up server settings, if nothing else.
Silk Road was using PHP also. I tried some SQL injections in its earlier days (mid-2011), and got back full error reports including the mySQL commands (I never successfully exploited it because I wasn't able to get a closing parenthesis ")" past the sanitizer). They changed the server config shortly afterwards, and stopped printing the debug messages.
When I read the headline my first thought was that NSA must have cracked tor and the this was just a cover story they put out, but seeing as it was the owner the site himself shuttering the market before he gets caught for what he himself admits was a amateur mistake I am not so worried as I was.
What happened, according to the leaker, was he/she went to the site, and index.php started downloading... So it would have to be a web-server (Apache, Nginx) mis-configuration that removed the php-handler from the file-type.

http://iobm.net/forum/dos/index.php/topic,17.0.html

> It was not our aim to bring BMR down, we just published the leak because if we had it, enforcement and private hackers could have it as well, trouble could arise if the leakage would have been exploited without people to know.

> Besides, we want to make clear that we have no contact to anyone of the involved parties, neither backopy nor VPS admin.

> When we tried to access the site, it offered us the index.php for DOWNLOAD. So we downloaded it as we assumed we were not the only one to be able to download it.

> For any reason the file was not executable anymore by the VPS and thus offered for download! Whether ot not this happened intentionally or was a simple but severe mistake, is outside our knowledge.

> We just think that such mistakes must not happen as they can endanger the users and we think they must be published and not exploited.

yeah, sounds more likely, otherwise someone needs to name names of the VPS provider. i'm very skeptical that a VPS provider actually started snooping.
Seems a few comments here are pointing to the VPS provider being the ones who might have leaked the source code. I don't think that was the concern, but hopefully somebody more in the know can elaborate.

From what I understand, once a portion of the source code was in the open, a match could be made (not easily like a google search) to that server's index.php page, pointing to exactly which server is running the code, and can then be back traced to who the account was registered under.

What I don't understand (and I've never used any of these sites) is how do they have a DNS registration and ip look-up without that being connected to an individual. I know you can make your DNS details private, but I would have assumed that was only 'private' from public view and that most of the DNS companies would have cooperated with law enforcement.

Unlike general snooping, I think I'd be fine with Law Enforcement getting a warrant to find who registered a particular domain, and back trace from there. They would still need to make a case of illegal activity, so should this be protected information?

.onion sites are not part of the DNS but are resolved by a DNS equivalent based on public/private key encryption and directory servers thus revealing neither IP# nor hoster.
Uhm, concatenating user controlled content into SQL queries? Do black marketeers today learn nothing at code school?

It is a good thing he took the site down promptly, else it would have been exploited in no time.