DHL IP-address leak is fake

Edit: the login under the IP address posted by /u/cipherme apparently only works for older accounts, but it also only works if the password for the account is correct. So the clearnet server seems to have at least a slightly older copy of the actual DHL user table.

At the time of writing, the claims that tomcheck made are still not proven. He claimed that the two servers are the same. While some of the header fields in the response headers from both servers are the same, they are easily fakeable.

The only thing that would be very hard to fake is the exact date of the server, down to the millisecond range. However, both servers just use the same timezone (GMT), and that is just one line in a config file to change. And tomcheck will never be able to prove that the time both servers use is the same down to the millisecond, as explained here.

Edit 3: the IP leak of a test server has been admitted by DHL; more information here: https://www.reddit.com/r/DarkNetMarkets/comments/6r5o1s/dhl_market_current_problems_consider_avoiding/

Until tomcheck proves that the servers are using the exact same clock, not just the same timezone, his claim is not true.

I am now also in contact with cipherme so he can prove that he is the real cipher0007.

Here are the mod mail screenshots:

They show how tomcheck does not see it as necessary to prove his claims, resorts to insults, and is in the 'infosec business' despite not knowing that Ubuntu full-disk encryption covers more than just the home directory:

very first thread: https://anonimage.net/gallery/oa6K3Ko4yW

first thread: https://anonimage.net/gallery/TwHQj5VJ9B

second thread: https://anonimage.net/gallery/2QY1l6o83G

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The alleged IP address leaks that /u/CipherMe claimed to 
have found are fake. 

First, a big thanks to /u/DooshNozzzle who quickly provided 
me with some invites to verify the claims that cipherme made. 

Second, I created an account on the DHL hidden service, enabled 
2FA with PGP and then made sure it was all set up correctly and 
working on the hidden service. After that I tried logging in on 
one of the IP addresses he posted but only got the 'invalid 
username / password' error.

The posts of /u/CipherMe have been removed and he has been banned. 
He can contact us mods in the mod mail if he wants to add something.

Discussion and consequences about the other issues also with 
other markets will happen soon. This is just to clear up some F.U.D.
-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJZgYZMXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQyRThEREY2QTcwQjBEM0JFQzVDNUJCMzRG
OUZGQTk4N0M4RDc2OEQ3AAoJEPn/qYfI12jXSTYP/165VlBet9CHAA2a3CSpesjH
pAZaONBCiZGasnVQGdbR6FrYkBjYtEcSsckjEF0DqKWyrTSvEx/cu4bFYiuhnSfA
mFTq5XneiGD3T2O3N5BZx2bI/S8hlOt8GFvSOUtNfyMTzWriTXJpKQpF55W+D+R6
MyCXZP0tXrZ59s4WQZmmHTclDVlaObh6jobAYoaUwrLGlpDczQxVCxhKv8HTZ948
16eF/8ZtzrL+FkexhgLzCwdeYj1bzSIaHWY+R2Lj0PPiYZXZI3ZdGgAUv4h3JVVh
/gpY0iHGZKn9ZdX4odlohFyT83rDv+31hg3hZVsbraWwBzDlf7M+yCfIpxUY7LLV
rvkBtxqAwMRKvs9D5pmAFQVlUCJuSoolZSQ7oDnxc+jSfUypCpwcSdP6fcQCzqDi
NNEGhJJneeX78WHmhID6Luq/JoUwfMfNMo/XrmWEjlmXWNXMYZzmqnsdtsJJGGxn
SITVwoDhejFCNRsFbyrVdZDSiJtLa5ey1tqjvmlSWWA+X0nZXA2oAp6DI+jn6BPY
jIGRLq2GxOW7G9FhQ5DuXqvkiiVnfgIk31XZqh90xV53qvMm7nFsGUbof2mNDRNH
qx3whQM92d6e1mHEBakxuui841DhNSL0EgQ3LXF8TN/CO7xlvm78d9UF30iv9NQg
r0MBON2D8Y38j2oBYGOs
=d+hE
-----END PGP SIGNATURE-----
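The header argument in the post above (matching response headers prove nothing, and the Date header cannot establish a shared clock) as an added example. This code is not from the original post or from either server; the two response heads below are constructed samples standing in for a hidden service and a clearnet host that someone claims are the same box.

```python
"""Compare two captured HTTP response heads: what agreement shows and what it doesn't.

Added example, not code from the original post. Both responses are constructed.
"""
from email.utils import parsedate_to_datetime

# Constructed sample responses: a hidden-service reply and a clearnet reply
# fetched a few seconds apart. Only fields relevant to the comparison are kept.
HIDDEN_SERVICE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 02 Aug 2017 10:15:32 GMT\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.0.18\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)
CLEARNET_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 02 Aug 2017 10:15:35 GMT\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.0.18\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Fields any operator can set to an arbitrary value through server config or a
# reverse proxy in front. Agreement on these is not evidence of a shared host.
TRIVIALLY_SPOOFABLE = {"server", "x-powered-by", "content-type"}


def parse_headers(raw):
    """Return {lowercased header name: value} for a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def matching_headers(a, b):
    """Header names present in both responses with identical values (Date excluded,
    it is compared separately as a clock, not as a string)."""
    return {k for k in a if k in b and a[k] == b[k] and k != "date"}


def date_skew_seconds(a, b):
    """Difference between the two Date headers, in whole seconds.

    RFC 7231 Date values carry whole seconds in GMT, so this can never show
    sub-second agreement between two clocks; at best it bounds the skew to about
    a second, which any NTP-synced host anywhere would also satisfy.
    """
    ta = parsedate_to_datetime(a["date"])
    tb = parsedate_to_datetime(b["date"])
    return int((tb - ta).total_seconds())


def same_host_evidence(a, b):
    """Summarise how much of the header agreement actually carries weight."""
    same = matching_headers(a, b)
    return {
        "matching": sorted(same),
        "spoofable_matches": sorted(same & TRIVIALLY_SPOOFABLE),
        "non_spoofable_matches": sorted(same - TRIVIALLY_SPOOFABLE),
        "date_skew_s": date_skew_seconds(a, b),
    }


if __name__ == "__main__":
    hidden = parse_headers(HIDDEN_SERVICE_RESPONSE)
    clear = parse_headers(CLEARNET_RESPONSE)
    print(same_host_evidence(hidden, clear))
```

With the constructed samples every matching field is in the spoofable set and the Date skew is a few seconds, which is what two separate, correctly time-synced machines running the same stock Apache/PHP packages would also produce. Run against real captures, a non-empty `non_spoofable_matches` (for example a session cookie or CSRF token issued by one host being accepted by the other) is the kind of evidence that would actually support the "same server" claim.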


Comments


[13 Points] DooshNozzzle:

nice job. thanks for getting to the bottom of this.

don't y'all be asking me for invites now. This was for a good cause.


[10 Points] dslickjb:

no way, you mean DHL isn't run on port 8001 and iptables isn't set up to allow anyone to just visit from any address?!

I get that they've been exposed for ignorance lately, and it's definitely more than concerning. But seriously? If we're going to find the server, get /u/t0mcheck to force some code to execute in a shell on DHL:

  1. crontab -e
  2. and add "*/1 * * * * iptables --flush"
  3. start port scanning everyone!


[8 Points] t0mcheck:

..


[7 Points] ___--__-_-__--___:

/u/t0mcheck, a friendly word from someone who appreciates what you have been doing: Yes, some people on this subreddit walk around wearing blinders, moving between market busts and exit scams in whatever direction the loudest chorus of voices tells them to go.

That's not everyone, though, and I doubt it's even a majority. That group - along with those people who have incentives to distort and distract from annoying truths - are simply really loud and for obvious (frustrating) reasons they get in your face. You don't win by playing their game. Just keep playing yours. The truth about things like this doesn't stay covered up for long.

About the rest of the /r/DarkNetMarkets folks (your audience), you are not going to educate anyone, improve security, or do much good if you alienate influential skeptics who are genuinely interested in engaging with you and discussing the details of your findings. Realize that idiots come along regularly claiming to have some unencrypted database from XYZ marketplace so pay me 5 million BTC. They don't know you and their skepticism is called for. (I don't know you either. I'm just trying to pay attention and stay open minded. Seems like you know your shit and DHL... is shit.) Anyway, you guys can't read each others' minds, so I really encourage you to assume that anyone who is discussing technical details with you is doing so in good faith (even if they are pushing back, as long as it's about facts; people have to learn things somewhere). As best I can tell from an admittedly cursory glance, you and /u/wombat2combat are on the same team. (Perhaps because DHL staff + fanboy have been on you all night, you jumped him pretty quickly with that 'clueless mod hijacking the sub to serve his agenda' accusation.)

Thanks again for pen testing some of the markets. We need more people like you around, and I don't think I'm alone here in saying that I hope you explore the other larger markets. (I also hope that they respond more intelligently than the DHL admins did. My understanding is that $$ + "Thank you, /u/t0mcheck, do you mind telling me how I can fix this, like, right now?" is a reasonable response?)


[2 Points] ThrowawayAVILSD:

Hippie tin-foil theory: DHL has been taken over à la Hansa; the IP address is about to become, or was about to become, the honeypot.


[2 Points] saloviepussy:

Good job. Web server headers can be changed on the fly; a lot do it to avoid footprints.

Don't panic, guys. Hidden services, PGP and an isolated machine to open ANY non-ASCII file (Hansa suckers, hello?!) are all you need. Even if LE is at exit nodes, why would you worry? You shouldn't use Tor from your own Internet as ISPs can track Tor users, so they get nothing from you if you aren't dumb.


[2 Points] dnm-researcher:

I made the site print a random bitcoin address from my input. The response was not changed, so probably it is NOT a phishing proxy. I guess the whole purpose of a phishing proxy is changing BTC addresses on the fly.
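The canary check described in the comment above, as an added example that is not part of the original comment or of any market's code: submit an address-shaped string the site will echo back, then see whether what comes back is byte-for-byte what went in. The page template, the rewriting proxy and the attacker address below are all constructed for illustration; in practice `fetch` would be an HTTP request made over Tor to the .onion and to the suspect clearnet host.

```python
"""Canary-address probe for a substituting phishing proxy.

Added example, not from the original comment. The market page and the proxy are
simulated so the probe can run offline.
"""
import re
import secrets

# Loose shape of a legacy Bitcoin address (base58, 26-35 chars, leading 1 or 3).
# This is the same kind of blind pattern a substituting proxy would use.
BTC_ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed attacker address for the simulated proxy. Not a real address.
ATTACKER = "1" + "Q" * 30


def make_canary(length=33):
    """Random address-shaped string. It is not a real key and never needs to be
    spendable; it only has to look like an address to a rewriting proxy."""
    return "1" + "".join(secrets.choice(BASE58) for _ in range(length))


def render_profile(address):
    """Stand-in for a market page that echoes the user's payout address."""
    return f"<html><body><p>Payout address: {address}</p></body></html>"


def rewriting_proxy(html, attacker_address):
    """What a phishing proxy does on the way back: swap every address it sees."""
    return BTC_ADDRESS_RE.sub(attacker_address, html)


def probe(fetch):
    """Run the canary check. `fetch(canary)` returns the page body that comes back
    after the canary was submitted. The proxy is caught when the echoed page no
    longer contains the exact string that was sent."""
    canary = make_canary()
    body = fetch(canary)
    return {
        "canary": canary,
        "echoed": BTC_ADDRESS_RE.findall(body),
        "rewritten": canary not in body,
    }


# Two simulated paths: straight to the site, and through a rewriting proxy.
def fetch_direct(canary):
    return render_profile(canary)


def fetch_via_rewriting_proxy(canary):
    return rewriting_proxy(render_profile(canary), ATTACKER)


if __name__ == "__main__":
    print("direct:", probe(fetch_direct))
    print("proxied:", probe(fetch_via_rewriting_proxy))
```

A negative result only rules out a proxy that rewrites blindly on every page. A more careful proxy can leave profile pages alone and substitute only on deposit or withdrawal pages, or only for addresses it did not see the user type, so the probe is worth repeating on the page where money actually moves and comparing the .onion and clearnet responses for the same session.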


[2 Points] yup1488:

Since the data is real, if slightly out of date, the IP address must be assumed to actually belong to the DHL operators. My guess is DHL managed to stop the database replication from the other side but lost control over the front-end server, and LE is driving to the datacenter as we speak :/


[2 Points] None:

CHAOS! WE MUST RUN! EVERYTHING IS COMING TO AN ABRUPT END!


[2 Points] SpeedflyChris:

So either the IP address for the actual server is now out in the wild or the server has been mirrored and is out in the wild.

Either way it's fucked.


[1 Points] None:

[deleted]


[0 Points] None:

Someone is bullshitting the community.

I'd sooner trust Pinochet's view.

https://www.reddit.com/r/DarkNetMarkets/comments/6r5o1s/dhl_market_current_problems_consider_avoiding/