Mamba Market [/r/MambaMarket] shelled + rooted.

Evening all. I'll be keeping this post short & sweet as I can't be bothered with a long, tedious writeup here. Hopefully this post will be the end of these fools.
http://fvcza3k7uoakcxal.onion/uploads/InsanityDRM.php

Firstly, if you're not familiar with WhiteShadow Market, head over & read this post;
https://www.reddit.com/r/DarkNetMarkets/comments/7ekvlc/avoid_white_shadow_market_at_all_costs/

Today I figured I'd take a look at /r/MambaMarket as someone brought it to my attention a week or so back. I had a hunch after having an initial peek that the /r/WSMarketplace admins were behind it.

Well, now I can confirm those suspicions. I won't delve into massive detail here but the end result can be summarised with these images below;

https://linx.li/ib8yvoih.png (Didn't even rename the database, lol)
https://linx.li/98y78ih9.png (Forum on the same server, lol)
https://linx.li/bui7v86.png

This is security at its worst; it looks like the owner of the market may be running this from his home PC. He's running Whonix in a VM. He has a bunch of interesting stuff on his desktop, including but certainly not limited to Mamba's unencrypted private key & his personal BTC/LTC wallets with his unencrypted private keys. The bash history of the box is hilarious & is mostly the admin running 'bitcoin-cli getbalance' to see if any more unsuspecting users have deposited into his market. Fun fact: there was hardly any BTC in the market wallets, even though some users have balances in the hundreds in the SQL user database; the greedy admin has already withdrawn most of the market funds, so even if users wanted to withdraw, they can't. They also take 1% more commission than they actually claim to.

Oh and before I head off, when I backconnected to the server to obtain root, the login was the default root:changeme. Solid security practices you have there admin...

Also, lol; https://www.reddit.com/r/DarkNetMarkets/comments/82am6t/olympus_market_is_a_joke/dva7xl3/

Nothing like famous last words I guess.

@ /u/SnakeFireMamba You ain't real like dat


Comments


[21 Points] fuckyourplugdnm:

Lol, the best part: "they also take 1 percent more commission than they claim"

Sneaky scum


[22 Points] savingfluffybunnies:

This market tried to apply to the superlist but was too retarded to figure anything out so I told them to message us in 30 days and try again. Good thing I guess, it appears nature has taken its rightful course & claimed another market.


[13 Points] _PrinterPam_:

the login was the default root:changeme.

Forget the rest. That one slayed me. Another wannabe web superstar with little-to-no knowledge of Linux administration. Secure your privileged accounts and filesystems, folks. If he was running it at home, he could have flat-out disabled SSH. Or at the very least disable password logins and switch to RSA auth. Neither would take more than 3 minutes to implement.

Of course that wouldn't do any good if you gain access to the shell via other means and the guy didn't change the passwords & shore up the filesystem. From the sound of it you only SSH'd after the fact, correct? Web exploit?
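
The two settings _PrinterPam_ mentions can be checked before trusting a box. The script below is an added example, not code from this thread or from the market's server: it audits an sshd_config the way sshd itself reads it (first value of a keyword wins, later duplicates are ignored, only the global section before any Match block is considered), and runs that audit over a constructed weak config and a constructed hardened one. It assumes OpenSSH 7.0+ defaults (PasswordAuthentication yes, PermitRootLogin prohibit-password, PubkeyAuthentication yes); the sample configs are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# _PrinterPam_ mentions (password logins, root login) before trusting a box.
# Assumption: OpenSSH 7.0+ defaults (PasswordAuthentication yes,
# PermitRootLogin prohibit-password, PubkeyAuthentication yes).

# sshd uses the FIRST value it reads for a keyword; later duplicates are
# silently ignored. Keywords are case-insensitive; "key value" and "key=value"
# are both accepted. Only the global section is read: a Match block can
# re-enable password auth for some clients, and this audit does not follow it.
sshd_effective() {
    # $1 config file, $2 keyword, $3 sshd default used when the keyword is absent
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    val=$(awk -v key="$key" '
        { sub(/^[[:space:]]+/, ""); sub(/#.*/, "") }   # strip indent and comments
        NF == 0 { next }
        { split($0, f, /[[:space:]=]+/); kw = tolower(f[1]) }
        kw == "match" { exit }                          # end of global section
        kw == key { print f[2]; exit }                  # first occurrence wins
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Prints each failing setting to stderr and the number of findings to stdout.
sshd_audit() {
    cfg=$1
    n=0
    pa=$(sshd_effective "$cfg" PasswordAuthentication yes)
    prl=$(sshd_effective "$cfg" PermitRootLogin prohibit-password)
    pka=$(sshd_effective "$cfg" PubkeyAuthentication yes)
    if [ "$pa" != "no" ]; then
        echo "FAIL $cfg: PasswordAuthentication=$pa (a root:changeme style password can be guessed)" >&2
        n=$((n + 1))
    fi
    case "$prl" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL $cfg: PermitRootLogin=$prl (direct root login allowed)" >&2
           n=$((n + 1)) ;;
    esac
    if [ "$pka" != "yes" ]; then
        echo "FAIL $cfg: PubkeyAuthentication=$pka (no key auth left to log in with)" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample configs for the demo (not taken from any real server).
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# "hardened" later by appending a line; sshd keeps the first value, so this does nothing:
PasswordAuthentication no
EOF

HARD=$(mktemp)
cat > "$HARD" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication=yes
AuthorizedKeysFile .ssh/authorized_keys
EOF

echo "weak findings:     $(sshd_audit "$WEAK")"
echo "hardened findings: $(sshd_audit "$HARD")"
```

The weak config is the interesting one: it contains `PasswordAuthentication no`, but appended after an earlier `yes`, so sshd never applies it. Run the audit against `/etc/ssh/sshd_config` on a box you own and then confirm with `sshd -T | grep -i passwordauthentication`, which prints the value sshd actually resolved, Match blocks included.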


[7 Points] DNrick_sanchez:

God's work, man. People like you make this community great. +1

EDIT: Have you ever tested against Dream? I assume they are above par, no?


[2 Points] givemetheterps420:

Popcorn.jpg


[1 Points] positive-change:

Another one bites the dust. Thanks, InsanityDRM


[2 Points] AutoModerator:

/u/SnakeFire - You have been summoned in this thread by /u/InsanityDRM.

This convenience is brought to you by AutoMod. Submissions do not automatically summon users like comments do. AutoMod is trying to be helpful.

For others, it should no longer be necessary to summon the referenced user in a comment any more. AutoMod has done the heavy lifting for you. You're welcome. Bow before me.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.


[2 Points] DarkNetSoftwareEng:

Good detective work Lou.


[2 Points] None:

Looks like they're using stolen Reddit accounts to post fake reviews too.

https://redd.it/81wyyz

Last real posts from 6 months ago, then the account goes silent and pops up shilling for Mamba a couple of days ago. Language went from decent English to broken English.


[1 Points] Checkyostats123:

::drops mic::


[1 Points] Kritone:

you so smart, fuck me hard plz


[1 Points] cabackdoormedical:

Thanks for the work /u/InsanityDRM. Does this mean Wall St Market is fucked too?


[1 Points] Kritone:

Mind giving me the source code of the market? I want to run my own market. Me and my friend /u/pedroelcabaloloco will run a market and host it on his Raspberry Pi, and if the feds knock on the door we will just put it in the microwave.


[1 Points] n0dseen:

This is really sick. I've had the thought of setting up a DNM before; seems pretty simple. The fact that people like this out there are seriously attempting to run DNMs... Well, as /u/savingfluffybunnies said, it appears nature has taken its course.

So the guy really had BTC deposits in the hundreds? Pretty fucking wild. Sounds like we should create our own.


[-1 Points] bubmle11:

Well done!!! I hate you anyway!1!


[-2 Points] None:

[deleted]


[-4 Points] None:

[removed]


[-4 Points] Kaussaq:

I think this kinda thing needs to be on /r/DNSTARS @ /u/DNSTARS

Edit: never mind it already is


[-13 Points] None:

[removed]