The Inj3ct0r team who provide ultimate database of exploits and vulnerabilities and a great resource for vulnerability researchers , has hacked into the ExploitHub.com(competitor of 1337day).
In an email sent to EHN, the team claimed that they have stolen private exploits worth around $242333.
"Today (December 11th), the Inj3ct0r Team has hacked http://exploithub.com and we like to add a small line here ' This is for Educational Purpose Only' " The Team.
They also have leaked some data compromised from the server which includes the list of column names and details about the private exploits.
"I am very much surprised when he learned of Magento eCommerce Software and search /install/The team also provided us the screenshot of the PHPinfo of the site.
1) We scan server and site
2) We reinstall Magento CMS https://www.exploithub.com/install/ <= We reinstall Magento CMS
3) Upload shell and phpinfo https://www.exploithub.com/phpinfo.php
4) Back all files and database.
5) Upload piece of the database https://www.exploithub.com/export/
6) Increased privileges "
The details can be found here:
http://priv8.1337day.com/
At the time of writing, the website (ExploitHub.com) is down. It seems like administrators take down the site for patching the vulnerability.
*Update* Exploit Hub has released official statement regarding the "Inj3ct0r attack" in their official facebook page.
"After our initial investigation we have determined that the web application server itself was compromised and access to the database on that server was available to the attacker. The server was compromised through an accessible install script that was left on the system rather than being removed after installation, which was an embarrassing oversight on our part. The statement reads.
The database on that server however only contains information used by the web application itself as well as product information such as exploit name, price, and Author, but does not contain any actual product data such as exploit code. The product data is stored elsewhere and there is currently no evidence that the storage location was accessed by any unauthorized party or that any of the exploit code or other product data has been compromised or stolen as has been claimed, however our investigation is ongoing.
The exploit information provided in Inj3ct0r's attack announcement text file and SQL dump consists of exploit names, prices, the dates they were submitted to the market, the Authors' IDs, and the Authors' usernames, all of which is publicly available information retrievable from the web application's normal browse and search functions; this is not private information and it was already publicly accessible by simply searching the product catalog through the website."
