ExploitHub, a site that offers code that takes advantage of software vulnerabilities for a small fee, has found itself hacked, with a large database of its marketable software made available for free in a site dump.
Initially, the site’s admins claimed that merely a message board discussion database had been ripped from the site, but now it’s been confirmed that more than that was taken. Those claiming responsibility – Inj3ct0r Team – have said that they managed to download nearly a quarter of a million dollars (£150,000) worth of code.
“We hacked exploithub.com because the people who publish private exploits on exploithub.com need to know that the ExploitHub Admins are lamers and can not provide them with adequate security,” the team said in a posting. Inj3ct0r operates a rival exploit code site, 1337day.com.
While ExploitHub now appears to be down, The Register has a few choice quotes from the website owners:
“After our initial investigation we have determined that the web application server itself was compromised and access to the database on that server was available to the attacker. The server was compromised through an accessible install script that was left on the system rather than being removed after installation, which was an embarrassing oversight on our part.”
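The root cause the owners describe, an installer script left reachable on a production web server, is a common post-deployment oversight that a routine check can catch. The following is an added example, not code from ExploitHub or from the article: a small Python audit that walks a web root, flags files and directories whose names match common installer conventions, and moves them into a quarantine directory outside the web root. The filename patterns and the sample web root it builds are constructed for illustration; extend the patterns to match the applications you actually deploy.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Filenames that web application installers commonly leave behind.
# Constructed list for this example; adjust for the stacks you run.
INSTALLER_FILE_PATTERNS = [
    re.compile(r"^install(er)?\.(php|py|pl|sh|cgi|aspx?)$", re.I),
    re.compile(r"^setup(-config)?\.(php|py|pl|sh|cgi|aspx?)$", re.I),
    re.compile(r"^upgrade\.(php|py|pl|sh|cgi|aspx?)$", re.I),
]
# Directory names that usually hold installer or setup wizards.
INSTALLER_DIR_NAMES = {"install", "installer", "setup"}


def find_leftover_installers(webroot):
    """Return web-root-relative paths of suspected installer files/dirs.

    Directories are reported with a trailing slash so a reviewer can tell
    them apart from files at a glance.
    """
    webroot = Path(webroot)
    hits = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel = Path(dirpath).relative_to(webroot)
        for d in dirnames:
            if d.lower() in INSTALLER_DIR_NAMES:
                hits.append(str(rel / d) + "/")
        for f in filenames:
            if any(p.match(f) for p in INSTALLER_FILE_PATTERNS):
                hits.append(str(rel / f))
    return sorted(hits)


def quarantine(webroot, hits, quarantine_dir):
    """Move flagged paths out of the web root so they are no longer served.

    Moving rather than deleting keeps the files available for the post-incident
    review while removing them from the attack surface. Returns the new paths.
    """
    webroot = Path(webroot)
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    moved = []
    for rel in hits:
        src = webroot / rel.rstrip("/")
        dst = quarantine_dir / rel.rstrip("/")
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))
        moved.append(str(dst))
    return moved


def build_sample_webroot():
    """Constructed sample: a fake web root with two installer leftovers."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in [
        "index.php",
        "install.php",           # leftover installer script
        "install/index.php",     # leftover installer directory
        "assets/app.js",
        "includes/config.php",
    ]:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<?php // placeholder content\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    found = find_leftover_installers(root)
    print("suspected installer leftovers:", found)
    moved = quarantine(root, found, Path(root).parent / "quarantine-example")
    print("moved to:", moved)
    print("remaining after quarantine:", find_leftover_installers(root))
```

Run it on a real web root (as the same user that deploys the application) from a post-deployment hook or a scheduled job; a non-empty result should block the deployment or raise an alert, since a reachable installer typically lets an unauthenticated visitor reconfigure or reinitialise the application.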
However, it suggested that what was taken was not vital information.
“The exploit information provided in Inj3ct0r’s attack announcement text file and SQL dump consists of exploit names, prices, the dates they were submitted to the market, the Authors’ IDs, and the Authors’ usernames, all of which is publicly available information retrievable from the web application’s normal browse and search functions; this is not private information and it was already publicly accessible by simply searching the product catalog through the website.”
Ultimately the organisation said that nothing of real value was stolen, just names and dates. This places its statement at odds with the Inj3ct0r claim of having stolen far more than that.
KitGuru Says: While both groups offer morally and legally questionable services, both sites make big claims of adhering to laws and rules. That makes it all the more interesting that Inj3ct0r was willing to announce its theft.