Alamak Chat Hacked



Document Released Sat Oct 19 17:07:24 SGT 2002

On Thursday we became aware that someone had access to our Ops password file.

After some checking, we found a security hole on one of our servers where users could have gotten a secondary copy of the file. This was a server that had been upgraded 2 weeks earlier but had been improperly configured after the upgrade. None of our other servers were affected or had the security hole.

The problem was solved, and since the suspected method involved file uploads, we began logging our file uploads. By the next day we found two suspect files that had been uploaded. These were PHP scripts designed to find and read the copy of the password file on that server. The scripts can still be uploaded, but PHP is now disabled for that directory and they can no longer get the new passwords.

Since the problem is solved we have run a password change for all Operators and issued the new passwords by email. The email is shown below.

Note that our account manager will be down a few days for reprogramming.

Account Manager


After a few days we will put the new account manager up and you can all reset your passwords to whatever you like at that time. We will be switching from the perm password system to a new Challenge Phrase and Challenge Password system, so it will be easier for you to remember your secure Challenge Password rather than relying on matching account information (less secure).

Do not send us email directly, our email box is flooded. Please use the Contact Page and we'll try to solve your problem as soon as possible!

You can also call John in Singapore 11am-6pm SGT Mon-Fri.

Note that in the USA or Canada this is the same as 11pm-6am EST or 8pm-3am PST.

  • Alamak Internet
  • Alamak Development Office
  • 2 International Business Park #01-26
  • The Strategy
  • Singapore S(609930)
  • (65) 6 720 1804


You can also contact John at the following address.

How Did We Get Hacked?



The server didn't actually get hacked. What happened is we reinstalled our web servers about 2 weeks ago and woah.alamak.com was not reconfigured correctly.

Two years ago when we first started using PHP I hacked the server using the freehome pages, as a test. This was proof enough that it could be done and so I disabled PHP scripts in user directories like freehome and the upload directory.

When I reinstalled I overlooked a second PHP enable statement in the global server configuration.

A user then uploaded a PHP script which was able to read a copy of our Operator Password File. This was not our master file but a copy of it. So even if he had used his PHP script to write over the file it would have been replaced by our other servers' good copy automatically.

This is good news because it means he wasn't able to change your account info, unless he used your passwords and the account manager, which is temporarily disabled now.
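
The failure described above (PHP disabled per directory, while a second enable statement in the global configuration is overlooked) can be checked for mechanically. The following is an added example, not Alamak's code or configuration: it assumes Apache-style configuration with mod_php directives (the page does not name the web server), and the paths, sample configuration and function name are constructed for illustration.

```python
import re

# Constructed sample in Apache/mod_php syntax (assumed; the page does not name
# the web server). Paths are illustrative, not Alamak's real layout.
SAMPLE_CONF = """\
AddType application/x-httpd-php .php
<Directory /www/upload>
    RemoveType .php
</Directory>
<Directory /www/freehome>
    php_admin_flag engine off
</Directory>
# a second enable statement, easy to overlook after a reinstall
AddType application/x-httpd-php .html .phtml
"""

def php_extensions_in(conf_text, directory):
    """Map each extension still run as PHP in `directory` to its enabling line."""
    scopes, current = {"": []}, ""   # "" is the global server scope
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            current = opened.group(1).strip().rstrip("/") + "/"
            scopes.setdefault(current, [])
        elif line.lower().startswith("</directory"):
            current = ""
        elif line and not line.startswith("#"):
            scopes[current].append((lineno, line.split()))
    # Global directives apply wherever they sit in the file; matching
    # <Directory> blocks are merged afterwards, shortest path first.
    target = directory.rstrip("/") + "/"
    nested = sorted((p for p in scopes if p and target.startswith(p)), key=len)
    mapped, engine_on = {}, True
    for path in [""] + nested:
        for lineno, words in scopes[path]:
            name, args = words[0].lower(), [w.lower() for w in words[1:]]
            kind = "type" if name.endswith("type") else "handler"
            if name in ("addtype", "addhandler") and args and "php" in args[0]:
                for ext in args[1:]:
                    mapped[(kind, ext.lstrip("."))] = lineno
            elif name in ("removetype", "removehandler"):
                for ext in args:
                    mapped.pop((kind, ext.lstrip(".")), None)
            elif name in ("php_flag", "php_admin_flag") and args[:1] == ["engine"]:
                engine_on = args[1:2] not in (["off"], ["0"])
    # Only global scope and <Directory> blocks are modelled here.
    return {ext: n for (_, ext), n in mapped.items()} if engine_on else {}
```

On the sample, `/www/upload` still runs `.html` and `.phtml` files as PHP because `RemoveType .php` undoes only the first mapping, while `engine off` in `/www/freehome` covers every extension.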

Proof The Problem is Solved!



I have proof that this was the method used. On Thursday I first became aware that someone had my passwords. I then checked the servers and found the PHP misconfiguration. I fixed this then added logging into the upload script.

The script recorded two files ending in .html uploaded on Friday, the next day. I even managed to grab the files out of the upload directory before the nightly flush. I have confirmed that these scripts did read the copy of our operator passwords file and this is how the passwords got out.

So the problem is solved, the hacker can not get your new passwords. I apologize for any inconvenience but we must change everyone's passwords.
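
The upload logging described above recorded two files whose .html names hid PHP code. As an added example (not the upload script used by Alamak; the function names, log fields and sample uploads are constructed), this code builds an audit record for every upload and flags PHP markers found in the content instead of trusting the extension:

```python
import hashlib
import json
import re
import time

# PHP markers are looked for in the content, never inferred from the file name.
PHP_MARKERS = {
    "php_open_tag": re.compile(rb"<\?php\b", re.I),
    "php_echo_tag": re.compile(rb"<\?="),
    "php_short_tag": re.compile(rb"<\?(?!xml\b|php\b|=)", re.I),
    "php_script_tag": re.compile(rb"<script[^>]*language\s*=\s*[\"']?php", re.I),
}

# Constructed sample uploads (harmless content), not the files from the incident.
SAMPLE_UPLOADS = [
    ("hello.html", b"<html><body>hello</body></html>"),
    ("notes.html", b"<html><?php echo date('Y'); ?></html>"),
    ("logo.svg", b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'),
]

def inspect_upload(filename, data, remote_addr, now=None):
    """Build one audit record for an upload (hypothetical helper and field names)."""
    hits = sorted(name for name, rx in PHP_MARKERS.items() if rx.search(data))
    return {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)),
        "remote_addr": remote_addr,
        "filename": filename,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "php_markers": hits,
        "action": "quarantine" if hits else "accept",
    }

def audit_lines(uploads, remote_addr, now=None):
    """Return one JSON log line per upload, written before any nightly flush."""
    return [json.dumps(inspect_upload(name, data, remote_addr, now), sort_keys=True)
            for name, data in uploads]
```

A content check like this supports detection and evidence collection; the fix on the page remains disabling PHP execution in the upload directory.
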

The Email Sent to All Operators


The following email was sent to all Operators on 19, Oct, 2002 SGT.

Alamak Ops password has been hacked, we are doing a
force password change for all users.

Nickname       : nick
Login Password : new password
Perm Password  : new permanent password
Suspended      : suspend reason

These new passwords were randomly generated.

We apologize for any inconvenience but this password
change is necessary.

If your account was deopped or suspended during the
hacking please contact stingray, Remedy, Alachat, Leo,
Berry, Empusa, GR on server MY, Alamak on server SG,
or DNA on server SG to restore your account.

You have been assigned new passwords for your Alamak
Ops account. This is a forced password change because
our Ops password file got hacked.

This password file DOES NOT contain any CREDIT CARD
information, expiration dates, cardholders name, etc.
In fact our server doesn't have any credit card
information on it.

Account Manager is Disabled ( temporarily )

https://alamak.com.sg/cgi-bin/manage.cgi

Our account manager will be down for a few days
while we change our perm password system. This is
because the hacker could have your account particulars
and use this to get your new passwords with the account
manager.

We will be changing from a perm password system to
a Challenge Phrase and Challenge Password system
and remove the address verification system currently
used.

Once we set up the challenge phrase system please use
the manager at that time to set up your challenge
phrase and challenge password. You will also be able
to reset your passwords at that time.

https://alamak.com.sg/cgi-bin/manage.cgi  ( in a few days )

How to Contact Alamak?

Please wait a few days, we are going to be swamped with
requests and please use the account manager above as first
choice. As a last resort use the contact us. Do not send
email directly, our email box is flooded but we will check
the contact page requests in a few days.

If you need to contact us please use our contact page, do
not send email directly as this goes into another junk mailbox
and is just thrown away.

Use...

http://alamak.com.sg/contact.phtml

and let us know how we can help you. You can also call
the main office in Singapore 11am-6pm SGT Mon-Fri.

Note that in the USA or Canada this is the same as
11pm-6am EST or 8pm-3am PST.

  Alamak Internet
  Alamak Development Office
  2 International Business Park #01-26
  The Strategy
  Singapore  S(609930)
  (65) 6 720 1804

How did we get hacked?

The server didn't actually get hacked. What happened is
we reinstalled our web servers about 2 weeks ago and
woah.alamak.com was not reconfigured correctly.

Two years ago when we first started using PHP I hacked
the server using the freehome pages, as a test. This
was proof enough that it could be done and so I disabled
PHP scripts in user directories like freehome and the
upload directory.

When I reinstalled I overlooked a second PHP enable statement
in the global server configuration.

A user then uploaded a PHP script which was able to read
a copy of our Operator Password File. This was not our
master file but a copy of it. So even if he had used his
PHP script to write over the file it would have been
replaced by our other servers' good copy automatically.

This is good news because it means he wasn't able to
change your account info, unless he used your passwords
and the account manager, which is temporarily disabled
now.

Proof The Problem is Solved!

I have proof that this was the method used. On Thursday
I first became aware that someone had my passwords. I
then checked the servers and found the PHP misconfiguration.
I fixed this then added logging into the upload script.

The script recorded two files ending in .html uploaded on
Friday, the next day. I even managed to grab the files
out of the upload directory before the nightly flush.
I have confirmed that these scripts did read the copy
of our operator passwords file and this is how the
passwords got out.

So the problem is solved, the hacker can not get your
new passwords. I apologize for any inconvenience but
we must change everyone's passwords.

Password Protection

Note, it is a common ploy for hackers to pretend to
send email from Alamak saying you are accused of
account sharing and will be suspended unless you go
put your passwords on some form etc etc. We never do
that and don't fall for it. Below is more information
on how to protect your passwords.

We advise you to delete this from your email account,
computer as well as your Trash. If someone hacks your
email account or your PC with a Trojan and the passwords
are saved there then the hacker has your Alamak account
passwords.

Also, do not use these same passwords on any other sites.
Hackers frequently set up their own fake login pages or
even a working chat site for the sole purpose of getting
Alamak Ops passwords. The admin of those sites just takes
your password from his site and tries on Alamak and hacks
your Alamak account. So use a different password on other
sites!!!

Finally, if someone sends you an email asking for your passwords
saying they will suspend your account if you don't respond
or offering you something for free etc etc, don't give it
out! We will never ask for your passwords by email or within
the chat.

Thanks again for your support and remember,
keep Alamak friendly!!!