RE: Oracle rootkit
- From: "MacGregor, Ian A." <ian@xxxxxxxxxxxxxxxxx>
- To: <jkstill@xxxxxxxxx>, <oracledba.williams@xxxxxxxxx>
- Date: Wed, 25 Jan 2006 11:21:41 -0800
Starting with Oracle 10G you need to be a member of the dba group to shut down
the listener. Adding a password means members outside the group can shut down
the listener if they know the password.
On a related topic, Oracle sometimes decides to start up a second listener on the
same port, thereby causing denial of service. Under Oracle 9i and before, the
password only provided protection against shutting down the listener, not
starting it up.
Ian MacGregor
Stanford Linear Accelerator Center
ian@xxxxxxxxxxxxxxxxx
-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On
Behalf Of Jared Still
Sent: Wednesday, January 25, 2006 6:55 AM
To: oracledba.williams@xxxxxxxxx
Cc: oracle-l
Subject: Re: Oracle rootkit
It's time to get serious about security, if you're not already.
Put passwords on listeners, etc.
It would also be a good idea to track changes to the data dictionary.
Our databases have a baseline run once a month that tracks
DDL dates, new/missing objects and checksums on stored code,
including views.
A report is spit out showing differences between the baseline (could
be any previous run) and the current one.
That will help detect root kits.
The problem with that is if something is modified, and then changed
back to its original state between data collection runs.
The change date can be detected, but not how it was changed.
Then again, a savvy root kit would put all the dates back.
Oracle may need to start supporting auditing on the DD objects.
Jared
On 1/25/06, Dennis Williams < oracledba.williams@xxxxxxxxx
<mailto:oracledba.williams@xxxxxxxxx> > wrote:
List,
Here is a significant media article that I haven't seen posted here.
It describes a nightmarish future of Oracle security problems. But
then maybe I was napping. Hey maybe this article is a hallucination.
http://www.eweek.com/article2/0,1895,1914465,00.asp
Dennis Williams
--
http://www.freelists.org/webpage/oracle-l
--
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
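
The baseline comparison described in the quoted message (DDL dates, new/missing objects, checksums on stored code including views), as an added Python sketch that is not part of the thread and not the poster's own tooling. It classifies each difference between two snapshots, including the cases the message raises: a date that moved while the code is identical, and code that changed while the date did not. Assumptions: the `Obj` fields, the finding labels and the `APP` schema objects are hypothetical, and the rows are constructed sample data standing in for a data dictionary extract.

```python
import hashlib
from typing import NamedTuple

class Obj(NamedTuple):
    owner: str
    name: str
    type: str
    last_ddl: str  # last DDL time rendered as ISO text (assumed input format)
    source: str    # stored code or view text; "" for objects without code

def snapshot(rows):
    """Map (owner, name, type) -> (last_ddl, SHA-256 of the source text)."""
    return {(r.owner, r.name, r.type):
            (r.last_ddl, hashlib.sha256(r.source.encode()).hexdigest())
            for r in rows}

def diff(baseline, current):
    """Compare two snapshots; return a sorted list of (finding, key)."""
    findings = [("NEW", k) for k in current.keys() - baseline.keys()]
    findings += [("MISSING", k) for k in baseline.keys() - current.keys()]
    for k in baseline.keys() & current.keys():
        (b_ddl, b_sum), (c_ddl, c_sum) = baseline[k], current[k]
        if b_sum != c_sum:
            # Code differs; an unchanged DDL date suggests the date was put back.
            findings.append(("CODE_CHANGED_DATE_RESET" if b_ddl == c_ddl
                             else "CODE_CHANGED", k))
        elif b_ddl != c_ddl:
            # Same code, newer date: changed and reverted, or simply recompiled.
            findings.append(("DDL_DATE_ONLY", k))
    return sorted(findings)

# Constructed sample data (hypothetical APP schema, not from the thread).
BASELINE = snapshot([
    Obj("APP", "PAY_V", "VIEW", "2006-01-01T02:00:00", "select id, amt from pay"),
    Obj("APP", "AUDIT_PKG", "PACKAGE BODY", "2006-01-01T02:00:00", "begin log(); end;"),
    Obj("APP", "RATES_FN", "FUNCTION", "2006-01-01T02:00:00", "return 1;"),
    Obj("APP", "OLD_PROC", "PROCEDURE", "2006-01-01T02:00:00", "null;"),
])
CURRENT = snapshot([
    Obj("APP", "PAY_V", "VIEW", "2006-01-01T02:00:00", "select id, amt from pay where id<>7"),
    Obj("APP", "AUDIT_PKG", "PACKAGE BODY", "2006-01-20T23:10:00", "begin log(); end;"),
    Obj("APP", "RATES_FN", "FUNCTION", "2006-01-22T09:00:00", "return 2;"),
    Obj("APP", "NEW_TRG", "TRIGGER", "2006-01-21T03:00:00", "begin null; end;"),
])

if __name__ == "__main__":
    for finding, key in diff(BASELINE, CURRENT):
        print(f"{finding:24} {'.'.join(key[:2])} ({key[2]})")
```

A snapshot in which both the code and the dates match the baseline produces no findings at all, which is the blind spot the message points out for changes reverted between collection runs.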