Hello,

It's bad news. I'm looking at oracle.com to see if there is a patch available, but no luck so far. If anyone knows of a patch, please let me know.

Thank you.

On Thu, Apr 8, 2010 at 5:11 AM, Zed Qyves <zqyves.spamtrap@xxxxxxxxx> wrote:
> Hello,
>
> From what I saw about the ora-userenum.exe:
> 1) It is part of the Oracle Assessment Kit collection of tools for auditing
> Oracle databases.
> 2) It does not need credentials to connect to the db, hence the removal of
> select from all_users regarding public didn't do you any good.
> 3) It is run as ora-userenum <host> <port> <sid> <userlistfile>. The last
> param is a file containing a list of users to check for their existence.
> Going through the source it is apparent that it initiates a login sequence
> to the db with each of those users and depending on some TNS packet
> properties it receives back from the database server it deduces whether it
> is a valid username or not.
>
> You can have a copy of OAK (including source code) from
> http://www.databasesecurity.com/dbsec/OAK.zip.
>
> Basically there is nothing you can do about it at the db level other than
> to make sure that you don't give your users usernames that exist in this
> file :) .
>
> Best regards,
>
> ./ZQ