RE: Oracle rootkit

  • From: "Reidy, Ron" <Ron.Reidy@xxxxxxxxxxxxxxxxxx>
  • To: <holland@xxxxxxxxxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
  • Date: Fri, 27 Jan 2006 09:07:18 -0700

My point was in reference to the earlier posting about Oracle providing
solutions.  As Alex points out, this patch is incomplete because it does
not test for hidden users.  What is really needed is a password checker
or cracker.  But even that may not be enough, given the vulnerabilities
described in Josh Wright's paper
http://www.sans.org/rr/special/index.php?id=oracle_pass.

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Rich Holland
Sent: Thursday, January 26, 2006 6:48 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: RE: Oracle rootkit


Ron Reidy wrote:

> [...] check out the password checking tool (patch
> 4926128) and see what Alex Kornbrust has to say about it at
> http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html

I went one better years ago (1999?  2000?).  We maintained a central
TNSNAMES.ORA file for all the databases we managed.  I'd parse that and
make SQL*Net connections to every database and try to log in with known
accounts (e.g. system/manager, sap/sapr3, etc.) and if successful
emailed both the Oracle DBAs and our help desk system to create a
security ticket.  That way if someone set up a new database and forgot
to change one of the known defaults, we'd catch it that same day.

Rich Holland
Principal Consultant
Guidance Technologies, Inc. 
Cell: 913-645-1950

--
//www.freelists.org/webpage/oracle-l
