| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Mailing Lists -> Oracle-L -> rogue SYS connections
Solaris 2.8 Oracle 8.1.7.0. We have session auditing enabled, and see rogue connections as SYS from several remote databases. The os_user of the remote system is always oracle and there are several different remote hosts involved.
I can't figure out how they are gaining access this way. Our SYS password is set to a random string, not the default, and we change it frequently. There are no corresponding telnet sessions indicating access is local from our server, and we also change our oracle password frequently.
I know the listener has vulnerabilities and we should apply those patches, but want to be sure we don't have an obvious configuration problem that is allowing these connections. Any ideas?
Here is a snippet from the audit trail:
DEC-09-03 15:13:10 SYS UNKNOWN 101Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.19 2.236)(PORT=63519))
USERNAME OS_USERNAME ACTION TERMINAL TIMESTAMP RETURNCODE
-------- ------------ ------ -------------- ------------------ ---------- SYS oracle LOGOFF UNKNOWN DEC-09-03 15:13:10 0
Thanks,
Suzy
--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: Vordos, Suzy
INET: Suzy.Vordos_at_qwest.com
Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services ---------------------------------------------------------------------To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). Received on Wed Dec 10 2003 - 14:09:33 CST
 |
 |