Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Mailing Lists -> Oracle-L -> RE: eweek Oracle base breached using mdsys
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01C0030A.83D28B86
Content-Type: text/plain;
charset="iso-8859-1"
I agree Dr. Kumanov, homework must be done. I was just pointing out that they had worked weeks on the setup (covered in other columns on the website) to make sure there were no holes and they let a default password stay. A check of the manual or a simple select on dba_users after the installations had completed would have shown them what they needed to change. Just goes to show when you let the sysadmins and developers and/or non-dba types do the database administrator work, you get databases that really need administration and lots of it... Anyway, this day is over. Have a happy Friday everyone.
--Chris
Chris.Bowes_at_Kosa.com
-----Original Message-----
From: Nikolay Kumanov [mailto:nkumanov_at_zgb.bg]
Sent: Thursday, August 10, 2000 2:26 PM
To: Multiple recipients of list ORACLE-L
Subject: RE: eweek Oracle base breached using mdsys
I have only WinNT installation guide handy, but in chapter 6, "Reviewing Your Installed Starter Database Contents" it is said "This section describes the user names and passwords included in the starter database. Change the password for user names immediately after installation". And MDSYS user is there. OK, this user isn't granted any roles, but it has all the privileges granted directly. The manual doesn't mention this, so there is a mistake, but still, homework must be done sometimes.
/flameproof_suit_on
Probably that shows that we must go for databases that have only a single
'SA' account, so that securing them will be easier :}}}}}
/flameproof_suit_off
Dr. Nikolay Kumanov
MIS Manager, Zeitungsgruppe Bulgarien GmbH 47, Tsarigradsko chaussee, Sofia 1504, Bulgaria phone: +(359-2)4339-643, fax: +(359-2)946-1286 mailto:nkumanov_at_zgb.bg <mailto:nkumanov_at_zgb.bg>
"Show me a completely smooth operation and I'll show you someone who's covering mistakes. Real boats rock." - Frank Herbert, "Chapterhouse: Dune"
-----Original Message-----
From: Bowes, Chris [mailto:Chris.Bowes_at_kosa.com]
Sent: Thursday, August 10, 2000 7:19 PM
To: Multiple recipients of list ORACLE-L
Subject: eweek Oracle base breached using mdsys
Don't know if this was posted here or not. It was a hacker test setup. They "worked so hard" to secure the site and left a default password unchanged...
http://www.zdnet.com/eweek/stories/general/0,11011,2604981,00.html
<http://www.zdnet.com/eweek/stories/general/0,11011,2604981,00.html>
and a follow up
http://www.zdnet.com/eweek/stories/general/0,11011,2606344,00.html
<http://www.zdnet.com/eweek/stories/general/0,11011,2606344,00.html>
--Chris
Chris.Bowes_at_Kosa.com
------_=_NextPart_001_01C0030A.83D28B86
Content-Type: text/html;
charset="iso-8859-1"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>eweek Oracle base breached using mdsys</TITLE>
<META content="MSHTML 5.00.2919.6307" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN class=615442220-10082000>I
agree <FONT face=Arial size=2>Dr. Kumanov</FONT>, homework must be
done. I was just pointing out that they had worked weeks on the setup
(covered in other columns on the website) to make sure there were no holes and
they let a default password stay. A check of the manual or a
simple select on dba_users after the installations had completed would have
shown them what they needed to change. Just goes to show when you let the
sysadmins and developers and/or non-dba types do the database
administrator work, you get databases that really need administration and lots
of it... Anyway, this day is over. Have a happy Friday
everyone.</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN
class=615442220-10082000></SPAN></FONT> </DIV>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN
class=615442220-10082000></SPAN></FONT> </DIV>
<DIV><FONT color=#0000ff face=Arial size=2><SPAN
class=615442220-10082000></SPAN></FONT><FONT face=Arial size=2>--Chris</FONT>
<BR><FONT face=Arial size=2>Chris.Bowes_at_Kosa.com</FONT> </DIV>
<DIV> </DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader><FONT face="Times New Roman"
size=2>-----Original Message-----<BR><B>From:</B> Nikolay Kumanov
[mailto:nkumanov_at_zgb.bg]<BR><B>Sent:</B> Thursday, August 10, 2000 2:26
PM<BR><B>To:</B> Multiple recipients of list ORACLE-L<BR><B>Subject:</B> RE:
eweek Oracle base breached using mdsys<BR><BR></DIV></FONT>
<DIV><SPAN class=078475216-10082000><FONT face=Arial size=2>I have only WinNT
installation guide handy, but in chapter 6, "Reviewing Your Installed Starter
Database Contents" it is said "<FONT face="Times New Roman" size=3>This
section describes the user names and passwords included in the starter
database. Change the password for user names <EM class=Italic>immediately</EM>
after installation". And MDSYS user is there. OK, this user isn't granted any
roles, but it has all the privileges granted directly. The manual doesn't
mention this, so there is a mistake, but still, <FONT face=Arial
size=2>h</FONT></FONT></FONT></SPAN><SPAN class=078475216-10082000><FONT
face=Arial size=2>omework must be done sometimes.</FONT></SPAN></DIV>
<DIV><SPAN class=078475216-10082000><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=078475216-10082000><FONT face=Arial
size=2>/flameproof_suit_on</FONT></SPAN></DIV>
<DIV><SPAN class=078475216-10082000><FONT face=Arial size=2>Probably that
shows that we must go for databases that have only a single 'SA' account, so
that securing them will be easier :}}}}}</FONT></SPAN></DIV>
<DIV><SPAN class=078475216-10082000><FONT face=Arial
size=2>/flameproof_suit_off</FONT></SPAN></DIV>
<P><FONT face=Arial size=2>Dr. Nikolay Kumanov</FONT> </P> <P><FONT face=Arial size=2>MIS Manager, Zeitungsgruppe Bulgarien GmbH</FONT> <BR><FONT face=Arial size=2>47, Tsarigradsko chaussee, Sofia 1504,Bulgaria</FONT> <BR><FONT face=Arial size=2>phone: +(359-2)4339-643, fax: +(359-2)946-1286</FONT> <BR><U><FONT color=#0000ff face=Arial size=2><A href="mailto:nkumanov_at_zgb.bg">mailto:nkumanov_at_zgb.bg</A></FONT></U> </P> <P><FONT face=Arial size=2>"Show me a completely smooth operation and I'll show you someone who's</FONT> <BR><FONT face=Arial size=2>covering mistakes. Real boats rock." - Frank Herbert, "Chapterhouse: Dune"</FONT> </P> <BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"> <DIV align=left class=OutlookMessageHeader dir=ltr><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Bowes, Chris [mailto:Chris.Bowes_at_kosa.com]<BR><B>Sent:</B> Thursday, August 10, 2000 7:19 PM<BR><B>To:</B> Multiple recipients of list ORACLE-L<BR><B>Subject:</B> eweek Oracle base breached using mdsys<BR><BR></FONT></DIV> <P><FONT face=Arial size=2>Don't know if this was posted here or not. It was a hacker test setup. They "worked so hard" to secure the site and left a default password unchanged...</FONT></P> <P><FONT face=Arial size=2><A
</P> <P><FONT face=Arial size=2>and a follow up</FONT> </P> <P><FONT face=Arial size=2><A