Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
My point was in reference to the earlier posting about Oracle providing
solutions. As Alex points out, this patch is incomplete because it does
not test for hidden users. What is really needed is a password checker
or cracker. But even that may not be enough, given the vulnerabilities
described in Josh Wright's paper
http://www.sans.org/rr/special/index.php?id=oracle_pass.
-----Original Message-----
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Rich Holland
Sent: Thursday, January 26, 2006 6:48 PM
To: oracle-l_at_freelists.org
Subject: RE: Oracle rootkit
Ron Reidy wrote:
> [...] check out the password checking tool (patch
> 4926128) and see what Alex Kornbrust has to say about it at
> http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html
> .
I went one better years ago (1999? 2000?). We maintained a central TNSNAMES.ORA file for all the databases we managed. I'd parse that and make SQL*Net connections to every database and try to log in with known accounts (e.g. system/manager, sap/sapr3, etc.) and if successful emailed both the Oracle DBAs and our help desk system to create a security ticket... that way if someone set up a new database and forgot to change one of the known defaults, we'd catch it that same day.
Rich Holland
Principal Consultant
Guidance Technologies, Inc.
Cell: 913-645-1950
-- http://www.freelists.org/webpage/oracle-l
Received on Fri Jan 27 2006 - 10:07:18 CST
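The first step of the audit described in the message above, parsing a central TNSNAMES.ORA into a list of databases to check, is shown here as an added example; it is not code from the original thread or from any poster's script. The sample file contents and host names are constructed, and the function names are hypothetical; the login check and ticketing steps are left to whatever tooling the site already uses.

```python
import re

# Constructed sample of a central tnsnames.ora (aliases and hosts are made up).
SAMPLE = """
# central file
PROD1 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.internal)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = prod1.example.internal))
  )
LEGACY, LEGACY.WORLD =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = old-a.example.internal)(PORT = 1526))
      (ADDRESS = (PROTOCOL = TCP)(HOST = old-b.example.internal)(PORT = 1526))
    )
    (CONNECT_DATA = (SID = LEG))
  )
"""

def split_entries(text):
    """Yield (aliases, descriptor) pairs by tracking parenthesis depth."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comment lines
    depth, start, name = 0, 0, None
    for i, ch in enumerate(text):
        if ch == "=" and depth == 0 and name is None:
            name, start = text[start:i], i + 1  # alias list ends at top-level '='
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0 and name is not None:  # descriptor closed
                aliases = [a.strip().upper() for a in name.split(",") if a.strip()]
                yield aliases, text[start:i + 1]
                name, start = None, i + 1

def inventory(text):
    """Return (alias, host, port, id_type, id_value) per alias and listener address."""
    targets = []
    for aliases, desc in split_entries(text):
        m = re.search(r"\(\s*(SERVICE_NAME|SID)\s*=\s*([^)\s]+)\s*\)", desc, re.I)
        addrs = re.findall(r"\(\s*ADDRESS\s*=((?:\s*\([^()]*\))+)\s*\)", desc, re.I)
        for addr in addrs:
            kv = {k.upper(): v.strip() for k, v in re.findall(r"\(\s*(\w+)\s*=\s*([^()]*)\)", addr)}
            for alias in aliases:
                targets.append((alias, kv.get("HOST"), int(kv.get("PORT", 1521)),
                                m.group(1).upper() if m else None, m.group(2) if m else None))
    return targets
```

Comparing each day's inventory with the previous day's shows newly added databases, which are the ones most likely to still carry default account passwords.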