
Re: security problem with 8i

From: Brian McGraw <brian.mcgraw_at_infinity-insurance.com>
Date: Wed, 18 Jul 2001 08:52:42 -0700
Message-ID: <F001.0034D8AD.20010718085609@fatcity.com>

Ah, War stories...

Reminds me (somewhat) of a company that I consulted, that had been suddenly abandoned by its DBA in November, 1999 - anyone remember the Y2K panic??

They couldn't explain the CPU slowdown and lack of IO throughput. So I went on site, and their DBA with 5 years of experience had exactly 3 tablespaces in the system: TEMP, RBS, and SYSTEM. System was > 2GB and was composed of about 25 datafiles. Anyone care to guess where all of the db objects lived???

It was a production system, BTW. It's nice to feel like a miracle-worker sometimes. : )

Brian

Rachel Carmichael wrote:

> I would doubt he's joking. I've had similar experiences....
>
> transferred to another department within the same company. Get a call from
> my old boss "our dba is out sick, we HAVE to have this done today, this is a
> highly secured system you have to help and make the changes from this pc"
>
> I go there, cannot log into the database with the username and password he
> gives me. We call the dba (who was really sick), apologize and ask for the
> username and password -- same as what I had. Still does not work. I stop,
> think and say "let me try something"
>
> and log in as system/manager
>
> I do what they ask me to, then take my old boss aside and explain (gently)
> that he has a security hole in his "highly secured" system that I could
> drive a truck through.
>
> >From: paquette stephane <stephane_paquette_at_yahoo.com>
> >Reply-To: ORACLE-L_at_fatcity.com
> >To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
> >Subject: Re: Re[2]: security problem with 8i
> >Date: Wed, 18 Jul 2001 07:25:48 -0800
> >
> >Are you joking ?
> >
> > --- dgoulet_at_vicr.com wrote:
> > > Although there has been so much publicity of security "holes" in Oracle, in
> > > particular the listener, the one hole that really causes me concern is the
> > > default passwords for sys and system and/or using the username as a password.
> > > Over the past 2 years I've been to a few sites, like 4, at a friend's request
> > > and/or on an interview where the manager said "show me" and each time I've been
> > > able to log onto the DB with any of the following:
> > >
> > > sys/change_on_install
> > > sys/sys
> > > system/system
> > > system/manager
> > >
> > > Now come on, this was an old V6 thing that we were supposed to do, and we're
> > > still not!!
> > >
> > > Dick Goulet
> > >
> > > ____________________Reply Separator____________________
> > > Author: Ray Stell <stellr_at_stell.cns.vt.edu>
> > > Date: 7/18/2001 5:15 AM
> > >
> > > On Wed, Jul 18, 2001 at 03:45:57AM -0800, Jon Walthour wrote:
> > > > Listers:
> > > >
> > > > My client has asked me to look into this issue and determine if they should
> > > > be concerned about it or not. Since they don't have any db's directly
> > > > accessible from the Internet and since their LAN is very secure anyway, I'm
> > > > inclined to not apply any patches based on the premise that if it isn't a
> > > > necessary patch, don't apply it in fear of breaking something else. What do
> > > > you think?
> > > > --
> > >
> > > two words, disgruntled employee
> > >
> >===============================================================
> > > Ray Stell stellr_at_vt.edu (540) 231-4109
> > > KE4TJC 28^D
> > > --
> > > Please see the official ORACLE-L FAQ:
> > > http://www.orafaq.com
> > > --
> > > Author: Ray Stell
> > > INET: stellr_at_stell.cns.vt.edu
> > >
> > > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> > > San Diego, California -- Public Internet access / Mailing Lists
> > > --------------------------------------------------------------------
> > > To REMOVE yourself from this mailing list, send an E-Mail message
> > > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > > the message BODY, include a line containing: UNSUB ORACLE-L
> > > (or the name of mailing list you want to be removed from). You may
> > > also send the HELP command for other information (like subscribing).
> >
> >=====
> >Stéphane Paquette
> >DBA Oracle, consultant entrepôt de données
> >Oracle DBA, datawarehouse consultant
> >stephane_paquette_at_yahoo.com

--
--------------------------------------
| Brian McGraw     --     Oracle DBA |
| Central Alabama Oracle Users Group |
|------------------------------------|
| mailto:BMcGraw_at_mindspring.com      |
| http://bmcgraw.home.mindspring.com |
--------------------------------------


Received on Wed Jul 18 2001 - 10:52:42 CDT
