| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Mailing Lists -> Oracle-L -> RE: rogue SYS connections
Thanks Ron.
No, we use SQL-Backtrack instead of RMAN. However SQL-Backtrack does show a diff flavor of rogue connections of ###NOBODY.
The remote database systems that are connecting to our database as SYS are not ones we support. What is common about these databases is they do have logins to our database. Those logins have only 'create session' privileges with select grants on views we created for our application.
Suzy
-----Original Message-----
Ron Rogers
Sent: Wednesday, December 10, 2003 1:24 PM
To: Multiple recipients of list ORACLE-L
Suzy,
Do you use RMAN to perform backups? Do you use a catalog with RMAN?
Rman uses sys to perform the connections to the target database.
Just a thought,
Ron
>>> Suzy.Vordos_at_qwest.com 12/10/2003 3:09:33 PM >>>
Solaris 2.8 Oracle 8.1.7.0. We have session auditing enabled, and see rogue connections as SYS from several remote databases. The os_user of the remote system is always oracle and there are several different remote hosts involved.
I can't figure out how they are gaining access this way. Our SYS password is set to a random string, not the default, and we change it frequently. There are no corresponding telnet sessions indicating access is local from our server, and we also change our oracle password frequently.
I know the listener has vulnerabilities and we should apply those patches, but want to be sure we don't have an obvious configuration problem that is allowing these connections. Any ideas?
Here is a snippet from the audit trail:
DEC-09-03 15:13:10 SYS UNKNOWN
101
Authenticated by: DATABASE; Client address:
(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.19
2.236)(PORT=63519))
USERNAME OS_USERNAME ACTION TERMINAL TIMESTAMP RETURNCODE
-------- ------------ ------ -------------- ------------------ ---------- SYS oracle LOGOFF UNKNOWN DEC-09-03 15:13:100
Thanks,
Suzy
--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: Vordos, Suzy
INET: Suzy.Vordos_at_qwest.com
Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services ---------------------------------------------------------------------To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services ---------------------------------------------------------------------To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services ---------------------------------------------------------------------To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). Received on Wed Dec 10 2003 - 14:49:25 CST
 |
 |