Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: Oracle rootkit

RE: Oracle rootkit

From: MacGregor, Ian A. <ian_at_slac.stanford.edu>
Date: Wed, 25 Jan 2006 11:21:41 -0800
Message-ID: <7F24308CD176594B8F14969D10C02C6C8A062A@exch-mail2.win.slac.stanford.edu> 





Starting with Oracle 10G you need to be a member of the dba group to shutdown the listener.  Adding a password means members outside the group can shutdown the listener if they know the password.



On a related topic, Oracle sometimes decides to startua second listener on the same port; there by causing denial of service.  Under Oracle 9i and before the password only provided protection against shutting down the listener, not starting it up. 



Ian MacGregor


Stanford Linear Acclerator Center


ian_at_slac.stanford.edu 



-----Original Message-----



From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Jared Still
Sent: Wednesday, January 25, 2006 6:55 AM
To: oracledba.williams_at_gmail.com


Cc: oracle-l


Subject: Re: Oracle rootkit



It's time to get serious about security, if you're not already.



Put passwords on listeners, etc.



It would also be a good idea to track changes to the data dictionary.



Our databases have a baseline run once a month that tracks 
DDL dates, new/missing objects and checksums on stored code,
including views.



A report is spit out show differences between the baseline(could
be any previous run) and the current one.



That will help detect root kits.  



The problem with that is if something is modified, and then changed
back to its original state between data collection runs.  



The change date can be detected, but not how it was changed.



Then again, a savvy root kit would put all the dates back. 



Oracle may need to start supporting auditing on the DD objects.



Jared





On 1/25/06, Dennis Williams < oracledba.williams_at_gmail.com <mailto:oracledba.williams_at_gmail.com> > wrote:



        List,
        

	Here is a significant media article that I haven't seen posted here. 
	It describes a nightmarish future of Oracle security problems. But
	then maybe I was napping. Hey maybe this article is a hallucination.
	
	http://www.eweek.com/article2/0,1895,1914465,00.asp 
	
	Dennis Williams
	--
	http://www.freelists.org/webpage/oracle-l
	
	
	








-- 



Jared Still


Certifiable Oracle DBA and Part Time Perl Evangelist 



--



http://www.freelists.org/webpage/oracle-l
Received on Wed Jan 25 2006 - 13:21:41 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US