Re: dba_audit_session

From: Mladen Gogala <mgogala_at_yahoo.com>
Date: Sat, 09 May 2015 17:46:39 -0400
Message-ID: <554E803F.1090401_at_yahoo.com>



It would also be helpful to turn on "audit network" and examine the audit trail carefully. The AUDIT NETWORK command should reveal the source IP address and then you can figure out whether your database is under attack or an application is just coded incorrectly. My guess is that the latter is the case, since "EXAMPLE.COM" is frequently found in 3rd party applications as a connection example. It is likely the case of a misconfigured application which shouldn't have gained access to the network with the production database but somehow did.

On 05/08/2015 11:46 AM, Powell, Mark wrote:
>
> Someone else may recognize what causes these messages but until
> someone else posts you should be able to pull the IP address from the
> audit information for the failed connections and verify that the
> failed attempts are all coming from within your environment or from
> outside. If inside, you can look more closely at what the server in
> question is running.
>
> *From:* oracle-l-bounce_at_freelists.org
> [mailto:oracle-l-bounce_at_freelists.org] *On Behalf Of* Chris King
> *Sent:* Thursday, May 07, 2015 11:47 AM
> *To:* Oracle-l Digest Users
> *Subject:* Fw: dba_audit_session
>
> dbconsole has reported that "There have been 1068 failed login
> attempts in the last 30 minutes." So I did a select on
> dba_audit_session where returncode != 0 and found that in every case,
> the os_username is oracle, the returncode is 1017 (invalid
> username/password).. but.. and here's my question.. the username field
> of dba_audit_session varies and does not contain a database username.
> Some of the 70 different values are "MSGBOX(" "HTTPS:"
> ".EXAMPLE.COM" "AND1=1".
>
> How can I further track down what is happening?
>
> Note that this has only begun happening since I applied COST to
> restrict instance registration in Oracle RAC (Doc ID 1340831.1), so
> could be related, but it's not clear how the change would cause this.
>
> Thanks in advance all!
>

-- 
Mladen Gogala
Oracle DBA
http://mgogala.freehostia.com


--
http://www.freelists.org/webpage/oracle-l
Received on Sat May 09 2015 - 23:46:39 CEST
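
The query below is an added example, not part of the original thread. It is one way to pull the client address for the failed logons discussed above and group them by source. It assumes standard auditing is writing to the database audit trail and that COMMENT_TEXT in DBA_AUDIT_TRAIL carries the client address in the form `(ADDRESS=(PROTOCOL=tcp)(HOST=...)(PORT=...))`; check the format on your release. The one-day window is an arbitrary choice.

```sql
-- Added example: failed logons with ORA-01017, grouped by client source.
-- Assumption: COMMENT_TEXT holds "... Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=a.b.c.d)(PORT=n))"
-- for network logons. DBA_AUDIT_SESSION does not expose COMMENT_TEXT, so the
-- query reads DBA_AUDIT_TRAIL and filters on the LOGON action instead.
SELECT userhost,
       REGEXP_SUBSTR(comment_text, 'HOST=([^)]+)', 1, 1, NULL, 1) AS client_ip,
       os_username,
       COUNT(*)                 AS failed_attempts,
       COUNT(DISTINCT username) AS distinct_usernames,  -- many odd names from one source suggests a scanner or a broken client
       MIN(timestamp)           AS first_seen,
       MAX(timestamp)           AS last_seen
FROM   dba_audit_trail
WHERE  action_name = 'LOGON'
AND    returncode  = 1017            -- invalid username/password
AND    timestamp   > SYSDATE - 1     -- last 24 hours (constructed window)
GROUP  BY userhost,
          REGEXP_SUBSTR(comment_text, 'HOST=([^)]+)', 1, 1, NULL, 1),
          os_username
ORDER  BY failed_attempts DESC;
```

A single internal address with a high count and many distinct usernames points at one host to inspect; rows with a NULL client_ip are logons whose audit record carried no network address.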
