Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Possible Security Breach

Re: Possible Security Breach

From: Paul Drake <bdbafh_at_gmail.com>
Date: 26 Aug 2004 15:48:02 -0700
Message-ID: <910046b4.0408261448.1b408666@posting.google.com>


"Howard J. Rogers" <hjr_at_dizwell.com> wrote in message news:<412df507$0$18394$afc38c87_at_news.optusnet.com.au>...
> rc wrote:
>
> > Hi
> >
> > We run Oracle 8.7.1.4 on Solaris 8 Sparc
> >
> > I have noticed from our firewall log that our server is trying to
> > connect to an IP address on the Internet on port 1521.
>
> You know that port 1521 is the standard port for an Oracle listener, don't
> you?
>
> > I have never allowed port 1521 in/out via the firewall
>
> If the connection attempt is being made to the Internet, I suspect it's your
> Oracle configuration that needs looking at, not your firewall.
>
> > After further hunting, I have found that it is the pmon process that
> > is initiating the syn packet. Obviously the pmon process is being told
> > to do this by something else.
>
> Er, paranoia is a useful quality in some situations. But it also helps to
> know something about Oracle so that you can sensibly distinguish between
> those occasions when there's a real problem and those where Oracle is just
> doing its normal stuff.
>
> In 8i, we have automatic instance registration, whereby PMON every few
> minutes will attempt to make contact with a listener (usually, as
> mentioned, running on port 1521) in order to assure the listener that the
> instance is still running and to give it some load information.
>
> That way, the listener is in a position to load-balance user requests
> appropriately in a cluster situation. Or to connect a user with confidence
> of success in a non-cluster situation.
>
> What you are witnessing is, therefore, PMON's normal, hard-coded, behaviour.
> That it has maybe been directed to register with a listener outside your
> firewall is a configuration issue. Check tnsnames.ora and the init.ora
> parameter local_listener and maybe remote_listener too. The two parameters
> take values of tnsnames.ora aliases, which therefore resolve down to IP
> addresses and port numbers. If there is no explicit alias provided for
> either parameter, then the default behaviour is for PMON to register with a
> listener running on port 1521 on the local host. If the IP address to which
> registration is being directed is a definite no-no as far as you are
> concerned, the answer lies somewhere in those two files.
>
> > Are there known holes in the version of Oracle we run or can anyone point me
> > in the direction to find out what is telling pmon to do this?
> >
> > Thanks
>
> Are there known holes? Yes, but you've patched 8i as good as it's going to
> get.
>
> Regards
> HJR

There is also an event that can be set to disable dynamic registration.
Check Metalink.

Check to see if you have any stale database links (dba_db_links).

I hope that you have applied the patchsets (long ago, most likely) that addressed multiple vulnerabilities in the 8.1.7.4 TNS listener.

Pd

Received on Thu Aug 26 2004 - 17:48:02 CDT
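
The check suggested in the quoted reply (resolve local_listener and remote_listener through tnsnames.ora and see which host and port PMON will try to register with) can be scripted. The following is an added example, not part of the original posts: the sample file contents, the function names and the allow-list of networks are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample files, not taken from the thread (203.0.113.10 is a documentation address).
INIT_ORA = 'db_name = PROD\nlocal_listener = LISTENER_PROD\nremote_listener = "LISTENER_OLD"\n'
TNSNAMES_ORA = """
LISTENER_PROD =
  (ADDRESS = (PROTOCOL = TCP)(HOST = 10.1.2.3)(PORT = 1521))
LISTENER_OLD =
  (DESCRIPTION = (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 203.0.113.10)(PORT = 1521))))
"""

def listener_params(init_text):
    """Return {parameter: alias} for local_listener / remote_listener in init.ora text."""
    pat = re.compile(r"\s*(local_listener|remote_listener)\s*=\s*(.+?)\s*$", re.I)
    hits = (pat.match(line.split("#", 1)[0]) for line in init_text.splitlines())
    return {m.group(1).lower(): m.group(2).strip("'\"") for m in hits if m}

def tns_aliases(tns_text):
    """Map each top-level tnsnames.ora alias to the (host, port) pairs it contains."""
    text, aliases, depth, start = re.sub(r"#.*", "", tns_text), {}, 0, 0
    for i, ch in enumerate(text):
        depth += (ch == "(") - (ch == ")")
        if ch == ")" and depth == 0:  # closing paren of one top-level entry
            entry, start = text[start:i + 1], i + 1
            name = re.match(r"\s*([\w.-]+)\s*=", entry)
            addrs = []
            for body in re.findall(r"\(\s*ADDRESS\s*=((?:\s*\([^()]*\))+)\s*\)", entry, re.I):
                kv = {k.upper(): v.strip() for k, v in re.findall(r"\(\s*(\w+)\s*=([^()]*)\)", body)}
                if "HOST" in kv and kv.get("PORT", "").isdigit():
                    addrs.append((kv["HOST"], int(kv["PORT"])))
            if name:
                aliases[name.group(1).upper()] = addrs
    return aliases

def audit(init_text, tns_text, allowed_nets):
    """List (parameter, alias, host, port, verdict); allowed_nets is an assumed CIDR allow-list."""
    aliases, rows = tns_aliases(tns_text), []
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    for param, alias in listener_params(init_text).items():
        for host, port in aliases.get(alias.upper()) or [(None, None)]:
            try:
                inside = any(ipaddress.ip_address(host) in n for n in nets)
                verdict = "ok" if inside else "OUTSIDE"
            except ValueError:  # no alias match, or a name that needs a DNS lookup
                verdict = "UNRESOLVED" if host is None else "HOSTNAME"
            rows.append((param, alias, host, port, verdict))
    return rows
```

Calling `audit(INIT_ORA, TNSNAMES_ORA, ["10.0.0.0/8", "127.0.0.0/8"])` marks the remote_listener target as OUTSIDE, which is the kind of entry that would produce outbound SYNs to port 1521 in a firewall log.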
