Re: Tracing the rejected connection

From: Mark D Powell <Mark.Powell_at_eds.com>
Date: Fri, 21 Mar 2008 08:16:23 -0700 (PDT)
Message-ID: <185da92b-f853-484a-9a5d-960d2514c294@p25g2000hsf.googlegroups.com>

On Mar 21, 10:51�am, Steve Howard <stevedhow..._at_gmail.com> wrote:
> On Mar 20, 11:07 pm, DriVE_mE_cRazY <k.senthilmuru..._at_gmail.com>
> wrote:
>
> > Hi all,
>
> > We are facing a strange issue in our database. We are getting alert in
> > a particular time period that a particular database user ( say X )
> > has exceeded log on failures count.I believe some program is �trying
> > to connect to db as �oracle database user (X) from a unix account
> > ( say Y ). sudo from that unix account to oracle user account ( from Y
> > to X ) is disabled.No cron jobs, batch programs are running at that
> > time.I'm very much confused how to trace that program/user
>
> > Please help me .
>
> > thanks,
>
> > senthil
>
> Hi,
>
> Try...
>
> SQL> audit connect whenever not successful;
>
> Audit succeeded.
>
> SQL> conn rep/foo
> ERROR:
> ORA-01017: invalid username/password; logon denied
>
> Warning: You are no longer connected to ORACLE.
> SQL> conn / as sysdba
> Connected.
> SQL> select count(*) from aud$;
>
> � COUNT(*)
> ----------
> � � � � �0
>
> SQL> show parameter audit_trail
>
> NAME � � � � � � � � � � � � � � � � TYPE � � � �VALUE
> ------------------------------------ -----------
> ------------------------------
> audit_trail � � � � � � � � � � � � �string � � �NONE
> SQL> alter system set audit_trail=db scope=spfile;
>
> System altered.
>
> SQL> startup force
> ORACLE instance started.
>
> Total System Global Area �167772160 bytes
> Fixed Size � � � � � � � � �1260696 bytes
> Variable Size � � � � � � 109052776 bytes
> Database Buffers � � � � � 54525952 bytes
> Redo Buffers � � � � � � � �2932736 bytes
> Database mounted.
> Database opened.
> SQL> conn rep/foo
> ERROR:
> ORA-01017: invalid username/password; logon denied
>
> Warning: You are no longer connected to ORACLE.
> SQL> conn / as sysdba
> Connected.
> SQL> select userid,timestamp# from aud$;
>
> USERID � � � � � � � � � � � � TIMESTAMP#
> ------------------------------ -------------------
> REP
>
> SQL>
>
> HTH,
>
> Steve

The DBA_AUDIT_SESSION view and the OS usernane and host columns (os_username, userhost) might be of interest. The same information could be extracted from the DBA_AUDIT_TRAIL view but if other auditing is also being done the specialized view offers ease of use advantages.

HTH -- Mark D Powell -- Received on Fri Mar 21 2008 - 10:16:23 CDT

This message: [ Message body ]
Next message: craig: "Requirement for Oracle Techno-Functional Consultant"
Previous message: Mark D Powell: "Re: indexing issue"
In reply to: Steve Howard: "Re: Tracing the rejected connection"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message