Pete Finnigan's Oracle Security Weblog

Today Alex has made a post to my forum titled "Oracle voyager worm". This mentions a post to the full disclosure list titled "trick or treat Larry" that details PL/SQL code for an Oracle worm. Alex has also analysed the worm on his site in a document titled "Analysis Oracle voyager worm". This paper describes what the worm does. Basically this worm uses UTL_TCP to send a command to the listener potentially on each IP Address in the same net range as the IP the database is on. If it finds a database it creates a private database link and then tries to connect on that link using default users and passwords. It then creates a table callled 'X' in the remote database. The code looks incomplete as the worm does not replicate itself. This could be changed. The poster is anonymous. This is a worrying new event for anyone running insecure databases. Take simple precautions, revoke the execute privileges on UTL_TCP, change all default passwords, do not use 1521 for the listener and disable local authentication on the 10g listener and instead use a strong password. Alex has detailed some of these and more on his site.