Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "UKOUG tomorrow"] [Next entry: "UKOUG so far"]

Oracle worm in the wild

Today Alex has made a post to my forum titled "Oracle voyager worm". This mentions a post to the full disclosure list titled "trick or treat Larry" that details PL/SQL code for an Oracle worm. Alex has also analysed the worm on his site in a document titled "Analysis Oracle voyager worm". This paper describes what the worm does. Basically this worm uses UTL_TCP to send a command to the listener potentially on each IP Address in the same net range as the IP the database is on. If it finds a database it creates a private database link and then tries to connect on that link using default users and passwords. It then creates a table callled 'X' in the remote database. The code looks incomplete as the worm does not replicate itself. This could be changed. The poster is anonymous. This is a worrying new event for anyone running insecure databases. Take simple precautions, revoke the execute privileges on UTL_TCP, change all default passwords, do not use 1521 for the listener and disable local authentication on the 10g listener and instead use a strong password. Alex has detailed some of these and more on his site.