Auditing an Oracle database for security issues is very important. PeteFinnigan.com provides all of the information and tools that you will need Click here for details of PeteFinnigan.com Limited's detailed Oracle database security audit service Click here for details of PeteFinnigan.com Limited's Oracle Security Training Courses
Cookie Policy:We only use essential cookies on small sections of this website. For details see here.

Welcome, Guest. Please Login.
Nov 23rd, 2017, 7:12am
News: If you would like to register contact the forum admin
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Security
(Moderator: Pete Finnigan)
   How many Oracle databases are exposed to the net?
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: How many Oracle databases are exposed to the net?  (Read 2164 times)
isaez
PeteFinnigan.com Junior Member
**



Ivan

   
View Profile |

Gender: male
Posts: 76
How many Oracle databases are exposed to the net?
« on: Nov 18th, 2005, 8:18pm »
Quote | Modify

Hi,
 
I read Pete's last weblog about the research David is going to do: research how many database are exposed to the net.
I did myself a quick scan using Google. I searched for "port filetypeShockedra" and found 235 hits. I took randomly the information found on one of this hits and found information about 71 hosts, SID's and portnumbers. The following step was sending a version command to those listeners and I got about 20 valid reply's. Something like this:  
TNSLSNR for IBM/AIX RISC System/6000: Version 9.2.0.6.0 - Production..TNS for IBM/AIX RISC System/6
...
...
Oracle version and OS + version.
 
Searching Google for "community protocol host port connect_data" gives even more hits: 9880!
Many of those hits are from sample files or how-to manuals but surely some of them are valid connect information.
I've to conclude that there are some database exposed to the net. We will have to wait for David's research to have an estimate of how many.  
I've to think of  Alex Kornbrust estimate that about 60% of the listeners are not secured with a password!
 
The combination: exposed to the net + findable trough Google + no listener password is scaring!
 
Ivan
 
 
IP Logged

regards,

Ivan
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: How many Oracle databases are exposed to the n
« Reply #1 on: Nov 19th, 2005, 8:39pm »
Quote | Modify

Hi Ivan
 
It would be interesting to know how many vulnerable Oracle databases there are out there. e.g. how many have listeners or other ports such as xdb open to the net. I think it will be surprising how many there are.  
 
Google hacking is a great technique for finding them. [url http://johnny.ihackstuff.com/]Johnny Long[/url] has a good site and database of google hacking search strings. There are quite a few oracle ones. I have written in my blog quite a few times about google hacking and also specific relevance to Oracle.
 
What I would like to see is how the number of visible (not necessarily vulnerable) Oracle databases there are compared to SQL Server.
 
A real worm is a real possibility waiting to happen.
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
kornbrust
PeteFinnigan.com Newbie
*





   
View Profile |

Gender: male
Posts: 27
Re: How many Oracle databases are exposed to the n
« Reply #2 on: Nov 19th, 2005, 11:54pm »
Quote | Modify

Pete,
 
A few months ago I published a list with google hacking strings for Oracle.  
 
google_oracle_hacking_us.pdf  
 
Most products of the Oracle technology stack are using Oracle databases. Very often these databases are available on the internet.
 
A quick check shows that all 8i/9i listeners I found are unprotected. I stopped my research after 20 examples.
 
 
Regards
 
 Alex
« Last Edit: Sep 17th, 2009, 4:37pm by Pete Finnigan » IP Logged
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: How many Oracle databases are exposed to the n
« Reply #3 on: Nov 20th, 2005, 8:47pm »
Quote | Modify

Hi Alex,
 
Thanks for your input. I remember your paper well and I blogged about when it was first posted and remember your results. As I said yesterday my concern is how the numbers are likely to grow with the advent of XE.
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright 2000-2004 Yet another Bulletin Board