On Monday (31-OCT-2005), an anonymous developer on the Full-Disclosure mailing list contributed a post titled "Trick or Treat Larry", disclosing a proof-of-concept worm that targets Oracle databases with default user accounts and passwords.
The worm uses the UTL_TCP package to scan for remote Oracle databases on the same local network. Upon finding another database, it retrieves the SID and tries several default username and password combinations to log in to the remote database. Currently, the default username/password list includes:
In its current state, the worm isn't a terribly significant threat. However, it can be treated as an early warning sign for future variants of the worm that include additional propagation methods. Oracle DBAs can take several actions to mitigate the effect of this worm and possible future variants:
If you are concerned about or interested in Oracle security issues, a wonderful resource for keeping current is Pete Finnigan's blog at www.petefinnigan.com/weblog/. I make it a point to check Pete's blog every day and I'm never disappointed.
Nov 1st 2005