Re: rogue SYS connections

2003-12-10 Thread Ron Rogers
Suzy,
 Do you use RMAN to perform backups? Do you use a catalog with RMAN?
Rman uses sys to perform the connections to the target database.

Just a thought,
Ron

 [EMAIL PROTECTED] 12/10/2003 3:09:33 PM 

Solaris 2.8 Oracle 8.1.7.0.  We have session auditing enabled, and see
rogue connections as SYS from several remote databases.  The os_user of
the remote system is always oracle and there are several different
remote hosts involved.

I can't figure out how they are gaining access this way.  Our SYS
password is set to a random string, not the default, and we change it
frequently.   There are no corresponding telnet sessions indicating
access is local from our server, and we also change our oracle password
frequently.   

I know the listener has vulnerabilities and we should apply those
patches, but want to be sure we don't have an obvious configuration
problem that is allowing these connections.   Any ideas?

-- init.ora
remote_login_passwordfile=NONE
remote_os_authent=FALSE

-- sqlnet.ora 
sqlnet.authentication_services=(NONE)

Here is a snippet from the audit trail:

-- sys.aud$
select timestamp#, userid, userhost, terminal, action#, returncode,
comment$text from sys.aud$
where userid = 'SYS';

DEC-09-03 15:13:10  SYS  UNKNOWN  101  Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.192.236)(PORT=63519))

-- dba_audit_session
select username, os_username, action_name action, terminal, timestamp, returncode
from dba_audit_session
where username = 'SYS';

USERNAME  OS_USERNAME  ACTION  TERMINAL  TIMESTAMP           RETURNCODE
--------  -----------  ------  --------  ------------------  ----------
SYS       oracle       LOGOFF  UNKNOWN   DEC-09-03 15:13:10           0

-- listener log
09-DEC-2003 15:13:10 * (CONNECT_DATA=(SID=mnet03bP)(CID=(PROGRAM=)(HOST=hpcad200)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.192.236)(PORT=63519)) * establish * mnet03bP * 0

Thanks,
Suzy
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net 
-- 
Author: Vordos, Suzy
  INET: [EMAIL PROTECTED] 

Fat City Network Services-- 858-538-5051 http://www.fatcity.com 
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Ron Rogers
  INET: [EMAIL PROTECTED]
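An added example, not code from the thread or from Oracle: it joins the Client address (HOST, PORT) that sys.aud$ records in comment$text against the ADDRESS field of the listener log, so each audited SYS session is tied to the CID host, OS user and program the listener saw for that connection. The sample audit rows and listener line are constructed from the snippet above (the second audit row is made up to show a session with no listener match).

```python
import re

# Constructed sample rows (timestamp#, userid, comment$text): the first copies
# the thread's sys.aud$ snippet, the second is made up and has no listener entry.
AUDIT_ROWS = [
    ("DEC-09-03 15:13:10", "SYS", "Authenticated by: DATABASE; Client address: "
     "(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.192.236)(PORT=63519))"),
    ("DEC-09-03 16:02:55", "SYS", "Authenticated by: DATABASE; Client address: "
     "(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.44.9)(PORT=51000))"),
]
# Constructed listener.log entry in the one-line format the thread shows.
LISTENER_LOG = (
    "09-DEC-2003 15:13:10 * (CONNECT_DATA=(SID=mnet03bP)(CID=(PROGRAM=)"
    "(HOST=hpcad200)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.192.236)"
    "(PORT=63519)) * establish * mnet03bP * 0\n"
)
ENDPOINT_RE = re.compile(r"\(HOST=([^)]*)\)\(PORT=(\d+)\)")
CID_RE = re.compile(r"\((PROGRAM|HOST|USER)=([^)]*)\)")


def parse_listener_log(text):
    """Index 'establish' entries by the client (ip, port) the listener saw."""
    index = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" * ")]
        if len(parts) < 4 or parts[3] != "establish":
            continue
        endpoint = ENDPOINT_RE.search(parts[2])  # the ADDRESS= field
        if endpoint:
            cid = dict(CID_RE.findall(parts[1]))  # CID= fields of CONNECT_DATA
            index[endpoint.groups()] = {"listener_time": parts[0],
                                        "program": cid.get("PROGRAM", ""),
                                        "client_host": cid.get("HOST", ""),
                                        "os_user": cid.get("USER", "")}
    return index


def correlate_sys_sessions(audit_rows, listener_text):
    """Tie each audited SYS session to the host/user/program the listener saw."""
    index = parse_listener_log(listener_text)
    findings = []
    for stamp, user, comment in audit_rows:
        if user != "SYS":
            continue
        endpoint = ENDPOINT_RE.search(comment)
        key = endpoint.groups() if endpoint else None
        seen = index.get(key, {})  # empty dict: no listener entry for this client
        findings.append({"audit_time": stamp, "client_ip": key[0] if key else None,
                         "client_host": seen.get("client_host"),
                         "os_user": seen.get("os_user"),
                         "program": seen.get("program"), "matched": bool(seen)})
    return findings
```

A matched row with an empty PROGRAM field and "Authenticated by: DATABASE" tells you the SYS password itself was accepted over SQL*Net from that host, which narrows the question to where that host obtained it; an unmatched row means the session did not arrive through this listener's log.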


RE: rogue SYS connections

2003-12-10 Thread Vordos, Suzy

Thanks Ron.

No, we use SQL-Backtrack instead of RMAN.   However SQL-Backtrack does show a diff
flavor of rogue connections of ###NOBODY.

The remote database systems that are connecting to our database as SYS are not ones we
support.  What is common about these databases is they do have logins to our database.
Those logins have only 'create session' privileges with select grants on views we
created for our application.

Suzy

-Original Message-
Ron Rogers
Sent: Wednesday, December 10, 2003 1:24 PM
To: Multiple recipients of list ORACLE-L