COMMAND
Oracle
SYSTEMS AFFECTED
Win NT (Oracle 8 Server)
PROBLEM
Adam Maloney found following. He noticed that his NT machine was
listening on port 1526. For lack of a better way, He telnetted to
the port to try and find out what it was:
telnet localhost 1526
Connected to kilroy.intexp.com on port 1526
(some garbage)
Disconnected from kilroy.intexp.com
As soon as disconnected, CPU usage jumped to 100%. Upon looking
at Taskman, a process named tnslsnr80.exe was the culprit. No
way to kill the process, and after waiting for about 5 minutes for
it to go away, you'll be forced to reboot your machine.
tnslsnr80.exe is placed in the Oracle directory. Apparently this
program listens for connections on port 1526 (port 1521 may be
vulnerable as well), and is not expecting a mere user to telnet
to it and feed it garbage. Ports 1521/1526 are the default port
numbers Oracle will listen on for SQL*Net (Oracle 7) or Net8
(Oracle 8) out of the box. There is a file in directory
%ORACLE_HOME%\network\admin (Oracle 7) or %ORACLE_HOME%\net8\admin
(Oracle 8) called listener.ora that specifies the ports to listen
on.
SOLUTION
A possible workaround would be to change the port that Oracle
listens on to something random (so that the script kiddies have to
hunt for it at least). The initialization file for the Oracle
Listener is called "Listener.ora", and can be found in your
"\ORANT\NET80\ADMIN". This file determines the protocols/ports
which Oracle uses to listen for database connections. If you are
running a database and a web server on the same machine, there is
no need to listen for TCP connections. Either use the Oracle
Bequest method or IPC for local connections. There should be a
few lines in the initialization file something like this:
(ADDRESS=
(PROTOCOL= TCP)
(Host= kilroy)
(Port= 1526)
)
You could change either change the port listed here or remove the
entry entirely and restart the Oracle Listener if you are not
connecting to the database via TCP to port 1526. Remove all
protocols/ports not in use in this file.