This was my original posting to NTBugtraq back in August.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Adam Maloney
Systems Administrator
Internet Exposure
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

-----Original Message-----
From: Adam Maloney <adamat_private>
To: NTBUGTRAQat_private <NTBUGTRAQat_private>
Date: Thursday, August 27, 1998 12:27 PM
Subject: "NERP" DoS attack possible in Oracle

>NERP DoS attack for Oracle
>
>About two weeks ago I noticed that my NT machine was listening on port 1526.
>I did not recognize this port number as a WKS, and it was not listed in NT's
>services file, so I became suspicious. For lack of a better way, I
>telnetted to the port to try and find out what it was:
>
>telnet localhost 1526
>Connected to kilroy.intexp.com on port 1526
>NERP
>
>Disconnected from kilroy.intexp.com
>
>As soon as I disconnected, my CPU usage jumped to 100%. Upon looking at
>Taskman, I saw that a process named tnslsnr80.exe was the culprit. I could
>not kill the process, and after waiting for about 5 minutes for it to go
>away, I was forced to reboot my machine.
>
>When my machine came back up, I did a search for tnslsnr80.exe, and found it
>in the Oracle directory. Apparently this program listens for connections on
>port 1526 (port 1521 may be vulnerable as well), and is not expecting a mere
>user to telnet to it and feed it garbage.
>
>I contacted Oracle two weeks ago, first via their web comments page, and
>then again via e-mail, and they never acknowledged or responded. It is my
>belief that you can bring an NT machine down to its knees if it is running
>Oracle.
>
>System Tested:
>NT4.0 SP3 + post SP3 patches
>Oracle 8
>P-Pro 200, 128MB RAM
>
>I am not 100% sure that this attack can be reproduced on anyone else's
>systems. I can reproduce it on my test machine, but all of the people that
>I had contacted, asking to try the exploit out have not gotten back to me at
>all.
>
>A possible workaround would be to change the port that Oracle listens on to
>something random (so that the script kiddies have to hunt for it at least).
>I forget where, but I thought I saw a config file that allows you to specify
>which port.
>
>BTW, a few people have asked me if NERP is significant...it is not, typing
>any random garbage is sufficient. The NERP was just a sporadic random
>thought.
>
>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Adam Maloney
> Systems Administrator
> Internet Exposure
>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
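Added example, not part of the original posting: the check the message describes doing by hand (spotting a listening port that has no entry in the services file), automated as an audit over `netstat -an` output. The sample services entries and netstat lines are constructed, and all function names are hypothetical.

```python
# Constructed sample in the layout of a services file:
# name, port/protocol, optional aliases, optional comment.
SERVICES_SAMPLE = """\
# <service name>  <port number>/<protocol>  [aliases...]  [#<comment>]
echo         7/tcp
ftp          21/tcp
telnet       23/tcp
smtp         25/tcp    mail
loc-srv      135/tcp              # endpoint mapper
netbios-ssn  139/tcp   nbsession
"""

# Constructed sample in the layout of Windows `netstat -an` output.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1526           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1042          10.0.0.9:23            ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

def parse_services(text):
    """Return {(port, proto): name} for every entry in services-file text."""
    known = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if port.isdigit():
            known[(int(port), proto.lower())] = fields[0]
    return known

def listening_tcp_ports(text):
    """Return the set of local TCP ports in LISTENING state."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            port = fields[1].rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports

def unknown_listeners(services_text, netstat_text):
    """TCP listeners with no services-file entry, sorted for review."""
    known = parse_services(services_text)
    return sorted(p for p in listening_tcp_ports(netstat_text)
                  if (p, "tcp") not in known)

if __name__ == "__main__":
    for port in unknown_listeners(SERVICES_SAMPLE, NETSTAT_SAMPLE):
        print(f"TCP port {port} is listening but has no services-file entry")
```

A port flagged this way is only a lead; the owning process still has to be identified before deciding whether the listener should be exposed.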