Eye on Oracle

Jul 12 2007   11:05AM GMT

More security horror stories

Ken Cline Profile: Clinek

Don adds these tales of woe to our growing collection of Oracle security bloopers:


We received a call from a client who was complaining of performance problems on their Oracle database, which was running on a standalone Linux server.  The company was in the business of providing credit information to third-party companies to assess an individual’s probability of financial default.

Upon accessing the server, it was apparent that something was terribly wrong. Even when idle, the Oracle database was performing I/O operations and the processors were active, even though Linux did not show any active processes.  The Linux “ps” command failed to reveal any active processes.

After a Linux expert was consulted, the real issue was discovered.  A disgruntled Systems Administrator had left a time-bomb on the server, to be activated when their user account was removed from the /etc/passwd file, indicating that they had been fired.

This time-bomb was activated when the System Administrator left the company to “pursue other opportunities”, and the attack was both clever and devastating.  The attacker placed a Linux daemon process called “vacuum” on the Linux server, and this process was constantly polling the Oracle database, seeking new information, and e-mailing Oracle data to an overseas mailbox.

This attack disclosed the entire Oracle database of confidential information to an unknown party, and the company was held fully responsible because they failed to institute a third-party employee to manage their server security.

The attack was very sophisticated and unobtrusive.  The malicious employee had replaced the standard Linux commands with a “root kit”, an attack method readily available on the Internet.  In a root kit attack, the Linux commands are replaced with an alias to disguise the presence of the Oracle data-stealing mechanism.  In this case, the process command “ps” was replaced with the command “ps|grep -i vacuum,” such that the process would not appear within Linux.
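A defender-side check for the kind of wrapper described above, added here as an example and not part of the original post or Don's account: a trojaned `ps` can filter its own output, but it cannot remove the kernel's `/proc` entries, so comparing the two views exposes the discrepancy. It assumes a Linux host with procfs mounted; the function names are my own.

```shell
# Added example (not from the original post): cross-check the PIDs that /proc
# exposes against what the installed `ps` binary reports. A wrapper that pipes
# ps through grep can drop a process name from its output, but the kernel's
# /proc/PID directories are still there. Any PID present in /proc but absent
# from ps output deserves a look. Assumes Linux with procfs mounted.

# hidden_pids PROC_PIDS PS_PIDS
# Both arguments are whitespace-separated PID lists. Prints every PID from the
# first list that does not appear in the second, one per line.
# Empty output means the two views agree.
hidden_pids() {
    proc_list=$1
    ps_list=$2
    for pid in $proc_list; do
        found=0
        for seen in $ps_list; do
            [ "$pid" = "$seen" ] && { found=1; break; }
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$pid"
    done
    return 0
}

# The kernel's view: numeric directory names directly under /proc.
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s ' "${d#/proc/}"
    done
}

# The suspect tool's view. `ps -e -o pid=` prints bare PIDs with no header.
ps_pids() {
    ps -e -o pid= | tr -s ' \n' '  '
}

# Report PIDs that /proc knows about but ps does not. A process that exits
# between the two snapshots shows up as a transient hit, so rerun before
# drawing conclusions; for a persistent hit, read /proc/PID/comm and
# /proc/PID/exe rather than trusting anything the suspect ps binary prints.
# Note that a kernel-level rootkit can also filter /proc, so this check only
# catches user-space wrappers like the one in the story.
audit_hidden_processes() {
    hidden_pids "$(proc_pids)" "$(ps_pids)"
}
```

Pair this with a package-manager integrity check of the ps binary itself (for example `rpm -V procps` or `debsums`), since a replaced command is exactly what a file integrity check is meant to catch.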


In this case, a hacker exploited a server vulnerability, siphoned confidential information from a company’s Oracle database and shipped it to a foreign nation that did not honor U.S. copyright law.  A foreign crook then extorted the company, proving that they had the Oracle data, and threatened to disclose proprietary secrets to a competitor unless they were paid a significant sum of money.

Faced with the loss of their competitive advantage, the company contacted the FBI and was told that there was no reciprocity with the nation and that Interpol would not be able to investigate or arrest the extortionists.  Even worse, Oracle management had not detected the leak, and had no idea how the thieves had accessed their Oracle database.


An Oracle database administrator for a major university was caught “enhancing” college transcripts to allow people to gain acceptance to top professional schools.  The DBA had complete control over the Oracle database and the auditing mechanism and was charging friends and acquaintances thousands of dollars to add courses and improve existing grades.  Because the DBA controlled the audit mechanism, she was able to completely erase all traces of the fraudulent changes.

This fraud went undetected for more than five years until a professor discovered the fraud.  The professor was asked questions about a former student as part of a pre-employment background check and discovered that the student had never taken his class even though the official university transcript indicated an “A” for the course.
