Oracle Worm Proof-of-concept

November 2, 2005

[From SANS Internet Storm Center]

On Monday (31-OCT-2005), an anonymous developer on the Full-Disclosure mailing list contributed a post titled "Trick or Treat Larry", disclosing a proof-of-concept worm that targets Oracle databases with default user accounts and passwords.

The worm uses the UTL_TCP package to scan for remote Oracle databases on the same local network. Upon finding another database, it retrieves the SID and then tries several default username and password combinations to log in to the remote database.
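A DBA can check a database for the two conditions this behaviour depends on, broad access to UTL_TCP and accounts left on default passwords, with the audit queries below. They are an added example, not part of the original article; they assume a session that can read the DBA_* dictionary views and, for the second query, Oracle 11g or later, where the DBA_USERS_WITH_DEFPWD view exists.

```sql
-- Added example: audit queries, run as a user with access to the DBA_* views.

-- 1. Who can execute UTL_TCP? A grant to PUBLIC means every account,
--    including one reached through a default password, can open outbound
--    TCP connections from the database host.
SELECT grantee,
       owner,
       table_name,
       privilege,
       grantable
FROM   dba_tab_privs
WHERE  table_name = 'UTL_TCP'
AND    privilege  = 'EXECUTE'
ORDER  BY CASE WHEN grantee = 'PUBLIC' THEN 0 ELSE 1 END, grantee;

-- 2. Which accounts still have a known default password and are not locked?
--    (DBA_USERS_WITH_DEFPWD is available in Oracle 11g and later.)
SELECT d.username,
       u.account_status,
       u.profile,
       u.created
FROM   dba_users_with_defpwd d
JOIN   dba_users u
       ON u.username = d.username
WHERE  u.account_status NOT LIKE '%LOCKED%'
ORDER  BY d.username;

-- Remediation to review before applying (revoking from PUBLIC can
-- invalidate dependent objects, so test and re-grant to named accounts
-- that genuinely need the package):
--   REVOKE EXECUTE ON sys.utl_tcp FROM PUBLIC;
--   ALTER USER <username> ACCOUNT LOCK PASSWORD EXPIRE;
```

Any row from the first query with grantee PUBLIC, combined with any row from the second, describes a database that both accepts default logins and lets those sessions make outbound network connections.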

The article continues at http://isc.sans.org/diary.php?storyid=812