
Thread: security issue

  1. #1
    Join Date
    Aug 2000
    Location
    Jolo, Sulu
    Posts
    639

    security issue

    Hi Friends,

    Our database is hacked by some malicious users. I'm thinking of some ways
    of protecting it. I'm browsing the network logs (listener.log) and I found some illegal IP addresses there. Is there a way to block these unknown IP addresses at the database level or listener level?
    Some info in the listener log parameters that can be blocked are:
    PROGRAM, HOST, USER, IP_ADDRESS.


    Thanks a lot.

  2. #2
    Join Date
    Dec 2002
    Location
    Bangalore ( India )
    Posts
    2,434
    Yes, you can.

    In the sqlnet.ora file, add these:

    TCP.VALIDNODE_CHECKING = YES

    TCP.EXCLUDED_NODES = ( ip to block )
    funky...

    "I Don't Want To Follow A Path, I Would Rather Go Where There Is No Path And Leave A Trail."

    "Ego is the worst thing many have, try to overcome it & you will be the best, if not good, person on this earth"

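Added example, not part of the thread or any poster's code: a Python sketch that reads listener.log connect records, counts connection attempts from addresses outside a known-client list, and renders the two parameters named in post #2. The sample log lines, the `ALLOWED` set and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records in the listener.log layout:
# timestamp * CONNECT_DATA * ADDRESS * event * service * return code
SAMPLE_LOG = """\
14-JUN-2004 09:01:12 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=payroll.exe)(HOST=PC-ACCT01)(USER=maria))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.15)(PORT=1045)) * establish * PROD * 0
14-JUN-2004 09:30:00 * service_update * PROD * 0
19-JUN-2004 22:47:03 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=sqlplus)(HOST=LAPTOP7)(USER=dev))) * (ADDRESS=(PROTOCOL=tcp)(HOST=203.0.113.40)(PORT=3312)) * establish * PROD * 0
19-JUN-2004 23:02:51 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=sqlplus)(HOST=LAPTOP7)(USER=dev))) * (ADDRESS=(PROTOCOL=tcp)(HOST=203.0.113.40)(PORT=3340)) * establish * PROD * 0
20-JUN-2004 01:15:44 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=unknown)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.9)(PORT=4120)) * establish * PROD * 12505
"""

ALLOWED = {"192.0.2.15"}  # assumption: the site's known client addresses

FIELD_RE = re.compile(r"\((PROGRAM|HOST|USER)=([^()]*)\)")
ADDR_RE = re.compile(r"\(ADDRESS=\(PROTOCOL=tcp\)\(HOST=([0-9.]+)\)\(PORT=\d+\)\)")

def parse_connections(text):
    """Return one dict per 'establish' record; other record types are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split(" * ")
        if len(parts) != 6 or parts[3] != "establish":
            continue
        addr = ADDR_RE.search(parts[2])
        if not addr:
            continue
        # PROGRAM, HOST and USER are reported by the client itself.
        rec = {k.lower(): v for k, v in FIELD_RE.findall(parts[1])}
        rec.update(ip=addr.group(1), when=parts[0], code=parts[5].strip())
        records.append(rec)
    return records

def unknown_clients(records, allowed):
    """Count connection attempts per source IP that is not on the allow list."""
    return Counter(r["ip"] for r in records if r["ip"] not in allowed)

def excluded_nodes_config(ips):
    """Render the two parameters from post #2 for the given addresses."""
    return ("TCP.VALIDNODE_CHECKING = YES\n"
            "TCP.EXCLUDED_NODES = (" + ", ".join(sorted(ips)) + ")")

if __name__ == "__main__":
    hits = unknown_clients(parse_connections(SAMPLE_LOG), ALLOWED)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} connection attempt(s)")
    print(excluded_nodes_config(hits))
```

Of the four fields listed in post #1, only the address in the ADDRESS section is observed by the listener; PROGRAM, HOST and USER come from the client and are useful as context rather than as a basis for blocking.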
  3. #3
    Join Date
    Aug 2002
    Location
    Atlanta
    Posts
    1,187

    Re: security issue

    Originally posted by kris123
    Hi Friends,

    Our database is hacked by some malicious users. I'm thinking of some ways
    of protecting it. I'm browsing the network logs (listener.log) and I found some illegal IP addresses there. Is there a way to block these unknown IP addresses at the database level or listener level?
    Some info in the listener log parameters that can be blocked are:
    PROGRAM, HOST, USER, IP_ADDRESS.


    Thanks a lot.
    First go kick the crap out of your firewall admin
    I'm stmontgo and I approve of this message

  4. #4
    Join Date
    Aug 2000
    Location
    Jolo, Sulu
    Posts
    639
    Hi Friends,

    This is with regard to my security problems. Some malicious transactions are inserted, updated, deleted in our database. I'm suspecting one person (he is the developer of this outsourced app).
    He was the one who set up the database before I came in.
    He is allowed to log in to the production database to repair or resolve errors that come out of his apps or from any user complaints. It's a part of the maintenance requirement. He got blessings from our manager because they are close friends too. It's really hard to monitor him because he knows his system very well.
    Our office is open from Mondays to Fridays (7am to 6pm) only.

    This coming Saturday he will be visiting again to make some updates/revisions and tests for some app errors. My boss instructed me to monitor his activities on the database.
    We have an RS6000 AIX 4.3.3 DB Server with ORACLE 8.1.7.
    We are in archivelog mode.

    I planned to do the following:

    1. Monitor his activities using the
    archived logs and LogMiner.

    Question: Are select statements recorded too in the archived logs?

    2. On Friday night (6pm) I will do (alter system flush shared_pool).
    This is to erase all previous commands in the shared_pool and let
    all his commands stay there and select/print them early Monday
    morning before end users log in.

    Question: Is this a valid idea?

    3. Turn on auditing? (by issuing the command: audit all)

    4. What other activity can I do?

    Thank you all

  5. #5
    Join Date
    Aug 2001
    Location
    cuddapah
    Posts
    145
    I think you can even trace his SQL statements by enabling the parameter SQL_TRACE = true in init.ora.

    I hope it works.

    I HOW

  6. #6
    Join Date
    Aug 2002
    Location
    Colorado Springs
    Posts
    5,253
    Aside from the database stuff, you might put a key logger on the PC he will be using, just to improve your chances of proving misconduct.
    David Aldridge,
    "The Oracle Sponge"

    Senior Manager, Business Intelligence Development
    XM Satellite Radio
    Washington, DC

    Oracle ACE

  7. #7
    Join Date
    Aug 2001
    Location
    cuddapah
    Posts
    145
    http://www.dbazine.com/larsen6.shtml
    Check this out for tracing on your server machine.

  8. #8
    Join Date
    Aug 2000
    Location
    Jolo, Sulu
    Posts
    639
    Thanks for your response.
    * This developer sometimes uses his own laptop to connect to the DB server.
    * I'm using Oracle (not SQL Server).

  9. #9
    Join Date
    Sep 2002
    Location
    England
    Posts
    7,334
    Simple: enable auditing.

  10. #10
    Join Date
    Aug 2000
    Location
    Jolo, Sulu
    Posts
    639
    Thanks,

    I'm testing enabling auditing now...
    I read the auditing manuals again and again, but I can't understand the commands AUDIT ALL and NOAUDIT ALL. I thought when I issue the command AUDIT ALL, it will audit everything in my database, say all by sessions, by access, by privileges and all select, insert, update, delete on all tables and schemas.
    I'm testing it right now but no audit is recorded in SYS.AUD$.

    Did I get it wrong?
