Slashdot Mirror


Oracle 'Worm' Exploit Modified

answers writes "Two months after an anonymous researcher released the first public example of an Oracle database worm, the exploit code has been advanced and republished, adding new techniques to attack databases. From the article: "It's still very theoretical right now, but I don't think any DBA should be underestimating the risk," said Alexander Kornbrust, CEO of Red-Database-Security GmbH. "If you're running a large company with hundreds of valuable databases, a worm can be very destructive. It is very possible to use this code to release a worm. I can do this right now if I wanted to.""

5 of 87 comments

  1. yeah. by User+956 · · Score: 3, Funny

    It is very possible to use this code to release a worm. I can do this right now if I wanted to.

    That seems like an odd quote. Did the author of the article like Double-Dog dare him, or something?

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:yeah. by hey! · · Score: 4, Funny
      Odd? Nah, it must sound awkward because it was edited for brevity. The full quote was:

        It is very possible to use this code to release a worm. I can do this right now if I wanted to. Mwahahaha!
      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    2. Re:yeah. by daikokatana · · Score: 2, Funny
      And I could walk right into a bank and hold it up right now if I wanted to.

      You posted this on a Saturday at 4:46PM - sorry, 'fraid not, the banks are all closed...

      --
      http://jcsnippets.atspace.com/ - a collection of Java & C# snippets
  2. This sounds so familiar. by DeltaHat · · Score: 3, Funny

    It is very possible to use this code to release a worm. I can do this right now if I wanted to.

    MICHAEL
    I'm gonna find out the hard way that I'm not a pussy if they don't start treating us software people better.

    SAMIR
    That's right.

    MICHAEL
    They don't understand. I could come up with a program that could rip that place off big time...big time.

    PETER
    Yeah.

  3. Re:Backup Data? by Anonymous Coward · · Score: 2, Funny

    As a consultant, I once nearly destroyed 2 years' worth of a company's research data my first week on the job.

    I ran some Perl script that they had written against a test database to update some stuff. Unfortunately, it turns out that the real database address was hardcoded deep in the Perl, and I hadn't understood this. The DB admin complained after it had run about 5 minutes updating (incorrectly) their multi-gigabyte database that access to the database was slow. So I immediately hit ^C and said, "OK, let's get the backup tapes!" I had actually asked previously whether there were backups, so I was pretty confident I was going to get out of this one. The response elicited sheer terror: "Oh, we don't back up the database!" Transaction logging wasn't turned on, either. They thought they might have a 6-month-old CD burn of the data somewhere, but they couldn't really find it IIRC.

    Fortunately, the script had been written to do its transaction atomically, so the database changes got rolled back before any damage was done. You can guess what my first project was after changing my pants.

    Some of my friends have stories in this vein also. Companies are less careful with their databases than you would think.