Forums: How To Secure Oracle? - Forums

How To Secure Oracle?

#1 User is offline   tnp 

  • Private First Class
  • Group: Members
  • Posts: 38
  • Joined: 17-February 04

Posted 24 March 2005 - 05:57 AM

How can I change Oracle Password without having the old one?

thx a lot :D
0

#2 User is offline   ch0pper 

  • Private First Class
  • Group: Members
  • Posts: 65
  • Joined: 16-September 03

Posted 25 March 2005 - 07:10 AM

what exploit are you using ?
0

#3 User is offline   tnp 

  • Private First Class
  • Group: Members
  • Posts: 38
  • Joined: 17-February 04

Posted 25 March 2005 - 07:59 AM

that doesn't matter:
i need to know the old pw:
http://www.metrokc.gov/gis/kb/images/password.gif

or another way :)
0

#4 User is offline   Pro21 

  • Sergeant
  • Group: Members
  • Posts: 230
  • Joined: 12-February 04

Posted 28 March 2005 - 09:51 AM

if you change the old password like in your screenshot, i think it is impossible to know the old password. The system updates the password field then erases the old one.
If somebody can confirm my reply :P
0

#5 User is offline   Jumpi 

  • Private First Class
  • Group: Members
  • Posts: 63
  • Joined: 02-January 04

Posted 28 March 2005 - 10:15 AM

sorry, no confirm.
user:DBSNMP
pass:DBSNMP
works.
but: that doesn't make it secure, there's a version of the exploit out without password so changing won't secure.
0

#6 User is offline   BuzzDee 

  • Master Sergeant
  • Group: Specialist
  • Posts: 454
  • Joined: 27-September 03

Posted 28 March 2005 - 12:22 PM

if it is your OWN system then just apply the patch (i don't know 100% but i'm sure there is one out, yet). i think that shouldn't be too hard heh?
if it is NOT your own box (and i'm quite sure this is the case) better be quiet... <_<
0

#7 User is offline   Jumpi 

  • Private First Class
  • Group: Members
  • Posts: 63
  • Joined: 02-January 04

Posted 28 March 2005 - 11:32 PM

on your own system (own, not owned) you could block port 2100 or switch the ftp off.
or, best one: use a firewall and you are a bit more secure
0

#8 User is offline   DumpZ 

  • Sergeant First Class
  • Group: Members
  • Posts: 356
  • Joined: 04-December 03

Posted 29 March 2005 - 01:33 AM

Well it's probably not his own system because then i assume you could just reset the pass by using the SYSTEM user.

But on your own system just revoke all exec perms on users with weak passes i guess.
0

#9 User is offline   r00t 

  • Private First Class
  • Group: Members
  • Posts: 85
  • Joined: 17-June 03

Posted 06 April 2005 - 06:14 AM

Hi,

As written by others: it depends on which exploit you want to secure against; there are some buffer overflows out there which need only a working user!
So maybe, if possible, you disable the DBSNMP user and the SYS user and replace them with other, non-standard names.

Other question: if it's your server, why do you leave port 2100 open to the net?

Take a HW firewall, as written before, with NAT and don't route the port to the internal IP of the PC with Oracle on it. So you are secured from attackers from the net.

....

maybe this helps a bit :D
0

#10 User is offline   isaiah 

  • Corporal
  • Group: Members
  • Posts: 199
  • Joined: 12-August 03

Posted 06 April 2005 - 06:19 AM

how do you even know that it's a hack from the net? well, it could be his server and he's just trying to change his passwords. why does it always have to be like "what are you hacking" or some other bull sh*t ...
0

#11 User is offline   r00t 

  • Private First Class
  • Group: Members
  • Posts: 85
  • Joined: 17-June 03

Posted 06 April 2005 - 06:29 AM

isaiah, on Apr 6 2005, 02:19 PM, said:

how do you even know that it's a hack from the net? well, it could be his server and he's just trying to change his passwords. why does it always have to be like "what are you hacking" or some other bull sh*t ...

I replied to the topic: How To Secure Oracle?

So this is also one part of it, i think. It also could be he forgot his pw :D then he doesn't need these posts. Only tips in general to make it more secure. At a firm we do IT there was an Oracle server hacked :-(. So only a tip.
0

#12 User is offline   isaiah 

  • Corporal
  • Group: Members
  • Posts: 199
  • Joined: 12-August 03

Posted 06 April 2005 - 09:57 PM

ok let me just reply like this

to the poster of this topic: if your oracle is vuln and you own oracle then you won't have any problem getting the patch by going to oracle's sites, metalink and shit, and getting it. but if you're a hacker hacking some computer, well, you ain't gonna patch it unless you got a nice user and pass for metalink to get the patch..... have fun :D
0

#13 User is offline   ShadowRun 

  • Corporal
  • Group: Specialist
  • Posts: 170
  • Joined: 01-October 03

Posted 07 April 2005 - 01:34 AM

to clarify a few things:

@DumpZ: But on your own system just revoke all exec perms on users with weak passes i guess.

the simplest would be revoke connect

@Pro21
Oracle stores old passwords somewhere because you can specify it in the profile password policy (like: for N times, different passwords must be supplied)

@nebo: So maybe if possible you disable the DBSNMP User and the SYS user and change it with other names not standard names.

it's not possible to change system account names

@isaiah
metalink will not solve poor DB security
(i mean roles, grants, default passwords, unsecured listener etc.)
a well secured one will not let you connect from outside
for example valid node checking will do the job for you and your FW ;)

@tnp
if it's your box simply:
sqlplus /nolog
connect / as sysdba
alter user system identified by newpass;
if not and you're asking for another way then you're asking for trouble
i will not help you

greetz
0
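
The valid node checking mentioned in the post above is set in sqlnet.ora on the database host. The following Python check is an added example, not part of the thread: it audits a sqlnet.ora for an address allow-list. The two sample files, their host name and address are constructed, and the parser assumes one parameter per line.

```python
# Constructed samples: a sqlnet.ora without node restrictions and a hardened one.
WEAK = """
# sqlnet.ora (constructed sample)
NAMES.DIRECTORY_PATH = (TNSNAMES)
"""
HARDENED = """
# sqlnet.ora (constructed sample)
NAMES.DIRECTORY_PATH = (TNSNAMES)
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.5.21, appsrv1.example.internal)
"""


def parse_sqlnet(text):
    """Return {PARAM: [values]} for single-line 'NAME = value' entries."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        value = value.strip().strip("()")        # lists are parenthesised
        params[name.strip().upper()] = [v.strip() for v in value.split(",") if v.strip()]
    return params


def audit_valid_node_checking(text):
    """Return a list of findings; an empty list means the check passed."""
    p = parse_sqlnet(text)
    findings = []
    enabled = [v.upper() for v in p.get("TCP.VALIDNODE_CHECKING", [])] == ["YES"]
    if not enabled:
        findings.append("TCP.VALIDNODE_CHECKING is not YES: client addresses are not restricted")
    invited = p.get("TCP.INVITED_NODES", [])
    if enabled and not invited:
        findings.append("TCP.INVITED_NODES is missing or empty: no allow-list is defined")
    for node in invited:
        if "*" in node:
            findings.append(f"TCP.INVITED_NODES has a wildcard entry, review its scope: {node}")
    if invited and p.get("TCP.EXCLUDED_NODES"):
        findings.append("Both lists are set: TCP.INVITED_NODES takes precedence over TCP.EXCLUDED_NODES")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_valid_node_checking(sample) or "OK")
```

The listener reads these parameters at startup, so a change to sqlnet.ora takes effect only after the listener is restarted.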

#14 User is offline   Jumpi 

  • Private First Class
  • Group: Members
  • Posts: 63
  • Joined: 02-January 04

Posted 07 April 2005 - 06:09 AM

the box is vulnerable without a working pass so changing is no way. patch and install firewall.
0
