[8939] in bugtraq
Re: Fw:"NERP" DoS attack possible in Oracle
daemon@ATHENA.MIT.EDU (Pablo Luis Bucich)
Tue Jan 5 04:26:39 1999
Date: Mon, 4 Jan 1999 15:18:30 -0300
Reply-To: Pablo Luis Bucich <pbucic@MECON.AR>
From: Pablo Luis Bucich <pbucic@MECON.AR>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <00f901be32ca$7e0c9910$091962d1@kilroy.ns.intexp.com>
Hello
I'v tested that in :
SQL*Netv2 at HPUX 10.20 with Oracle 7.3.3,
SQL*Netv2 at HPUX 9.04 with Oracle 7.1.4,
with zero & one SQL*Netv2 sessions opened, and there is no problem. tnslsnr
goes to sleep immediately when the telnet connection has closed.
Can be some previous load/resource problem ? Or OS-dependant ?
On Mon, 28 Dec 1998, Adam Maloney wrote:
> This was my original posting to NTBugtraq back in August.
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Adam Maloney
> Systems Administrator
> Internet Exposure
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> -----Original Message-----
> From: Adam Maloney <adam@iexposure.com>
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
> Date: Thursday, August 27, 1998 12:27 PM
> Subject: "NERP" DoS attack possible in Oracle
>
>
> >NERP DoS attack for Oracle
> >
> >About two weeks ago I noticed that my NT machine was listening on port
> 1526.
> >I did not recognize this port number as a WKS, and it was not listed in
> NT's
> >services file, so I becamse suspicious. For lack of a better way, I
> >telnetted to the port to try and find out what it was:
> >
> >telnet localhost 1526
> >Connected to kilroy.intexp.com on port 1526
> >NERP
> >
> >Disconnected from kilroy.intexp.com
> >
> >As soon as I disconnected, my CPU usage jumped to 100%. Upon looking at
> >Taskman, I saw that a process named tnslsnr80.exe was the culprit. I could
> >not kill the process, and after waiting for about 5 minutes for it to go
> >away, I was forced to reboot my machine.
> >
> SNIP ...
> >
> >I am not 100% sure that this attack can be reproduced on anyone elses
> >systems. I can reproduce it on my test machine, but all of the people that
> >I had contacted, asking to try the exploit out have not gotten back to me
> at
> >all.
> >
> >BTW, a few people have asked me if NERP is significant...it is not, typing
> >any random garbage is sufficient. The NERP was just a sporadic random
> >thought.
> >
============================================================================
Ministerio de Economia y Obras y Servicios Publicos
Secretaria de Hacienda Tel : +54 1 349-6110
Pablo Luis Bucich Fax : +54 1 349-6505
Buenos Aires, Argentina e-mail : pbucic@mecon.ar
----------------------------------------------------------------------------
Windows 95: n. 32 bit extensions and a graphical shell for a 16 bit patch
to an 8 bit operating system originally coded for a 4 bit
microprocessor, written by a 2 bit company that can't stand
1 bit of competition.
"Winners don't use Windows" -- Windows: Just Say No