Chapter 15
Rootkit Checker and Security Monitoring
There are many ways of backdooring a database. The earliest paper published on the subject, to my knowledge, was written
by Pete Finnigan in 2001. You can find it at:
http://www.pentest.co.uk/documents/oracle-security.pdf
Pete was followed by Chris Anley in 2002 with his SQL Server equivalent:
http://www.nccgroup.com/media/18586/violating_database_-_enforced_security_mechanisms.pdf
The backdoor/rootkit concept for databases was expanded upon by Alexander Kornbrust in 2005 when he
published the following paper:
http://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Kornbrust/BH_EU_05_Kornbrust.pdf
Then there is my own contribution, a paper on a SYSDBA backdoor, written in November 2007:
http://www.dcs.co.jp/security/NGS_freedownloads/OracleSysDBA_Backdoor.pdf
David Litchfield published on in-memory rootkits in December 2007:
http://www.davidlitchfield.com/oracle-backdoors.pdf
Lastly, Laszlo Toth published on a variation of the in-memory backdoor by showing how oradebug can be used by
SYS to turn off all authentication in Oracle, so that any password is accepted: a blanket backdoor, which harks back to Chris Anley's 2002
paper. Laszlo's presentation can be found at this URL:
http://soonerorlater.hu/download/hacktivity_lt_2011_en.pdf
It is interesting to note that it is very rare for a security audit to check that a wrong password is actually rejected,
so a blanket backdoor of this kind could persist for some time without being found. A complete password audit
checks, for each account, that a logon with an incorrect password fails.
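The check just described, as an added example rather than code from the book: every account in scope is offered a random password that cannot be correct, and any logon that succeeds is flagged as a blanket-backdoor indicator. The audit logic takes a pluggable logon callable so it can be run offline against a constructed stand-in server; the Oracle adapter at the bottom, which assumes the python-oracledb driver and the usual ORA-01017 (invalid credential) and ORA-28000 (account locked) error codes, is the only part that touches a real database. Account names and passwords in the demonstration are constructed.

```python
"""Wrong-password audit for a blanket authentication backdoor (added example).

For every account, attempt a logon with a password that is guaranteed wrong.
A logon that succeeds means password checking has been disabled or bypassed.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Assumption: these are the Oracle error codes for a rejected credential and
# for a locked account; confirm against the error reference for your release.
ORA_INVALID_CREDENTIAL = "ORA-01017"
ORA_ACCOUNT_LOCKED = "ORA-28000"


@dataclass
class AuditResult:
    user: str
    verdict: str   # "REJECTED", "ACCEPTED" or "INCONCLUSIVE"
    detail: str


def wrong_password() -> str:
    """A fresh 256-bit random string; it cannot match any password ever set."""
    return "x" + secrets.token_urlsafe(32)


def audit_accounts(users: Iterable[str],
                   try_logon: Callable[[str, str], None]) -> List[AuditResult]:
    """try_logon(user, password) returns normally on a successful logon and
    raises an exception whose message carries the server error otherwise.
    Exactly one attempt is made per account so FAILED_LOGIN_ATTEMPTS
    counters are touched as little as possible."""
    results = []
    for user in users:
        try:
            try_logon(user, wrong_password())
        except Exception as exc:          # every refusal is classified, not swallowed
            msg = str(exc)
            if ORA_INVALID_CREDENTIAL in msg:
                results.append(AuditResult(user, "REJECTED", ORA_INVALID_CREDENTIAL))
            elif ORA_ACCOUNT_LOCKED in msg:
                # Locked: the server never evaluated the password, so this
                # proves nothing about whether checking is enforced.
                results.append(AuditResult(user, "INCONCLUSIVE", ORA_ACCOUNT_LOCKED))
            else:
                results.append(AuditResult(user, "INCONCLUSIVE", msg))
        else:
            # A random password was accepted: blanket-backdoor indicator.
            results.append(AuditResult(user, "ACCEPTED",
                                       "logon succeeded with a random password"))
    return results


def backdoored_accounts(results: List[AuditResult]) -> List[str]:
    """Accounts whose wrong-password logon was accepted."""
    return [r.user for r in results if r.verdict == "ACCEPTED"]


# Real adapter (assumption: python-oracledb, whose DatabaseError message
# starts with the ORA code). Not exercised in the offline demonstration.
def oracle_logon_factory(dsn: str) -> Callable[[str, str], None]:
    import oracledb  # pip install oracledb

    def try_logon(user: str, password: str) -> None:
        conn = oracledb.connect(user=user, password=password, dsn=dsn)
        conn.close()
    return try_logon


# Constructed stand-in server: healthy, or with authentication switched off.
def make_fake_server(passwords: dict, locked: set,
                     auth_disabled: bool) -> Callable[[str, str], None]:
    def try_logon(user: str, password: str) -> None:
        if user in locked:
            raise Exception(f"{ORA_ACCOUNT_LOCKED}: the account is locked")
        if auth_disabled or passwords.get(user) == password:
            return
        raise Exception(f"{ORA_INVALID_CREDENTIAL}: invalid username/password; logon denied")
    return try_logon


if __name__ == "__main__":
    users = ["SYS", "SYSTEM", "HR", "APPUSER"]   # constructed account list
    pw = {"SYS": "s3cret", "SYSTEM": "m4nager", "APPUSER": "app"}
    for label, auth_off in (("healthy", False), ("backdoored", True)):
        res = audit_accounts(users, make_fake_server(pw, {"HR"}, auth_off))
        print(label, [(r.user, r.verdict) for r in res],
              "flagged:", backdoored_accounts(res))
```

Two operational caveats: each attempt counts against the profile's FAILED_LOGIN_ATTEMPTS, so run the audit once per account and expect it to show up in the audit trail, which is itself a useful check that failed logons are being recorded; and a locked account is reported as inconclusive rather than clean, because the password was never evaluated.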
As you can see, a body of knowledge has evolved on database rootkits, but information on how to detect them is
published far less often. This subject was first explored in my previous book, Oracle Forensics, in 2007
(page 292), and subsequently by Kevvie Fowler for SQL Server in 2008. Throughout this chronological evolution, rootkit
detection was regarded as a post-incident clean-up and investigation process that reacts to a hacking event,