Attacking and Defending Informix
Informix, by default, listens on TCP port 1526. When doing a TCP port scan and seeing that 1526 is open on a server one could be forgiven for thinking it's running Oracle because Oracle can also often be found listening on TCP port 1526. The question is, can you work out whether you're dealing with Oracle or Informix without sending any data? Well, by looking at what other ports are open you can hazard a good guess. For example, installed with Informix is the Informix Storage Manager. This has a number of processes running and listening on various ports:
Windows servers also have portmap.exe listening on TCP port 111.
Chances are, if these ports are open, then you're looking at an Informix server. A good tip for new installs of Informix is not to use the standard TCP ports. While it is a security through obscurity “solution,” it's better than having none.
When clients first connect to the server they send an authentication packet. Here's a packet dump:
IP Header Length and version: 0x45 Type of service: 0x00 Total length: 407 Identifier: 44498 Flags: 0x4000 TTL: 128 Protocol: 6 (TCP) Checksum: 0xc9b8 Source IP: 192.168.0.34 Dest IP: 192.168.0.99 TCP Header Source port: 1367 Dest port: 1526 Sequence: 558073140 ack: 3526939382 Header length: 0x50 Flags: 0x18 (ACK PSH ) Window Size: 17520 Checksum: 0x0cae Urgent Pointer: 0 Raw Data 73 71 41 57 73 42 ...