Attacking and Defending Informix

Informix, by default, listens on TCP port 1526. When a TCP port scan shows 1526 open on a server, one could be forgiven for thinking it's running Oracle, because Oracle can also often be found listening on TCP port 1526. The question is, can you work out whether you're dealing with Oracle or Informix without sending any data? Well, by looking at what other ports are open you can hazard a good guess. For example, installed with Informix is the Informix Storage Manager. This has a number of processes running and listening on various ports:

Process     TCP Port
nsrmmdbd    7940
nsrmmd      7941
nsrexecd    7937
nsrexecd    7938
nsrd        7939

Windows servers also have portmap.exe listening on TCP port 111.

Chances are, if these ports are open, then you're looking at an Informix server. A good tip for new Informix installs is not to use the standard TCP ports. While that is a security-through-obscurity “solution,” it's better than having none.
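The reasoning above (1526 alone is ambiguous; the Informix Storage Manager daemons and, on Windows, portmap.exe tip the balance) can be applied to a scan's open-port list without sending anything to the host. The following is an added example, not code from the book: the port facts are the ones stated in the text, while the sample host inventory, the verdict labels and the audit function that enforces the non-default-port tip are all constructed here.

```python
"""Guess Informix vs. Oracle from open ports alone, and flag default-port installs.

Added example, not from the book. The port facts are the ones stated above:
1526/tcp is Informix's default but Oracle is often found there too; the
Informix Storage Manager daemons listen on 7937-7941; Windows installs add
portmap.exe on 111/tcp. The host inventory at the bottom is constructed.
"""
from typing import Dict, Iterable, List

INFORMIX_DEFAULT_PORT = 1526
ISM_PORTS = {7937: "nsrexecd", 7938: "nsrexecd", 7939: "nsrd", 7940: "nsrmmdbd", 7941: "nsrmmd"}
PORTMAP_PORT = 111


def classify_host(open_ports: Iterable[int]) -> dict:
    """Return a verdict plus the evidence behind it; nothing is sent to the host."""
    ports = set(open_ports)
    ism_seen = sorted(p for p in ports if p in ISM_PORTS)
    reasons: List[str] = []
    if INFORMIX_DEFAULT_PORT in ports:
        reasons.append("1526/tcp open: Informix default, but Oracle also uses it")
    if ism_seen:
        reasons.append("ISM daemons: " + ", ".join(f"{ISM_PORTS[p]}/{p}" for p in ism_seen))
    if PORTMAP_PORT in ports:
        reasons.append("111/tcp open: portmap.exe as on Windows Informix installs")

    if INFORMIX_DEFAULT_PORT in ports and ism_seen:
        verdict = "informix"               # engine port plus its storage manager: strong signal
    elif ism_seen:
        verdict = "informix-nondefault"    # ISM visible, engine probably moved off 1526
    elif INFORMIX_DEFAULT_PORT in ports:
        verdict = "oracle-or-informix"     # 1526 alone cannot separate the two
    else:
        verdict = "unknown"
    return {
        "verdict": verdict,
        "reasons": reasons,
        "default_ports_exposed": sorted(ports & ({INFORMIX_DEFAULT_PORT} | set(ISM_PORTS))),
    }


def audit_inventory(hosts: Dict[str, Iterable[int]]) -> List[str]:
    """Apply the hardening tip: report hosts that look like Informix and still sit on the standard ports."""
    findings = []
    for host, ports in hosts.items():
        result = classify_host(ports)
        if result["verdict"].startswith("informix") and result["default_ports_exposed"]:
            exposed = ", ".join(str(p) for p in result["default_ports_exposed"])
            findings.append(
                f"{host}: {result['verdict']} on default ports {exposed}; move them off the standard numbers"
            )
    return findings


# Constructed scan results for illustration, not real hosts.
SAMPLE_SCAN = {
    "db-a.example.test": [22, 1526, 7937, 7938, 7939, 7940, 7941],
    "db-b.example.test": [135, 445, 111, 1526, 7937, 7939],
    "db-c.example.test": [1526],
    "web-d.example.test": [80, 443],
}

if __name__ == "__main__":
    for host, ports in SAMPLE_SCAN.items():
        print(host, classify_host(ports))
    for line in audit_inventory(SAMPLE_SCAN):
        print("FINDING:", line)
```

Feed `classify_host` the open-port list from your own scanner's output; the audit loop is the inventory-side counterpart of the advice above, surfacing installs that still answer on the documented defaults.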

When clients first connect to the server they send an authentication packet. Here's a packet dump:

IP Header
  Length and version: 0x45
  Type of service:    0x00
  Total length:       407
  Identifier:         44498
  Flags:              0x4000
  TTL:                128
  Protocol:           6 (TCP)
  Checksum:           0xc9b8
  Source IP:
  Dest IP:

TCP Header
  Source port:    1367
  Dest port:      1526
  Sequence:       558073140
  ack:            3526939382
  Header length:  0x50
  Flags:          0x18 (ACK PSH)
  Window Size:    17520
  Checksum:       0x0cae
  Urgent Pointer: 0

Raw Data
  73 71 41 57 73 42 ...
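To make sense of a dump like the one above from a raw capture, it helps to decode the IPv4 and TCP headers field by field and verify the IP checksum. The following is an added example, not code from the book: `build_sample_packet()` constructs a packet that reproduces the header values shown in the dump, while the source and destination addresses (omitted in the dump) are assumed to be the RFC 5737 test addresses 192.0.2.10 and 192.0.2.20, the payload beyond its first six bytes is zero padding, and the `looks_like_informix_session` heuristic (payload opening with the ASCII bytes `sq`, as in the dump's raw data) is an assumption drawn from this single capture rather than a documented protocol constant.

```python
"""Decode the IPv4 and TCP headers of a captured Informix client packet.

Added example, not code from the book. build_sample_packet() constructs a
packet reproducing the dump above (total length 407, id 44498, ttl 128, ports
1367 -> 1526, flags 0x18, window 17520, raw data starting 73 71 41 57 73 42).
The dump omits the IP addresses, so 192.0.2.10 / 192.0.2.20 (RFC 5737 test
addresses) are assumed; the payload after its first six bytes is zero padding,
not real Informix protocol data.
"""
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"   # version/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
TCP_FMT = "!HHIIBBHHH"     # sport, dport, seq, ack, data offset byte, flags, window, csum, urgent
TCP_FLAG_BITS = [("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01)]


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 when run over a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_packet() -> bytes:
    """Constructed packet matching the dump's header values (addresses and payload body are assumed)."""
    src, dst = socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20")
    payload = b"sqAWsB" + b"\x00" * (407 - 40 - 6)          # 367 payload bytes, first six from the dump
    fields = [0x45, 0x00, 407, 44498, 0x4000, 128, 6, 0, src, dst]
    fields[7] = ip_checksum(struct.pack(IP_FMT, *fields))    # fill in a correct IP header checksum
    ip_hdr = struct.pack(IP_FMT, *fields)
    # The TCP checksum 0x0cae is copied from the dump, not recomputed over the padded payload.
    tcp_hdr = struct.pack(TCP_FMT, 1367, 1526, 558073140, 3526939382, 0x50, 0x18, 17520, 0x0CAE, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(pkt: bytes) -> dict:
    """Split a raw IPv4/TCP packet into the fields shown in the dump; ValueError on malformed input."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    vihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = struct.unpack(IP_FMT, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if (vihl >> 4) != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if proto != 6:
        raise ValueError(f"protocol {proto} is not TCP")
    if len(pkt) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, tflags, window, tcsum, urg = struct.unpack(TCP_FMT, pkt[ihl:ihl + 20])
    data_off = (off >> 4) * 4                                # upper nibble of 0x50 -> 5 words -> 20 bytes
    if data_off < 20 or len(pkt) < ihl + data_off:
        raise ValueError("bad TCP data offset")
    payload = pkt[ihl + data_off:total_len]
    return {
        "ip": {
            "version_ihl": vihl, "tos": tos, "total_length": total_len, "identifier": ident,
            "flags": flags_frag, "ttl": ttl, "protocol": proto, "checksum": csum,
            "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        },
        "tcp": {
            "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "header_length": off, "flags": [name for name, bit in TCP_FLAG_BITS if tflags & bit],
            "window": window, "checksum": tcsum, "urgent": urg,
        },
        "payload_len": len(payload),
        "payload_prefix_hex": " ".join(f"{b:02x}" for b in payload[:6]),
    }


def looks_like_informix_session(parsed: dict) -> bool:
    """Heuristic (assumption from this one capture): traffic to 1526 whose payload opens with ASCII 'sq'."""
    return parsed["tcp"]["dst_port"] == 1526 and parsed["payload_prefix_hex"].startswith("73 71")


if __name__ == "__main__":
    decoded = parse_packet(build_sample_packet())
    for section in ("ip", "tcp"):
        print(section.upper(), decoded[section])
    print("raw data:", decoded["payload_prefix_hex"], "...", "informix-like:", looks_like_informix_session(decoded))
```

A verified IP checksum and a sane data offset are cheap guards before any deeper decoding of captured traffic, and the same parse gives a network monitor a way to answer the Oracle-or-Informix question from the first client packet rather than from port numbers alone.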

Get The Database Hacker's Handbook: Defending Database Servers now with the O’Reilly learning platform.