Forum OpenACS Q&A: Response to Bugtraq: Oracle security
Also AFAIK no one's managed to root aol.com or digitalcity.com, so it's probably worth paying at least some attention to their advice. I'm sure they've been targets of many attempts (and maybe they've been rooted and neither they or we don't know it! aol.com might be the mother lode of warez distribution!)
As far as Oracle goes ... you talk to Oracle via the ora.c and the Oracle client library to the listener, which is running elsewhere (another process, another machine, whatever).
Ditto PG. The client library is linked with the driver and AOLserver, but it talks to the postmaster daemon (usually via localhost when things run on one machine, at least if you're smart).
So not all that much needs to go into your chroot()'d process.
When all is said and done the non-AOLserver stuff you forget to turn off is most likely to get you. I got rooted two weeks ago because I never got around to updating ssh on a server of mine (bad bad bad).
The good news is most of the script kiddies are just looking for someplace to dump pirated software in order to distribute it using your bandwidth. I've had several friends get rooted over the years (including photo.net, tee hee!) and the machines have never been taken down or harmed. Instead they start up ftp and you find your machine pegged running as many ftp downloads as it can handle without running out of swap space. Your system gets *very* slow.
I caught these guys before that happened to this particular server (two days after they broke in) and I'm pretty sure that's what they were up to. They didn't harm my site, database, etc. They installed a rootkit that included versions of ps and top that hid all but a handful of processes, and a hacked ssh that apparently lets you have root access with a known password (not roots real password).
When I discovered that they didn't do anything else because I shut it down and upgraded to a much newer set of software from the ground up before plugging in the internet hose again.
Of course, if they had gotten started my bandwidth bill could've been a major embarrassment ...