PL/SQL Developer-induced database extortion for Bitcoin: analysis of how it works and how to fix it

Source: Internet
Author: User
afterconnect.sql
This script is executed automatically by PL/SQL Developer on login; it is not an official Oracle script.

Trigger executed after database startup: dbms_support_internal

The main logic of dbms_support_internal is:
1. When the database was created more than 1200 days ago, it first backs up the tab$ table.
2. It then deletes the tab$ records of owner# 0 and 38 (SYS, XDB).



3. It cleans the backup information out of the control file through sys.dbms_backup_restore.resetcfilesection (see v$controlfile_record_section).
4. It then writes the following message 2046 times to the alert log through dbms_system.ksdwrt:
"Hi buddy, your database is hacked by SQL RUSH team, send 5 bitcoin to address 166xk1fxmb2g8jxbvf5t4aw1z5jaz6vrse (case sensitive), after this send your Oracle SID to mail address sqlrush@mail.com, we'll let you know how to unlock your database."
(The same note is also written in Chinese.)
5. It throws 4 similar warning messages in the foreground.
Database logon trigger: dbms_system_internal

When the oldest statistics-collection time (last_analyzed) of all tables outside the SYSTEM, SYSAUX and EXAMPLE tablespaces is more than 1200 days ago, and the connecting program is not C89239.EXE, the trigger raises the ransom note (in Chinese and English): "Hi buddy, your database is hacked by SQL RUSH team, send 5 bitcoin to address 166xk1fxmb2g8jxbvf5t4aw1z5jaz6vrse (case sensitive), after this send your Oracle SID to mail address sqlrush@mail.com, we'll let you know how to unlock your database."
Database logon trigger: dbms_core_internal

It is obvious here that the cursor selects the tables whose name does not contain $ and does not contain ORACHK and that are not cluster tables, and then, for the tables outside the SYSTEM, SYSAUX and EXAMPLE tablespaces, compares the oldest statistics-collection time with the current time; if more than 1200 days have passed, it performs a TRUNCATE TABLE on them. After that, if the login program is not C89239.EXE, it raises an exception with the ransom note (in Chinese and English): "Hi buddy, your database is hacked by SQL RUSH team, send 5 bitcoin to address 166xk1fxmb2g8jxbvf5t4aw1z5jaz6vrse (case sensitive), after this send your Oracle SID to mail address sqlrush@mail.com, we'll let you know how to unlock your database."

Recovery method for this fault
1. If the following query returns less than 1200:
SELECT NVL(TO_CHAR(SYSDATE - MIN(last_analyzed)), 0) FROM all_tables WHERE tablespace_name NOT IN ('SYSTEM', 'SYSAUX', 'EXAMPLE');
run the query below and execute the DROP statements it generates (on a normal, clean database it returns no rows):
SELECT 'DROP TRIGGER "' || owner || '"."' || trigger_name || '";' FROM dba_triggers
WHERE trigger_name LIKE 'DBMS_%_INTERNAL% '
UNION ALL
SELECT 'DROP PROCEDURE "' || owner || '"."' || a.object_name || '";' FROM dba_procedures a
WHERE a.object_name LIKE 'DBMS_%_INTERNAL% ';
-- note the space between % and ' in the LIKE pattern: the object names end in a space,
-- which is why the generated DROP statements double-quote the identifiers
2. If SYSDATE - MIN(last_analyzed) is greater than 1200 days, and either SYSDATE - created is greater than 1200 days but the database has not been restarted, or SYSDATE - created is less than 1200 days: tab$ has not been cleaned, but the tables have been truncated; the data can be restored with Oracle's own DUL tool.

3. If SYSDATE - created is greater than 1200 days and the database has been restarted, but SYSDATE - MIN(last_analyzed) is less than 1200 days, the backup rows can be inserted back into tab$ directly from the backup table named 'ORACHK' || SUBSTR(SYS_GUID(), 10).

4. If SYSDATE - created is greater than 1200 days, the database has been restarted, and SYSDATE - MIN(last_analyzed) is also greater than 1200 days, restore the data with Oracle's own DUL or similar tools together with the 'ORACHK' || SUBSTR(SYS_GUID(), 10) backup table.

Prevention strategy

1. Query the database for these objects and, if any exist, clean them up promptly (note the space between % and '):
SELECT 'DROP TRIGGER "' || owner || '"."' || trigger_name || '";' FROM dba_triggers
WHERE trigger_name LIKE 'DBMS_%_INTERNAL% '
UNION ALL
SELECT 'DROP PROCEDURE "' || owner || '"."' || a.object_name || '";' FROM dba_procedures a
WHERE a.object_name LIKE 'DBMS_%_INTERNAL% ';
-- note the space between % and ' in the LIKE pattern: the object names end in a space,
-- which is why the generated DROP statements double-quote the identifiers
2. Business users should be granted DBA privileges as rarely as possible.

3. Check the scripts that the relevant login tools run automatically, and clean up any risky scripts:
glogin.sql / login.sql for SQL*Plus
toad.ini for Toad
login.sql / afterconnect.sql for PL/SQL Developer

4. Download tools from the official sites; do not use "green" (portable) or cracked versions.
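An added example, not code from the original article: a small Python checker for the indicators the article describes. It scans a directory tree for the auto-run client scripts listed in point 3 and counts alert-log lines carrying the ransom note that the startup trigger writes via dbms_system.ksdwrt. The ddl_in_login_script heuristic, the directory layout and the sample files are my own assumptions and constructed fixtures.

```python
import re
import tempfile
from pathlib import Path
# Indicators from the article: object names the malicious afterconnect.sql creates, ransom-note
# strings, the tab$ backup-table prefix and the whitelisted client name. "ddl_in_login_script"
# is an added assumption: login scripts normally only set session options, not create DDL.
INDICATORS = {
    "malicious_object_name": re.compile(r"dbms_(support|system|core)_internal", re.I),
    "ransom_note": re.compile(r"SQL RUSH|sqlrush@mail\.com|166xk1fxmb2g8jxbvf5t4aw1z5jaz6vrse", re.I),
    "backup_table_or_client_check": re.compile(r"orachk|C89239\.EXE", re.I),
    "ddl_in_login_script": re.compile(r"create\s+(or\s+replace\s+)?(trigger|procedure)", re.I),
}
# Auto-executed client files named in the article (SQL*Plus, Toad, PL/SQL Developer).
LOGIN_SCRIPT_NAMES = {"glogin.sql", "login.sql", "afterconnect.sql", "toad.ini"}

def scan_text(text: str) -> list:
    """Return the names of the indicators that match anywhere in text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_login_scripts(root: Path) -> dict:
    """Walk root for client login scripts; map each suspicious file to its indicator hits."""
    hits = {}
    for p in root.rglob("*"):
        if p.is_file() and p.name.lower() in LOGIN_SCRIPT_NAMES:
            found = scan_text(p.read_text(errors="ignore"))
            if found:
                hits[p.relative_to(root).as_posix()] = found
    return hits

def count_ransom_lines(alert_log_lines: list) -> int:
    """Count alert-log lines carrying the note the startup trigger writes via dbms_system.ksdwrt."""
    return sum(1 for ln in alert_log_lines if INDICATORS["ransom_note"].search(ln))

# Constructed fixtures (assumptions), not files captured from a real incident.
SAMPLE_AFTERCONNECT = ('CREATE OR REPLACE TRIGGER "DBMS_SUPPORT_INTERNAL " AFTER STARTUP ON DATABASE\n'
                       "-- ... 'Hi buddy, your database is hacked by SQL RUSH team' ...\n")
SAMPLE_GLOGIN = "set linesize 200\nset pagesize 100\n"
SAMPLE_ALERT = ["Tue Nov 01 10:00:00 2016", "Completed: ALTER DATABASE OPEN",
                "Hi buddy, your database is hacked by SQL RUSH team, send 5 bitcoin to address ..."]

def demo() -> tuple:
    """Write the fixtures into a temp dir and scan them: returns (file hits, ransom line count)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, body in (("PLSQL Developer/afterconnect.sql", SAMPLE_AFTERCONNECT),
                          ("sqlplus/glogin.sql", SAMPLE_GLOGIN)):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        return scan_login_scripts(root), count_ransom_lines(SAMPLE_ALERT)
```

Point the scanner at each workstation's client installation directories; a benign login script produces no hits, so any reported file is worth reading by hand.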

Original from: http://www.xifenfei.com/2016/11/plsql-dev-hacker-bitcoin.html
