
A simple defence against Bitcoin ransomware targeting Oracle databases

From 2017 up to now in 2018 we have kept receiving reports from new and existing customers whose Oracle databases were hit by this kind of malicious script, and we have accumulated a few countermeasures against it. This post briefly describes two easy passive defences:

1. Occupy the object names the attack script creates (the simplest and crudest method)

DBMS_SUPPORT_INTERNAL

DBMS_SYSTEM_INTERNAL

DBMS_CORE_INTERNAL

Pre-create objects with these three names so that the names are already taken.

2. Actively block trigger creation

Block DDL operations for the main DBA users; the statements are of the same form and are not repeated here.
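The two defences above, written out as an added example (my own code, not the post's). The schema name APPUSER and the account list in the trigger are placeholders to adapt to your environment; the trigger is the kind of "block DDL" statement the post refers to without showing.

```sql
-- Added example, not the post's own code. APPUSER and the IN-list are placeholders.

-- 1. Occupy the three names listed in the post. A table is a better placeholder
--    than an empty procedure: tables and procedures share one namespace, so a
--    later CREATE OR REPLACE PROCEDURE with the same name fails with ORA-00955
--    instead of silently replacing the placeholder. Repeat in every schema that
--    application connections use.
CREATE TABLE appuser.dbms_support_internal (placeholder CHAR(1));
CREATE TABLE appuser.dbms_system_internal  (placeholder CHAR(1));
CREATE TABLE appuser.dbms_core_internal    (placeholder CHAR(1));

-- 2. Database-level DDL trigger: reject CREATE TRIGGER from the listed
--    application accounts, and refuse to DROP the placeholder objects above.
CREATE OR REPLACE TRIGGER sys.guard_ddl
  BEFORE DDL ON DATABASE
DECLARE
  reserved_names CONSTANT VARCHAR2(200) :=
    ',DBMS_SUPPORT_INTERNAL,DBMS_SYSTEM_INTERNAL,DBMS_CORE_INTERNAL,';
BEGIN
  IF ora_sysevent = 'CREATE' AND ora_dict_obj_type = 'TRIGGER'
     AND ora_login_user IN ('APPUSER') THEN
    RAISE_APPLICATION_ERROR(-20001,
      'CREATE TRIGGER is not permitted for ' || ora_login_user);
  END IF;
  IF ora_sysevent = 'DROP'
     AND INSTR(reserved_names, ',' || ora_dict_obj_name || ',') > 0 THEN
    RAISE_APPLICATION_ERROR(-20002,
      'Dropping reserved placeholder ' || ora_dict_obj_name || ' is blocked');
  END IF;
END;
/

-- 3. Detection: list any object other than our placeholder tables that already
--    carries one of the reserved names, newest first.
SELECT owner, object_name, object_type, created
  FROM dba_objects
 WHERE object_name IN ('DBMS_SUPPORT_INTERNAL', 'DBMS_SYSTEM_INTERNAL',
                       'DBMS_CORE_INTERNAL')
   AND object_type <> 'TABLE'
 ORDER BY created DESC;
```

The trigger fires on every DDL statement database-wide, so try it on a test instance first; accounts not in the IN-list keep their normal CREATE TRIGGER privilege.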

Repairing partial application failures caused by corrupt blocks in an index on OBJ$

There are several ways to deal with this problem. Depending on the data volume and on whether the business can tolerate downtime, the emergency approaches fall into the following categories:

I. Determining where the corrupt block sits in the index

1.1 If there are few corrupt blocks and they all sit near the front of the index (what counts as "the front" differs by version, because the number of objects differs by version; think of it as the highest block address of the index OBJ$ shipped with at database creation), then when the corrupt block lies before that position there is a convenient fix: create an identical database and use bbed copy (much simpler and less error-prone than dd) to copy the block at the corresponding position over the damaged block, then apply. (If the block belongs to the obj$ table itself, remember to also fix the corresponding create time in obj$; the database then returns to normal. A case of this was described earlier.)

1.2 If the corrupt blocks sit towards the end of the index, or there are many of them, i.e. the indexed objects were created later, things are harder. Fortunately the data in obj$ itself is intact, and I suggest one of two methods:

1.2.1 Disable the obj$ index. This requires modifying the base table and was described in an earlier article. It is generally used when the database is large, for example tens or hundreds of TB of data, or when the business cannot accept a long outage.

1.2.2 When the data volume is small, another option is to export the data with exp and rebuild from it. Normally exp cannot be used directly at this point and the catexp.sql script is needed; for the details see the article "Corruptions on OBJ$ indexes" on this blog.
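To support the decision in 1.1 versus 1.2, here is an added query (mine, not the post's) that maps each corrupt block to the OBJ$ index extent containing it and reports how far into that index the block sits. It assumes the database is open and that an RMAN VALIDATE (or BACKUP VALIDATE) has already populated V$DATABASE_BLOCK_CORRUPTION.

```sql
-- Added example, not from the post. Assumes: database OPEN, and
-- "RMAN> VALIDATE DATABASE;" already run so V$DATABASE_BLOCK_CORRUPTION is filled.
WITH obj_idx AS (
  SELECT e.segment_name, e.file_id, e.block_id, e.blocks, e.extent_id,
         -- blocks in all earlier extents of the same index
         SUM(e.blocks) OVER (PARTITION BY e.segment_name
                             ORDER BY e.extent_id
                             ROWS BETWEEN UNBOUNDED PRECEDING AND 1 PRECEDING)
           AS blocks_before,
         SUM(e.blocks) OVER (PARTITION BY e.segment_name) AS total_blocks
    FROM dba_extents e
   WHERE e.owner = 'SYS'
     AND e.segment_type = 'INDEX'
     AND e.segment_name IN (SELECT index_name
                              FROM dba_indexes
                             WHERE owner = 'SYS' AND table_name = 'OBJ$')
)
SELECT c.file#, c.block#, c.blocks AS corrupt_blocks, c.corruption_type,
       i.segment_name AS index_name, i.extent_id,
       -- 1-based position of the corrupt block within the whole index
       NVL(i.blocks_before, 0) + (c.block# - i.block_id) + 1 AS block_ordinal,
       i.total_blocks
  FROM v$database_block_corruption c
  JOIN obj_idx i
    ON i.file_id = c.file#
   AND c.block# BETWEEN i.block_id AND i.block_id + i.blocks - 1
 ORDER BY index_name, block_ordinal;
```

A low block_ordinal relative to total_blocks (inside the extents the index had at database creation) is the 1.1 case; a high one, or many rows, points to 1.2.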

 

Oracle bootstrap$ explained

What is bootstrap?

Bootstrap is a technique for loading the first few instructions of a computer program into active memory and then using them to bring in the rest of the program.

What is bootstrap in Oracle?

In Oracle, bootstrap refers to loading the metadata (data dictionary) before the database is OPENed. Bootstrap objects are the objects (tables, indexes, clusters) with an object_id below 56. These objects are mandatory to bring up an instance, since they contain the most important metadata of the database.

What happens on database startup?

This can be illustrated by setting SQL_TRACE while opening the database. Connect as sysdba and do the following:
SQL> startup mount;
SQL> alter session set events '10046 trace name context forever, level 12';
SQL> alter database open;
SQL> alter session set events '10046 trace name context off';
SQL> oradebug setmypid
SQL> oradebug tracefile_name
The sql_trace of the above process shows the following operations behind startup. The bootstrap operation happens between the MOUNT stage and the OPEN stage.
1.) The first SQL in the above trace shows the creation of the bootstrap$ table, similar to the following:
create table bootstrap$ ( line# number not null, obj# number not null, sql_text varchar2(4000) not null) storage (initial 50K objno 56 extents (file 1 block 377))
This sys.bootstrap$ table contains the DDL for the other bootstrap tables (object_id below 56). These tables were actually created internally at database creation time (by sql.bsq); the create DDL passed between the MOUNT and OPEN stages is executed through different driver routines. In simple words, these are not standard CREATE DDLs.
While starting up the database, Oracle loads these objects into memory (the shared pool): it assigns the relevant object number and refers to the datafile and the block associated with it. Such operations happen only during a warm startup.
The internals of the above are explained in 'kqlb.c'.
2.) Next a query is executed against sys.bootstrap$, which holds the create SQL for the other base tables:
select line#, sql_text from bootstrap$ where obj# != :1 (56)
Subsequently those objects are created by running those statements.
Object number 0: System Rollback Segment
Object numbers 2 to 55: other base tables
Object number 1 is NOT used by any object.
3.) Various operations are performed to keep the bootstrap objects in a consistent state.
Upon successful completion of bootstrap, the database performs its other tasks, such as recovery, and opens.

Which objects are classified as bootstrap objects in an Oracle database?

Objects with a data_object_id less than 56 are classified as core bootstrap objects. Further objects are added to the bootstrap. The objects affected are:

hist_head$
histgrm$
i_hh_obj#_col#
i_hh_obj#_intcol#
i_obj#_intcol#
i_h_obj#_col#
c_obj#_intcol#
From 10.1 the following objects have been added:
fixed_obj$
tab_stats$
ind_stats$
i_fixed_obj$_obj#
i_tab_stats$_obj#
i_ind_stats$_obj#
object_usage
These additional objects can be re-classified (or ignored) by the following methods:
1. Opening the database in migrate mode
2. Using event 38003
Event 38003 affects the bootstrap process of loading the fixed cache in kqlblfc(). By default certain objects are marked as bootstrap objects (even though they are not defined as such in sys.bootstrap$), but when the event is set they are left non-bootstrapped.

What is a bootstrap process failure, or ORA-00704?

ORA-00704 is SERIOUS if reported at startup. It indicates a problem during the bootstrap operation. Any ORA-00704 on STARTUP / RECOVER is serious; it normally arises from an inconsistency in the bootstrap segments, data corruption in bootstrap$, or corruption in any of the base tables with object_id below 56. After this error the database may no longer open.

When can ORA-00704 occur?

1. This error is likely when unsupported operations are used to force the database open.
2. It can also occur when the SYSTEM datafile has corrupted blocks (ORA-01578).
3. In earlier releases of Oracle (prior to 7.3.4 and 8.0.3) it can arise from Bug 434596.
The option is to restore from a good backup and recover.
-> If the underlying cause is physical corruption due to hardware problems, perform complete recovery.
-> If the issue is not related to any physical corruption, the problem could be due to unsupported actions on the bootstrap, and a point-in-time recovery would be an option in such a case.

12 August: another encounter with the Bitcoin ransomware, this time a variant.

We ran into this problem in the production database of a domestic car manufacturer.

Compared with the 2016 incident, the virus had mutated and gained two additional stored procedures. At the time the customer's production database was less than two hours short of 1200 days, but fortunately there was still a backup.

So we quietly cheated: we changed the system time, restored from the backup, deleted the related triggers and stored procedures, and the system was back in operation. We did, however, advise the customer to do a clean Data Pump export of the data.

Corruptions on OBJ$ indexes: one way to handle corrupt indexes on OBJ$ (when the data volume is small; as long as the business allows downtime, the data volume can be ignored)

INTERNAL: Corruptions on OBJ$ indexes (Doc ID 39400.1)

To export a system when there are corruptions on the indexes on OBJ$:

- Take a FULL COLD BACKUP.

- Connect internal in SQLDBA and, assuming your default tablespace is SYSTEM and you have some free space:

create table pig$ as select * from obj$;

create unique index p_obj1 on pig$(obj#);

create unique index p_obj2 on pig$(owner#, name, namespace, remoteowner, linkname);

- Now edit the catexp.sql script (take a safe copy first). This is generally located in the RDBMS/ADMIN directory. Edit it to change ALL references to the table 'OBJ$' so that they now reference 'PIG$'.

- Connect internal in SQLDBA and run this new CATEXP.SQL.

- Perform a FULL export.

- Shut down the database and delete it.

- Recreate the database from scratch with a CREATE DATABASE command. Ensure you set up a second rollback segment for non-SYSTEM tablespace use on the import.

- Perform a FULL import.