360 Security incident write-up: the Oracle database ransomware RushQL is back
Other remediation write-ups: https://blog.csdn.net/weixin_38467835/article/details/105261839
- Check how old the database is. The malware only fires its destructive payload once the database has been in use for more than 1200 days, and it measures that age not from the creation timestamp but from the oldest LAST_ANALYZED date across non-system tables. The query below is the same check the malicious trigger performs (it returns 0 when no table has ever been analyzed):
SELECT NVL(TO_CHAR(SYSDATE-MIN(LAST_ANALYZED)),0) FROM ALL_TABLES WHERE TABLESPACE_NAME NOT IN ('SYSTEM','SYSAUX','EXAMPLE');
1. Find the malicious stored procedures and triggers
Four name patterns are involved (the original list repeated two of the queries; the repeats are dropped here). The patterns are wildcarded on both sides because RushQL frequently creates its objects with a trailing space in the name, for example "DBMS_SUPPORT_INTERNAL ", so an exact-match lookup would miss them. Each query returns both the procedure and the trigger of that name, with the owning schema:
SELECT owner,created,object_name,object_type FROM dba_objects WHERE object_name LIKE '%DBMS_SUPPORT_INTERNAL%';
SELECT owner,created,object_name,object_type FROM dba_objects WHERE object_name LIKE '%DBMS_STANDARD_FUN9%';
SELECT owner,created,object_name,object_type FROM dba_objects WHERE object_name LIKE '%DBMS_SYSTEM_INTERNAL%';
SELECT owner,created,object_name,object_type FROM dba_objects WHERE object_name LIKE '%DBMS_CORE_INTERNAL%';
- Drop the procedures and triggers returned by the queries above
The %...% placeholders below stand for the exact OBJECT_NAME (and, if you are not connected as the owner, the OWNER) reported by DBA_OBJECTS; substitute the real names before running, as the statements are not valid SQL as written:
DROP PROCEDURE %DBMS_SUPPORT_INTERNAL%;
DROP PROCEDURE %DBMS_STANDARD_FUN9%;
DROP PROCEDURE %DBMS_SYSTEM_INTERNAL%;
DROP PROCEDURE %DBMS_CORE_INTERNAL%;
DROP TRIGGER %DBMS_SUPPORT_INTERNAL%;
DROP TRIGGER %DBMS_SYSTEM_INTERNAL%;
DROP TRIGGER %DBMS_CORE_INTERNAL%;
If a DROP reports that the object does not exist even though the query found it, the name contains a trailing space. Oracle strips whitespace from unquoted identifiers, so put the name in double quotes to keep the space exactly as stored:
DROP PROCEDURE "DBMS_SUPPORT_INTERNAL ";
2. Remove the malicious jobs:
DELETE FROM dba_jobs WHERE schema_user='username' AND what LIKE '%truncate%';
Replace username with the schema that owns the malicious objects. This deletes rows of SYS.JOB$ through the DBA_JOBS view, so it must be run as SYS and followed by COMMIT. Review the matching rows before deleting, because '%truncate%' also matches any legitimate maintenance job whose text contains that word; the supported alternative is DBMS_JOB.REMOVE(job) executed as the job's owner.
This step can take a long time; in my case the query turned up more than four hundred thousand malicious jobs.
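The steps above as one PL/SQL block. This is an added example, not code from the 360 write-up or from the linked article: it runs the same age check as the trigger, lists every object matching the four RushQL name patterns, drops them with double-quoted identifiers so trailing spaces are preserved, and removes the queued jobs through SYS.DBMS_IJOB.REMOVE (an internal, undocumented SYS package that can remove jobs owned by any schema; if you would rather stay on documented APIs, run DBMS_JOB.REMOVE as each job owner instead). The job filter combines the page's '%truncate%' pattern with the procedure names; that the malicious jobs reference those names is an assumption. v_dry_run is a hypothetical switch: leave it TRUE, review the DBMS_OUTPUT listing, then set it to FALSE and rerun as SYS.

```sql
-- Added example (not from the original write-up). Run as SYS in SQL*Plus.
SET SERVEROUTPUT ON SIZE UNLIMITED
DECLARE
  v_dry_run  BOOLEAN := TRUE;      -- TRUE = list only; FALSE = drop and remove
  v_age_days NUMBER;
  v_sql      VARCHAR2(4000);
  v_count    PLS_INTEGER := 0;
  v_tag      VARCHAR2(16);
BEGIN
  v_tag := CASE WHEN v_dry_run THEN '[dry-run] ' ELSE '' END;

  -- 1. The age test the malicious trigger performs: payload fires past 1200 days.
  SELECT NVL(SYSDATE - MIN(last_analyzed), 0)
    INTO v_age_days
    FROM all_tables
   WHERE tablespace_name NOT IN ('SYSTEM', 'SYSAUX', 'EXAMPLE');
  DBMS_OUTPUT.PUT_LINE('Oldest LAST_ANALYZED is ' || ROUND(v_age_days) ||
                       ' days old (trigger threshold: 1200)');

  -- 2. Malicious procedures, functions and triggers. Wildcards on both sides
  --    because RushQL often pads the object name with a trailing space.
  FOR o IN (
    SELECT owner, object_name, object_type
      FROM dba_objects
     WHERE object_type IN ('PROCEDURE', 'FUNCTION', 'TRIGGER')
       AND (   object_name LIKE '%DBMS_SUPPORT_INTERNAL%'
            OR object_name LIKE '%DBMS_STANDARD_FUN9%'
            OR object_name LIKE '%DBMS_SYSTEM_INTERNAL%'
            OR object_name LIKE '%DBMS_CORE_INTERNAL%')
  ) LOOP
    -- Double-quoted identifiers keep the trailing space; an unquoted
    -- DROP PROCEDURE DBMS_SUPPORT_INTERNAL would report "does not exist".
    v_sql := 'DROP ' || o.object_type || ' "' || o.owner || '"."' ||
             o.object_name || '"';
    DBMS_OUTPUT.PUT_LINE(v_tag || v_sql);
    IF NOT v_dry_run THEN
      EXECUTE IMMEDIATE v_sql;
    END IF;
    v_count := v_count + 1;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE(v_count || ' malicious object(s) matched');

  -- 3. Jobs queued by the malware. Removed through the job API rather than by
  --    deleting from the DBA_JOBS view; as SYS, DBMS_IJOB.REMOVE works for any
  --    owner. Only the first 50 matches are printed so a 400k-job backlog
  --    does not flood the output; the count at the end covers all of them.
  v_count := 0;
  FOR j IN (
    SELECT job, schema_user, what
      FROM dba_jobs
     WHERE UPPER(what) LIKE '%TRUNCATE%'          -- the page's pattern
        OR what LIKE '%DBMS_SUPPORT_INTERNAL%'    -- assumed: jobs call the
        OR what LIKE '%DBMS_SYSTEM_INTERNAL%'     -- dropped procedures
        OR what LIKE '%DBMS_CORE_INTERNAL%'
  ) LOOP
    IF v_count < 50 THEN
      DBMS_OUTPUT.PUT_LINE(v_tag || 'remove job ' || j.job || ' (' ||
                           j.schema_user || '): ' || SUBSTR(j.what, 1, 80));
    END IF;
    IF NOT v_dry_run THEN
      SYS.DBMS_IJOB.REMOVE(j.job);
    END IF;
    v_count := v_count + 1;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE(v_count || ' job(s) matched');

  IF NOT v_dry_run THEN
    COMMIT;   -- DBMS_IJOB.REMOVE modifies SYS.JOB$ and needs a commit
  END IF;
END;
/
```

Review the dry-run listing line by line before the real run: '%TRUNCATE%' is a broad pattern and will also catch any legitimate maintenance job whose text truncates a staging table, and the object list should only ever show names from the four RushQL patterns in application schemas, never Oracle's own DBMS_SUPPORT, DBMS_STANDARD or DBMS_SYSTEM packages.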