ORA-600 16703故障,客户找人恢复数据库,数据库被进一步恶意破坏—ORA-00704 ORA-00922----惜分飞

有朋友找到我,数据库报ORA-600 16703错误,这个本来是一个比较常见的破坏故障(警告：互联网中有oracle介质被注入恶意程序导致—ORA-600 16703数据库启动报错如下:
 

---

修复tab$启动库报ORA-00704 ORA-00922错误

SQL> alter database Open; alter database Open * 第 1 行出现错误: ORA-01092: ORACLE instance terminated. Disconnection forced ORA-00704: bootstrap process failure ORA-00922: missing or invalid option 进程 ID: 1340 会话 ID: 191 序列号: 3

---

ORA-00704 ORA-00922是比较少见的错误,第一感觉bootstrap$损坏了,对数据库启动过程进行跟踪

PARSING IN CURSOR #11700472 len=600 dep=1 uid=0 oct=1 lid=0 tim=338738406773 hv=4034608779 ad='7ffdef83f360' sqlid='asgjp8bs7qgnb' CREATE TABLE UNDO$("US#" END OF STMT PARSE #11700472:c=0,e=361,p=0,cr=0,cu=0,mis=1,r=0,dep=1,og=4,plh=0,tim=338738406773 EXEC #11700472:c=0,e=73,p=0,cr=0,cu=0,mis=0,r=0,dep=1,og=4,plh=0,tim=338738406917 CLOSE #11700472:c=0,e=3,dep=1,type=0,tim=338738406997 ===================== PARSE ERROR #635423520:len=841 dep=1 uid=0 oct=1 lid=0 tim=338738407066 err=922 CREATE TABLE TS$<"TS#" NU ... ORA-00704: 引导程序进程失败 ORA-00922: 选项缺失或无效 ORA-00704: 引导程序进程失败 ORA-00922: 选项缺失或无效 *** 2023-05-17 19:27:51.813 USER (ospid: 1340): terminating the instance due to error 704 *** 2023-05-17 19:27:54.050 EXEC #11710688:c=0,e=2481834,p=16,cr=62,cu=0,mis=0,r=0,dep=0,og=1,plh=0,tim=338740646732 ERROR #11710688:err=1092 tim=338740646777

进一步分析bootstrap$表记录
 

---

通过上述分析,可以确认原库的CREATE TABLE TS$(“TS#”被人修改为CREATE TABLE TS$<“TS#”,通过观察客户机器以及和客户确认,客户找的技术人员上传了bbed工具,并进行了一些操作.基于上述信息,大概率是被人通过bbed工具把TS$(修改为了TS$<,从而使得数据库修复tab$之后也无法正常启动.