Database Reference
In-Depth Information
Data Files as Source of SQL Statements
The data files named *.dbf contain data persisted in the block until overwritten by new data, after the block has
been completely filled, which may take a long time. This fact can be useful for identifying objects that have been
deleted post-exploitation to cover up tracks; for instance, deleted DBlinks. This will only be the case until the block
is overwritten, which means that a quick response may well be needed to catch the deleted object. DBlinks are not
specifically announced in v$session, but this is where the third source of data on DB usage comes into play, because
on more recent versions of Oracle, DBlinks are recorded in SYS.AUD$.COMMENT$TEXT, as demonstrated from 11.2.0.1
to 11.2.0.2 below:
select userid, terminal, comment$text from sys.aud$ where comment$text like 'DBLINK%';
USERID NTIMESTAMP# USERHOST COMMENT$TEXT
------------ ----------------- ------- --------------
DBLINK_ACCOUNT 19-NOV-12 01.42.16.305194000 orlin DBLINK_INFO: (SOURCE_GLOBAL_NAME=orcl.4294967295)
DBLINK_ACCOUNT 19-NOV-12 01.42.17.086395000 orlin DBLINK_INFO: (SOURCE_GLOBAL_NAME=orcl.4294967295)
An immediate response to the above is: How does Oracle know they are incoming links? And the answer to this
is immediately viewable in a packet capture of a SELECT through a DBlink, as shown in the next figure. Basically, the
client tells the DB that the source is a DBlink, as can be seen in Figure 11-2 .
Figure 11-2. Network capture of DBlink showing new DBLINK_INFO field
 
Search WWH ::




Custom Search