windows MS08-067漏洞17个生产数据库同时现ORA-0..

环境：oracle 10.2.0.1 windows 2003 server

下午快下班时１７数据库陆续crash，发生此现象后马上进行数据库重新启动，有时连续数次都无法启动数据库，一共出现２６次（连续不成功算一次），Listener也经常出现启动失败。
重新启动数据库后仍然出现同样的问题，重新启动server后数据库能正常启动一段时间，但不久以出现同样的问题。
在alert_log里可以找到下面的提示：

Mon Jun 15 17:53:53 2009
Errors in file d:\oracle\product\10.2.0\admin\uuuuu\udump\uuuuu_ora_824.trc:
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [unable_to_trans_pc] [PC:0x7C96248B] [ADDR:0xB70F0CC4] [UNABLE_TO_READ] []
ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [unable_to_trans_pc] [PC:0x7C96248B] [ADDR:0xB70F0CC4] [UNABLE_TO_READ] []
OR

Mon Jun 15 17:53:54 2009
Errors in file d:\oracle\product\10.2.0\admin\uweb\udump\uweb_ora_824.trc:
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [] [] [] [] [] []
ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [unable_to_trans_pc] [PC:0x7C96248B] [ADDR:0xB70F0CC4] [UNABLE_TO_READ] []
ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [unable_to_trans_pc] [PC:0x7C96248B] [ADDR:0xB70F0CC4] [UNABLE_TO_READ] []
OR

为对数据库crash进行规避，将数据库从共享模式改为专用模式，相关语句如下：

alter system set dispatchers='' ;

alter system set shared_servers=0;

现象：数据库crash的现象明显减少。

参考metalink上找到两个类似的文档Doc ID:  422471.1和Doc ID:  405904.1

先根据文档修改Oracle的相关参数规避数据库的crash。

为减少和数据库和OS的交到，封锁OS登录数据库的认证：

在sqlnet.ora中，封住下面的语句：

# SQLNET.AUTHENTICATION_SERVICES = (NTS)

变更二：

为加快数据库对登录会话的响应，修改下面监听的参数

Sqlnet.ora中增加下面的语句

SQLNET.INBOUND_CONNECT_TIMEOUT = 0  ---默认是６０秒

在listener.ora中增加

INBOUND_CONNECT_TIMEOUT_LISTENER =0　---默认是６０秒

故障分析

在windows的事件查看器查找相关信息　事件查看器－》  应用程序－》查看－》筛选－》事件ID:1000，可以查到若干svchost.exe的报错，有以下特点：

2       有１５台机器在第一天的１７：１１这个时间点的前后一分钟都出现了svchost.exe的报错，以后再出现svchost.exe的报错也基本是多台机器同时产生的。

2       和oracle的alert_log结合分析，在svchost.exe出错不久，数据库出现ora-07445的错误接着就crash。

2       错误模块 kernel32.dll 错误地址 0x0010568f

在网上找到一篇文章的错误地址和这个错误地址完全一样：

http://www.jd100.net/gb/gbshow.asp?id=9259

解决方法:是windows MS08-067漏洞，打上KB958644即可。

在windows的下面两个网页中可以找到对这个漏洞的说明和解决办法。

http://www.microsoft.com/china/technet/security/bulletin/MS08-067.mspx

http://support.microsoft.com/kb/958644/zh-cn

可能是 W32.downadup.B型蠕虫病毒

参考文档：

Oracle　metalink　 Doc ID:  422471.1和Doc ID:  405904.1

Windows:

http://www.microsoft.com/china/technet/security/bulletin/MS08-067.mspx

http://support.microsoft.com/kb/958644/zh-cn

其它：

http://www.jd100.net/gb/gbshow.asp?id=9259