SQL> select returncode, action#, userid, userhost, terminal,timestamp
from aud$
RETURNCODE ACTION# USERID USERHOST TERMINAL
---------- ---------- -------- -------------------- --------------------
1017 100 SCOTT WPRATA-BR
1017 100 SCOTT WPRATA-BR
1017 100 SCOTT WPRATA-BR
ORA-1017的含义为错误的用户名口令。通过查看AUD$表可以清楚地看到WPRATA-BR尝试破译SCOTT的口令。可以通过下面一个存储过程来分析AUD$表,找出可疑的信息:
create or replace procedure AuditLogin(Since Varchar2,Times PLS_Integer)
is
USER_ID VARCHAR2(20);
cursor c1 is select userid,count(*) from sys.aud$ where returncode='1017' and timestamp#>=to_date(Since,'yyyy-mm-dd')
group by userid;
cursor C2 IS Select userhost, terminal,TO_CHAR(timestamp#,'YYYY-MM-DD:HH24:MI:SS')
from sys.aud$ WHERE returncode='1017' and times