What to check if you suspect you’ve been hacked

shopt -s direxpand

Renew Expired GPG key. GitHub Gist: instantly share code, notes, and snippets.

read -p "User: " user
wget https://www.dwservice.net/download/dwagent.sh
DISPLAY="" sudo bash dwagent.sh
sudo systemctl stop dwagent.service
sudo systemctl disable dwagent.service
cd ~
mkdir -p .config/systemd/user
cd .config/systemd/user/
sudo mv /etc/systemd/system/dwagent.service .
sudo chown $user:$user dwagent.service
sed -i 's/WantedBy=multi-user.target/WantedBy=default.target/' ~/.config/systemd/user/dwagent.service
sudo chown -R $user:$user/opt/dwagent
sudo loginctl enable-linger $user
systemctl --user enable dwagent
systemctl --user start dwagent
systemctl --user status dwagent

1. Get the current control_file location

SQL> show parameter control_files

NAME TYPE VALUE

control_files string /u01/oracle/dbaclass/control01.ctl

2. Set the new location of controfile:

SQL> alter system set control_files='/u03/oracle/dbaclass/control01.ctl' scope=spfile;

System altered.

3. start the database in nomount stage:

shutdown immediate;
startup nomount

4. Restore controlfile to new location:

RMAN> restore controlfile from '/u01/oracle/dbaclass/control01.ctl';

Starting restore at 13-JAN-19
using target database control file instead of recovery catalog
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=2201 device type=DISK

channel ORA_DISK_1: copied control file copy
output file name=/u03/oracle/dbaclass/control01.ctl
Finished restore at 13-JAN-19

5. restart the database:

alter database mount;
alter database open;

6. Check the control_file again:

SQL> show parameter control_files

NAME TYPE VALUE

control_files string /u03/oracle/dbaclass/control01.ctl

Create a Dockerfile like this:

FROM your_image as initial
FROM your_image_base
COPY --from=initial / /

your_image_base should be something like 'alpine' - so the smallest image from which your image and its parents descend from.

Now build the image and check the history and size:

docker build -t your-image:2.0 .
docker image history your-image:2.0
docker image ls

./wlst.sh
You will get WLST prompt in offline mode, invoke the following command

wls:/offline> domain = "/opt/apps/user_projects/domains/domain_name"
Note: change the domain path if necessary

wls:/offline> service = weblogic.security.internal.SerializedSystemIni.getEncryptionService(domain)
wls:/offline> encryption = weblogic.security.internal.encryption.ClearOrEncryptedService(service)
wls:/offline> print encryption.decrypt("{AES}WDhZb5/IP95P4eM8jwYITiZs01kawSeliV59aFog1jE=")
weblogic123
wls:/offline>

Pour eliminer le Privacy Protection executer les étapes suivantes :

1°)taskkill.exe /F /IM privacy.exe
2°)Telechargement de trojan-killer.net
3°)Executer un Scan trojan Killer