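Case Analysis: Recovering from an Oracle Ransomware Failure

Problem Discovery

        Recently a customer's database instance could not be connected to. On inspection, the instance was reporting the following errors: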

Fri Apr 05 11:32:24 2024
Starting background process SMCO
Fri Apr 05 11:32:24 2024
SMCO started with pid=24, OS id=5520 
Completed: alter database open
Fri Apr 05 11:32:27 2024
Errors in file D:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\trace\orcl_m004_5452.trc  (incident=99831):
ORA-00600: internal error code, arguments: [kgmfvmi#3], [], [], [], [], [], [], [], [], [], [], []
Incident details in: D:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\incident\incdir_99831\orcl_m004_5452_i99831.trc
Use ADRCI or Support Workbench to package the incident.
See Note 411.1 at My Oracle Support for error and packaging details.
Errors in file D:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\trace\orcl_m004_5452.trc  (incident=99832):
ORA-00600: internal error code, arguments: [kgmfvmi#3], [], [], [], [], [], [], [], [], [], [], []
Incident details in: D:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\incident\incdir_99832\orcl_m004_5452_i99832.trc
Fri Apr 05 11:32:29 2024
Dumping diagnostic data in directory=[cdmp_20240405113229], requested by (instance=1, osid=5452 (M004)), summary=[incident=99831].
Use ADRCI or Support Workbench to package the incident.
See Note 411.1 at My Oracle Support for error and packaging details.
Exception [type: ACCESS_VIOLATION, UNABLE_TO_READ] [ADDR:0x10] [PC:0x1CBF7F9, kgmdelsis()+121]
ERROR: Unable to normalize symbol name for the following short stack (at offset 213):
dbgexProcessError()+200<-dbgeExecuteForError()+65<-dbgePostErrorKGE()+2269<-dbkePostKGE_kgsf()+77<-kgeade()+562<-kgerelv()+151<-kgerev()+45<-kgerec5()+60<-sss_xcpt_EvalFilterEx()+1862<-sss_xcpt_EvalFilter()+174<-.1.4_5+59<-00007FFCD1106506<-00007FFCD111A49D<-00007FFCD10AFD43<-00007FFCD111960A<-kgmdelsis()+121<-pfrouidc_inst_del_cleanup()+29<-pliodl()+726<-kgidlt()+265<-kgiCleanSessionState()+247<-PGOSF776_ksuxds()+1265<-kssdel()+191<-kssdch()+8182<-ksudlc()+325<-kssdel()+191<-ksupop()+831<-ksvrdp()+4559<-opirip()+904<-opidrv()+906<-sou2o()+98<-opimai_real()+280<-opimai()+191<-BackgroundThreadStart()+646<-00007FFCD0EC84D4<-00007FFCD10DE871
Errors in file D:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\trace\orcl_m004_5452.trc  (incident=99833):
ORA-07445: exception encountered: core dump [kgmdelsis()+121] [ACCESS_VIOLATION] [ADDR:0x10] [PC:0x1CBF7F9] [UNABLE_TO_READ] []
ORA-00600: internal error code, arguments: [kgmfvmi#3], [], [], [], [], [], [], [], [], [], [], []
Incident details in: D:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\incident\incdir_99833\orcl_m004_5452_i99833.trc
Use ADRCI or Support Workbench to package the incident.

        After seeing the errors above, the customer tried to start the instance, which failed with the following errors:

Started redo scan
Completed redo scan
 read 0 KB redo, 0 data blocks need recovery
Started redo application at
 Thread 1: logseq 1367, block 2, scn 22801945
Recovery of Online Redo Log: Thread 1 Group 2 Seq 1367 Reading mem 0
  Mem# 0: D:\APP\ADMINISTRATOR\ORADATA\ORCL\REDO02.LOG
Completed redo application of 0.00MB
Completed crash recovery at
 Thread 1: logseq 1367, block 3, scn 22821947
 0 data blocks read, 0 data blocks written, 0 redo k-bytes read
Thread 1 advanced to log sequence 1368 (thread open)
Thread 1 opened at log sequence 1368
  Current log# 3 seq# 1368 mem# 0: D:\APP\ADMINISTRATOR\ORADATA\ORCL\REDO03.LOG
Successful open of redo thread 1
MTTR advisory is disabled because FAST_START_MTTR_TARGET is not set
SMON: enabling cache recovery
Errors in file D:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\trace\orcl_ora_5872.trc  (incident=171810):
ORA-00600: ??????, ??: [16703], [1403], [20], [], [], [], [], [], [], [], [], []
Incident details in: D:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\incident\incdir_171810\orcl_ora_5872_i171810.trc
Use ADRCI or Support Workbench to package the incident.
See Note 411.1 at My Oracle Support for error and packaging details.
Errors in file D:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\trace\orcl_ora_5872.trc:
ORA-00704: ????????
ORA-00704: ????????
ORA-00600: ??????, ??: [16703], [1403], [20], [], [], [], [], [], [], [], [], []
Errors in file D:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\trace\orcl_ora_5872.trc:
ORA-00704: ????????
ORA-00704: ????????
ORA-00600: ??????, ??: [16703], [1403], [20], [], [], [], [], [], [], [], [], []
Error 704 happened during db open, shutting down database
USER (ospid: 5872): terminating the instance due to error 704
Instance terminated by USER, pid = 5872
ORA-1092 signalled during: alter database open...
opiodr aborting process unknown ospid (5872) as a result of ORA-1092
Sun Apr 07 08:15:39 2024
ORA-1092 : opitsk aborting process

        The corresponding trc log is as follows:

Trace file D:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\trace\orcl_ora_5872.trc
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Windows NT Version V6.2  
CPU                 : 4 - type 8664, 2 Physical Cores
Process Affinity    : 0x0x0000000000000000
Memory (Avail/Total): Ph:12217M/16383M, Ph+PgF:7342M/16399M 
Instance name: orcl
Redo thread mounted by this instance: 1
Oracle process number: 19
Windows thread id: 5872, image: ORACLE.EXE (SHAD)


*** 2024-04-07 08:15:35.548
*** SESSION ID:(3394.3) 2024-04-07 08:15:35.548
*** CLIENT ID:() 2024-04-07 08:15:35.548
*** SERVICE NAME:() 2024-04-07 08:15:35.548
*** MODULE NAME:(oradim.exe) 2024-04-07 08:15:35.548
*** ACTION NAME:() 2024-04-07 08:15:35.548
 
Successfully allocated 3 recovery slaves
Using 45 overflow buffers per recovery slave
Thread 1 checkpoint: logseq 1367, block 2, scn 22801945
    on-disk rba: logseq 1365, block 6245, scn 22761936
  start recovery at logseq 1367, block 2, scn 22801945

*** 2024-04-07 08:15:35.595
Started writing zeroblks thread 1 seq 1367 blocks 3-10

*** 2024-04-07 08:15:35.595
Completed writing zeroblks thread 1 seq 1367
==== Redo read statistics for thread 1 ====
Total physical reads (from disk and memory): 4096Kb
-- Redo read_disk statistics --
Read rate (ASYNC): 0Kb in 0.04s => 0.01 Mb/sec
Longest record: 0Kb, moves: 0/1 (0%)
Longest LWN: 0Kb, moves: 0/1 (0%), moved: 0Mb
Last redo scn: 0x0000.015bee1a (22801946)
----------------------------------------------
----- Recovery Hash Table Statistics ---------
Hash table buckets = 262144
Longest hash chain = 0
Average hash chain = 0/0 = 0.0
Max compares per lookup = 0
Avg compares per lookup = 0/0 = 0.0
----------------------------------------------

*** 2024-04-07 08:15:35.611
KCRA: start recovery claims for 0 data blocks

*** 2024-04-07 08:15:35.611
KCRA: blocks processed = 0/0, claimed = 0, eliminated = 0

*** 2024-04-07 08:15:35.611
Recovery of Online Redo Log: Thread 1 Group 2 Seq 1367 Reading mem 0

*** 2024-04-07 08:15:35.611
Completed redo application of 0.00MB

*** 2024-04-07 08:15:35.626
Completed recovery checkpoint
----- Recovery Hash Table Statistics ---------
Hash table buckets = 262144
Longest hash chain = 0
Average hash chain = 0/0 = 0.0
Max compares per lookup = 0
Avg compares per lookup = 0/0 = 0.0
----------------------------------------------
Recovery sets nab of thread 1 seq 1367 to 3 with 8 zeroblks

*** 2024-04-07 08:15:36.173
Incident 171810 created, dump file: D:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\incident\incdir_171810\orcl_ora_5872_i171810.trc
ORA-00600: ??????, ??: [16703], [1403], [20], [], [], [], [], [], [], [], [], []

ORA-00704: ????????
ORA-00704: ????????
ORA-00600: ??????, ??: [16703], [1403], [20], [], [], [], [], [], [], [], [], []
ORA-00704: ????????
ORA-00704: ????????
ORA-00600: ??????, ??: [16703], [1403], [20], [], [], [], [], [], [], [], [], []

*** 2024-04-07 08:15:37.064
USER (ospid: 5872): terminating the instance due to error 704

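Problem Analysis:

        Well, it is the classic ORA-600 16703 1403 20 error again. This error appears only in the China region: the database installation media had a trojan planted in it, and once more than 300 days have passed since the database was created, restarting the database empties the tab$ base table.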
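
Added example (not from the original post): a Python scanner that picks the error signature described above out of an alert log. It matches on the bracketed arguments rather than the message text, because the text is localized and shows up as `??????` in this log; the sample log is assembled from the excerpts above with a constructed timestamp, and the function names are illustrative.

```python
import re

# Timestamp line that opens an alert-log entry, e.g. "Sun Apr 07 08:15:39 2024".
TS_RE = re.compile(
    r"^(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4}$")
TRACE_RE = re.compile(r"^Errors in file (\S+\.trc)")
# Skip whatever text sits between the error code and the first bracket: it is
# localized and may be garbled, so only the first three arguments are captured.
ORA600_RE = re.compile(r"^ORA-00600:[^\[]*\[([^\]]*)\], \[([^\]]*)\], \[([^\]]*)\]")
TERMINATE_RE = re.compile(r"terminating the instance due to error (\d+)")
SIGNATURE = ("16703", "1403", "20")


def scan_alert_log(text):
    """Return one finding per ORA-00600 line, with timestamp and trace file."""
    findings, current_ts, last_trace = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if TS_RE.match(line):
            current_ts = line
            continue
        m = TRACE_RE.match(line)
        if m:
            last_trace = m.group(1)
            continue
        m = ORA600_RE.match(line)
        if m:
            findings.append({"timestamp": current_ts, "trace": last_trace,
                             "args": m.groups(),
                             "signature": m.groups() == SIGNATURE})
            continue
        m = TERMINATE_RE.search(line)
        if m and findings:
            # Tie the instance termination to the error reported just before it.
            findings[-1]["terminated_on"] = int(m.group(1))
    return findings


def summarize(findings):
    hits = [f for f in findings if f["signature"]]
    return {
        "signature_hits": len(hits),
        "traces": sorted({f["trace"] for f in hits if f["trace"]}),
        "open_failed_704": any(f.get("terminated_on") == 704 for f in hits),
    }


# Constructed sample: lines taken from the excerpts above, timestamp added.
SAMPLE_ALERT_LOG = r"""Fri Apr 05 11:32:27 2024
Errors in file D:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\trace\orcl_m004_5452.trc  (incident=99831):
ORA-00600: internal error code, arguments: [kgmfvmi#3], [], [], [], [], [], [], [], [], [], [], []
Sun Apr 07 08:15:35 2024
SMON: enabling cache recovery
Errors in file D:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\trace\orcl_ora_5872.trc  (incident=171810):
ORA-00600: ??????, ??: [16703], [1403], [20], [], [], [], [], [], [], [], [], []
Errors in file D:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\trace\orcl_ora_5872.trc:
ORA-00704: ????????
ORA-00600: ??????, ??: [16703], [1403], [20], [], [], [], [], [], [], [], [], []
USER (ospid: 5872): terminating the instance due to error 704
"""

if __name__ == "__main__":
    print(summarize(scan_alert_log(SAMPLE_ALERT_LOG)))
```
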

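Solution Approach:

Backup and restore:

        For this kind of problem, having a backup is the best way to handle it. With a logical backup, restore it directly into another database; an instance recovered this way may lose some data. With an RMAN media backup, first try restoring the system tablespace, run recover after the restore, rebuild the control file once recover has completed, and then open the database.

Replacing blocks with BBED:

        Without a backup, the repair has to be done with the bbed tool. The customer's failed database was on Windows, and from 10G onward installing bbed on Windows is rather troublesome, so here the system tablespace file was transferred to a Linux host, bbed was compiled on Linux, and the damaged file was finally repaired there.

Compiling bbed

        bbed can be compiled on Linux first. Before compiling, the library files have to be extracted from the 10G installation media (because from 11g onward the installation directory no longer includes these files). The extraction goes as follows: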

[root@centos7 ~]# su - ora10G
Last login: Sun Apr  7 11:11:51 CST 2024 on pts/2
[ora10G@centos7 ~]$ cd database
[ora10G@centos7 database]$ for jar in $(find . -type f -name "*.jar"|grep rdbms);do
> jar -tvf $jar | grep sbbd && echo $jar
> done
  1863 Sat Sep 17 19:59:24 CST 2005 rdbms/lib/sbbdpt.o
  1191 Sat Sep 17 19:59:28 CST 2005 rdbms/lib/ssbbded.o
./stage/Components/oracle.rdbms/10.2.0.1.0/1/DataFiles/filegroup33.jar
  3043 Thu Sep 08 03:43:08 CST 2005 rdbms/lib32/sbbdpt.o
  2721 Thu Sep 08 03:43:08 CST 2005 rdbms/lib32/ssbbded.o
./stage/Components/oracle.rdbms.hybrid/10.2.0.1.0/1/DataFiles/filegroup1.jar
[ora10G@centos7 database]$ ls
doc  install  response  runInstaller  stage  welcome.html
[ora10G@centos7 database]$ jar -xvf ./stage/Components/oracle.rdbms/10.2.0.1.0/1/DataFiles/filegroup33.jar
 inflated: rdbms/lib/dmndm.o
 inflated: rdbms/lib/dmndmse.o
 inflated: rdbms/lib/hoaoci.o
 inflated: rdbms/lib/hoat.o
 inflated: rdbms/lib/hoax.o
 inflated: rdbms/lib/homts.o
 inflated: rdbms/lib/horm.o
 inflated: rdbms/lib/hormc.o
 inflated: rdbms/lib/hormd.o
 inflated: rdbms/lib/hormt.o
 inflated: rdbms/lib/hout.o
 inflated: rdbms/lib/hsxaora.o
 inflated: rdbms/lib/jox.o
 inflated: rdbms/lib/joxoff.o
 inflated: rdbms/lib/kciwcx.o
 inflated: rdbms/lib/kcsm.o
 inflated: rdbms/lib/kfod.o
 inflated: rdbms/lib/kkxntp.o
 inflated: rdbms/lib/kkxwtp.o
 inflated: rdbms/lib/kopc.o
 inflated: rdbms/lib/kprnts.o
 inflated: rdbms/lib/kprwts.o
 inflated: rdbms/lib/kpucb.o
 inflated: rdbms/lib/ksms.o
 inflated: rdbms/lib/ksnkcs.o
 inflated: rdbms/lib/ksnktd.o
 inflated: rdbms/lib/ksnnni.o
 inflated: rdbms/lib/ksnnt2.o
 inflated: rdbms/lib/ktd.o
 inflated: rdbms/lib/kzlnlbac.o
 inflated: rdbms/lib/libknlopt.a
 inflated: rdbms/lib/libperfsrv10.a
 inflated: rdbms/lib/libdsga10.a
 inflated: rdbms/lib/libskgxns.a
 inflated: rdbms/lib/libodm10.a
 inflated: rdbms/lib/libqsmashr.a
 inflated: rdbms/lib/opimai.o
 inflated: rdbms/lib/s0kudbv.o
 inflated: rdbms/lib/s0kuzr.o
 inflated: rdbms/lib/sbbdpt.o
 inflated: rdbms/lib/shou.o
 inflated: rdbms/lib/shorm.o
 inflated: rdbms/lib/skfedpt.o
 inflated: rdbms/lib/skfodpt.o
 inflated: rdbms/lib/skrspt.o
 inflated: rdbms/lib/ssbbded.o
 inflated: rdbms/lib/sskfeded.o
 inflated: rdbms/lib/sskfoded.o
 inflated: rdbms/lib/sskrned.o
 inflated: rdbms/lib/sskrsed.o
 inflated: rdbms/lib/ssoraed.o
 inflated: rdbms/lib/sstrced.o
 inflated: rdbms/lib/strcpt.o
 inflated: rdbms/lib/ttcoerr.o
 inflated: rdbms/lib/ttcsoi.o
 inflated: rdbms/lib/xsnoolap.o
 inflated: rdbms/lib/genksms.o
[ora10G@centos7 database]$ ls
doc  install  rdbms  response  runInstaller  stage  welcome.html
[ora10G@centos7 database]$ cp rdbms/lib/sbbdpt.o ..
[ora10G@centos7 database]$ cp rdbms/lib/ssbbded.o ..
[ora10G@centos7 database]$ cd ..
[ora10G@centos7 ~]$ cd database
[ora10G@centos7 database]$ for jar in $(find . -type f -name "*.jar"|grep rdbms);do
> jar -tvf $jar | grep bbedus && echo $jar
> done
  8704 Fri Sep 09 09:46:10 CST 2005 rdbms/mesg/bbedus.msb
 10270 Tue Jul 25 19:32:00 CST 2000 rdbms/mesg/bbedus.msg
./stage/Components/oracle.rdbms.util/10.2.0.

        Once the extraction is complete, the detailed compilation steps are as follows:

[root@centos7 ora10G]# cp sbbdpt.o ssbbded.o  /u01/app/oracle/product/11.2.0/db_1/rdbms/lib/
[root@centos7 ora10G]# chown oracle:oinstall /u01/app/oracle/product/11.2.0/db_1/rdbms/lib/sbbdpt.o 
[root@centos7 ora10G]# chown oracle:oinstall /u01/app/oracle/product/11.2.0/db_1/rdbms/lib/ssbbded.o 
[root@centos7 ora10G]# chown oracle:oinstall bbedus.ms*
[root@centos7 ora10G]# cp bbedus.ms* /u01/app/oracle/product/11.2.0/db_1/rdbms/mesg/
[root@centos7 ora10G]# su - oracle
Last login: Sun Apr  7 11:22:14 CST 2024 on pts/0
[oracle@centos7 ~]$ make -f $ORACLE_HOME/rdbms/lib/ins_rdbms.mk BBED=$ORACLE_HOME/bin/bbed $ORACLE_HOME/bin/bbed

Linking BBED utility (bbed)
rm -f /u01/app/oracle/product/11.2.0/db_1/bin/bbed
gcc -o /u01/app/oracle/product/11.2.0/db_1/bin/bbed -m64 -z noexecstack -L/u01/app/oracle/product/11.2.0/db_1/rdbms/lib/ -L/u01/app/oracle/product/11.2.0/db_1/lib/ -L/u01/app/oracle/product/11.2.0/db_1/lib/stubs/  /u01/app/oracle/product/11.2.0/db_1/lib/s0main.o /u01/app/oracle/product/11.2.0/db_1/rdbms/lib/ssbbded.o /u01/app/oracle/product/11.2.0/db_1/rdbms/lib/sbbdpt.o `cat /u01/app/oracle/product/11.2.0/db_1/lib/ldflags`    -lncrypt11 -lnsgr11 -lnzjs11 -ln11 -lnl11 -ldbtools11 -lclntsh  `cat /u01/app/oracle/product/11.2.0/db_1/lib/ldflags`    -lncrypt11 -lnsgr11 -lnzjs11 -ln11 -lnl11 -lnro11 `cat /u01/app/oracle/product/11.2.0/db_1/lib/ldflags`    -lncrypt11 -lnsgr11 -lnzjs11 -ln11 -lnl11 -lnnz11 -lzt11 -lztkg11 -lclient11 -lnnetd11  -lvsn11 -lcommon11 -lgeneric11 -lmm -lsnls11 -lnls11  -lcore11 -lsnls11 -lnls11 -lcore11 -lsnls11 -lnls11 -lxml11 -lcore11 -lunls11 -lsnls11 -lnls11 -lcore11 -lnls11 `cat /u01/app/oracle/product/11.2.0/db_1/lib/ldflags`    -lncrypt11 -lnsgr11 -lnzjs11 -ln11 -lnl11 -lnro11 `cat /u01/app/oracle/product/11.2.0/db_1/lib/ldflags`    -lncrypt11 -lnsgr11 -lnzjs11 -ln11 -lnl11 -lclient11 -lnnetd11  -lvsn11 -lcommon11 -lgeneric11   -lsnls11 -lnls11  -lcore11 -lsnls11 -lnls11 -lcore11 -lsnls11 -lnls11 -lxml11 -lcore11 -lunls11 -lsnls11 -lnls11 -lcore11 -lnls11 -lclient11 -lnnetd11  -lvsn11 -lcommon11 -lgeneric11 -lsnls11 -lnls11  -lcore11 -lsnls11 -lnls11 -lcore11 -lsnls11 -lnls11 -lxml11 -lcore11 -lunls11 -lsnls11 -lnls11 -lcore11 -lnls11   `cat /u01/app/oracle/product/11.2.0/db_1/lib/sysliblist` -Wl,-rpath,/u01/app/oracle/product/11.2.0/db_1/lib -lm    `cat /u01/app/oracle/product/11.2.0/db_1/lib/sysliblist` -ldl -lm   -L/u01/app/oracle/product/11.2.0/db_1/lib
[oracle@centos7 ~]$ 


[oracle@server1 ~]$ bbed
Password: blockedit     //default password
BBED: Release 2.0.0.0.0 - Limited Production on Wed Jul 29 23:46:35 2020
Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
************* !!! For Oracle Internal Use only !!! ***************
BBED> 
Configuring bbed
#Note: file 1 is the damaged file, and file 18 is a healthy file from the same platform
[oracle@centos7 hf]$ cat par.bbed
blocksize=8192
listfile=bbedfile.txt
mode=edit
PASSWORD=blockedit
[oracle@centos7 hf]$ cat cmd.par
set count 64
set width 160
[oracle@centos7 hf]$ cat bbedfile.txt 
1	/home/oracle/hf/SYSTEM01.DBF
18	/home/oracle/hf/O1_MF_SYSTEM_M14J9X0K_.DBF
A quick look
[oracle@centos7 hf]$ bbed parfile=par.bbed

BBED: Release 2.0.0.0.0 - Limited Production on Mon Apr 8 10:29:09 2024

Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.

************* !!! For Oracle Internal Use only !!! ***************

BBED> show all
	FILE#          	1
	BLOCK#         	1
	OFFSET         	0
	DBA            	0x00400001 (4194305 1,1)
	FILENAME       	/home/oracle/hf/SYSTEM01.DBF
	BIFILE         	bifile.bbd
	LISTFILE       	bbedfile.txt
	BLOCKSIZE      	8192
	MODE           	Edit
	EDIT           	Unrecoverable
	IBASE          	Dec
	OBASE          	Dec
	WIDTH          	80
	COUNT          	512
	LOGFILE        	log.bbd
	SPOOL          	No

BBED> info 
 File#  Name                                                        Size(blks)
 -----  ----                                                        ----------
     1  /home/oracle/hf/SYSTEM01.DBF                                         0
    18  /home/oracle/hf/O1_MF_SYSTEM_M14J9X0K_.DBF                           0

BBED> 
Replacing blocks with bbed:

Generating the batch script:

Before doing this replacement, be sure to keep a copy of the original failed system file!!!


SQL> SELECT DISTINCT 'copy file 18 block ' || block_id || ' to file ' || FILE_ID ||
  2                  ' block ' || BLOCK_ID
  3    FROM (SELECT a.OBJ#,
  4                 TAB#,
  5                 a.DATAOBJ#,
  6                 BOBJ#,
  7                 NAME,
  8                 DBMS_ROWID.ROWID_RELATIVE_FNO(a.ROWID) FILE_ID,
  9                 DBMS_ROWID.ROWID_BLOCK_NUMBER(a.ROWID) BLOCK_ID
 10            FROM TAB$ a, obj$ b
 11           WHERE a.obj# = b.obj#
 12             AND A.OBJ# IN (10,
 13                    101,
 14                    103,
 15                    104,
 16                    105,
 17                    118,
 18                    12939,
 19                    1297,
 20                    12973,
 21                    1300,
 22                    13003,
 23                    1302,
 24                    1304,
 25                    13059,
 26                    1306,
 27                    1307,
 28                    1309,
 29                    1314,
 30                    13273,
 31                    13298,
 32                    13604,
 33                    14,
 34                    14137,
 35                    15,
 36                    16,
 37                    160,
 38                    161,
 39                    17,
 40                    18,
 41                    19,
 42                    192,
 43                    2,
 44                    20,
 45                    21,
 46                    22,
 47                    221,
 48                    222,
 49                    223,
 50                    225,
 51                    226,
 52                    227,
 53                    228,
 54                    23,
 55                    246,
 56                    248,
 57                    25,
 58                    250,
 59                    252,
 60                    28,
 61                    29,
 62                    294,
 63                    297,
 64                    300,
 65                    301,
 66                    302,
 67                    304,
 68                    307,
 69                    31,
 70                    311,
 71                    32,
 72                    375,
 73                    390,
 74                    4,
 75                    433,
 76                    436,
 77                    438,
 78                    446,
 79                    448,
 80                    451,
 81                    453,
 82                    455,
 83                    463,
 84                    5,
 85                    506,
 86                    514,
 87                    515,
 88                    517,
 89                    5541,
 90                    5582,
 91                    567,
 92                    5780,
 93                    5794,
 94                    5797,
 95                    5804,
 96                    5814,
 97                    587,
 98                    59,
 99                    6,
100                    61,
101                    6571,
102                    6731,
103                    68,
104                    68829,
105                    69,
106                    713,
107                    7144,
108                    717,
109                    721,
110                    74,
111                    75315,
112                    8,
113                    80,
114                    80591,
115                    83,
116                    83746,
117                    86,
118                    87892,
119                    87898,
120                    88,
121                    92,
122                    95,
123                    98,
124                    99))
125   order by 1;

'COPYFILE18BLOCK'||BLOCK_ID||'TOFILE'||FILE_ID||'BLOCK'||BLOCK_ID
-----------------------------------------------------------------------------------------------------------------------------------------------------------
copy file 18 block 13332 to file 1 block 13332
copy file 18 block 13344 to file 1 block 13344
copy file 18 block 13367 to file 1 block 13367
copy file 18 block 145 to file 1 block 145
copy file 18 block 146 to file 1 block 146
copy file 18 block 147 to file 1 block 147
copy file 18 block 148 to file 1 block 148
copy file 18 block 149 to file 1 block 149
copy file 18 block 150 to file 1 block 150
copy file 18 block 152 to file 1 block 152
copy file 18 block 153 to file 1 block 153
copy file 18 block 154 to file 1 block 154
copy file 18 block 155 to file 1 block 155
copy file 18 block 156 to file 1 block 156
copy file 18 block 158 to file 1 block 158
copy file 18 block 159 to file 1 block 159
copy file 18 block 160 to file 1 block 160
copy file 18 block 163 to file 1 block 163
copy file 18 block 165 to file 1 block 165
copy file 18 block 166 to file 1 block 166
copy file 18 block 167 to file 1 block 167
copy file 18 block 22500 to file 1 block 22500
copy file 18 block 22503 to file 1 block 22503
copy file 18 block 22505 to file 1 block 22505
copy file 18 block 22508 to file 1 block 22508
copy file 18 block 22517 to file 1 block 22517
copy file 18 block 22518 to file 1 block 22518
copy file 18 block 31491 to file 1 block 31491
copy file 18 block 31513 to file 1 block 31513
copy file 18 block 31548 to file 1 block 31548
copy file 18 block 3337 to file 1 block 3337
copy file 18 block 3339 to file 1 block 3339
copy file 18 block 3341 to file 1 block 3341
copy file 18 block 4396 to file 1 block 4396
copy file 18 block 66099 to file 1 block 66099
copy file 18 block 74445 to file 1 block 74445
copy file 18 block 78077 to file 1 block 78077
copy file 18 block 7913 to file 1 block 7913
copy file 18 block 94349 to file 1 block 94349
copy file 18 block 9951 to file 1 block 9951
copy file 18 block 9953 to file 1 block 9953
copy file 18 block 9962 to file 1 block 9962
copy file 18 block 9964 to file 1 block 9964

已选择43行。

Edit the parfile and run it in batch:


bbed parfile=/home/oracle/hf/par.bbed cmdfile=/home/oracle/hf/copy_bbed.txt

sum apply    --remember to run sum apply once execution has finished

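Reversing the delete FLAG with BBED

        Sometimes row migration or deferred transactions may have occurred in certain blocks at the time of the failure, so the method above does not work: even after finding a system file from the same platform and replacing the blocks at the same positions, opening the database still produces a pile of errors, and carrying on from there is even more troublesome.

        In that case we can locate the records by the flag that marks deletion. The flag of a deleted (delete) row is generally 0x3c.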

SQL> conn /as sysdba
Connected.
SQL> alter system dump datafile 5 block 3252;

System altered.

SQL> oradebug setmypid
Statement processed.
SQL> oradebug tracefile_name
/u01/app/oracle/admin/orcl/udump/orcl_ora_6106.trc
SQL>!more /u01/app/oracle/admin/orcl/udump/orcl_ora_6106.trc


---The row information is as follows
block_row_dump:
tab 0, row 0, @0x1db0
tl: 8 fb: --H-FL-- lb: 0x0  cc: 2
col  0: [ 1]  80
col  1: [ 2]  79 79
tab 0, row 1, @0x1db8
tl: 8 fb: --H-FL-- lb: 0x0  cc: 2
col  0: [ 1]  80
col  1: [ 2]  79 79
tab 0, row 2, @0x1dc0
tl: 8 fb: --H-FL-- lb: 0x0  cc: 2
col  0: [ 1]  80
col  1: [ 2]  79 79
tab 0, row 3, @0x1dc8
........
........
tab 0, row 332, @0x152f          --record 332
tl: 9 fb: --H-FL-- lb: 0x2  cc: 2
col  0: [ 2]  c1 02
col  1: [ 2]  78 7a              --the name value of record 332, 78 7a, is 'xz'
end_of_block_dump


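Note the fb: --H-FL-- here. It has 8 options, each corresponding to a bit in the bitmask.

If a row has not been deleted, its flag is shown as --H-FL--. The letters are the initials of the attributes. The corresponding value is 32 + 8 + 4 = 44, or 0x2c.

If a row has been deleted, its flag is shown as --HDFL--. The deleted bit in the bitmask is set to 16. The corresponding value is 32 + 16 + 8 + 4 = 60, or 0x3c.

        Knowing this, the next step is to limit the set of blocks that need scanning, find the offsets of all records that match the "delete flag" pattern, and finally reverse the change with bbed.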
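
Added example (not from the original post): a Python parser that reads `block_row_dump` text in the layout shown above, converts each `fb:` string to its flag byte, and lists the rows whose deleted bit is set together with the value the flag has once that bit is cleared. It goes beyond the two cases in the text by decoding all eight flag letters; the sample dump is constructed, the function names are illustrative, and the `@0x…` value is reported as printed rather than converted to a bbed offset.

```python
import re

# Flag letters in the order the dump prints them, from bit 0x80 down to 0x01:
# K cluster key, C cluster table member, H head of row piece, D deleted,
# F first data piece, L last data piece, P first column continues from the
# previous piece, N last column continues in the next piece.
FLAG_LETTERS = "KCHDFLPN"
DELETED = 0x10

ROW_RE = re.compile(r"^tab (\d+), row (\d+), @0x([0-9a-fA-F]+)")
FB_RE = re.compile(r"^tl: (\d+) fb: ([-A-Z]{8}) lb:")


def decode_fb(fb):
    """Convert an 8-character fb string such as '--HDFL--' to its byte value."""
    if len(fb) != len(FLAG_LETTERS):
        raise ValueError(f"fb must be 8 characters: {fb!r}")
    value = 0
    for i, (ch, letter) in enumerate(zip(fb, FLAG_LETTERS)):
        if ch == letter:
            value |= 0x80 >> i
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} in fb {fb!r}")
    return value


def parse_rows(dump_text):
    """Return one dict per row that has both a 'tab' line and a 'tl' line."""
    rows, pending = [], None
    for raw in dump_text.splitlines():
        line = raw.strip()
        m = ROW_RE.match(line)
        if m:
            # A header with no 'tl:' line after it (elided dump) is dropped
            # when the next header replaces it.
            pending = {"tab": int(m.group(1)), "row": int(m.group(2)),
                       "at": int(m.group(3), 16)}
            continue
        m = FB_RE.match(line)
        if m and pending is not None:
            flag = decode_fb(m.group(2))
            pending.update(fb=m.group(2), flag=flag,
                           deleted=bool(flag & DELETED),
                           flag_without_delete=flag & ~DELETED)
            rows.append(pending)
            pending = None
    return rows


def deleted_rows(dump_text):
    return [r for r in parse_rows(dump_text) if r["deleted"]]


# Constructed sample in the layout of the block_row_dump shown above.
SAMPLE_DUMP = """\
tab 0, row 0, @0x1db0
tl: 8 fb: --H-FL-- lb: 0x0  cc: 2
tab 0, row 1, @0x1db8
tl: 2 fb: --HDFL-- lb: 0x2
tab 0, row 2, @0x1dc0
........
tab 0, row 3, @0x1dc8
tl: 2 fb: -CHDFL-- lb: 0x2
end_of_block_dump
"""

if __name__ == "__main__":
    for r in deleted_rows(SAMPLE_DUMP):
        print(f"tab {r['tab']} row {r['row']} @0x{r['at']:x} {r['fb']} "
              f"0x{r['flag']:02x} -> 0x{r['flag_without_delete']:02x}")
```
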

Determining the blocks to scan:

Generally, start from dba 1,144.

Reverse modification with bbed:

$head recovery.txt

Before making this modification, be sure to keep a copy of the original failed system file!!!


assign /x dba 4194449 offset 7833 = 0x5c
assign /x dba 4194449 offset 7745 = 0x5c
assign /x dba 4194449 offset 7632 = 0x5c
assign /x dba 4194449 offset 7512 = 0x5c
assign /x dba 4194449 offset 7378 = 0x5c
assign /x dba 4194449 offset 7266 = 0x5c
assign /x dba 4194449 offset 7138 = 0x5c
assign /x dba 4194450 offset 5678 = 0x5c
assign /x dba 4194450 offset 7882 = 0x5c
assign /x dba 4194450 offset 7790 = 0x5c

        

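Finally, open the database, export the users' business data, and then rebuild.

Summary:

1. Strictly control installation media; do not pick up installation packages of unknown origin from the internet.

2. Take regular backups, both logical and physical.

3. Give even single systems high availability, using DG or OGG logical replication.

4. After a disaster, preserve the scene immediately, do not cause secondary damage with careless operations, and contact professionals promptly for emergency help.

For more repair information, contact WeChat: W15938793583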
