Recovery from helpservis@horsefucker.org encryption

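Recently, a large number of servers in a customer environment were infected by a virus like the one described here. The contact e-mail it leaves is helpservis@horsefucker.org; each machine is given a different id, and that id is used as the file extension.

Opening a file in a hex viewer shows that the file header has been destroyed.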

Further analysis shows that a large number of blocks in the file are still undamaged.

Based on this analysis, we can recover databases (SQL Server, Oracle, etc.) encrypted by this virus close to perfectly.
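
As an added illustration (not code from the original post), the observation above that the header is destroyed while many blocks survive can be checked with a per-block entropy map run over a copy of the file. The 8 KB block size, the 7.5 bits/byte threshold and the sample data are assumptions constructed for this example.

```python
import math
import os
from collections import Counter

BLOCK_SIZE = 8192      # assumption: 8 KB database block/page size
ENCRYPTED_BITS = 7.5   # assumption: entropy threshold in bits per byte


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    total = len(block)
    return -sum(n / total * math.log2(n / total) for n in Counter(block).values())


def classify(block: bytes) -> str:
    """Label one block as zeroed, likely encrypted, or plausibly intact."""
    if block.count(0) == len(block):
        return "zeroed"
    return "encrypted" if shannon_entropy(block) >= ENCRYPTED_BITS else "intact"


def damage_map(data: bytes, block_size: int = BLOCK_SIZE):
    """Return runs of equally labelled blocks: [(first, last, label), ...]."""
    runs = []
    for offset in range(0, len(data), block_size):
        label = classify(data[offset:offset + block_size])
        idx = offset // block_size
        if runs and runs[-1][2] == label:
            runs[-1] = (runs[-1][0], idx, label)   # extend the current run
        else:
            runs.append((idx, idx, label))
    return runs


def build_sample() -> bytes:
    """Constructed sample: 2 random blocks standing in for an encrypted
    header, 5 structured blocks, 1 zero-filled block."""
    row = b"ID=0000001|NAME=CUSTOMER|CITY=SHANGHAI|STATUS=ACTIVE\n"
    structured = (row * (BLOCK_SIZE // len(row) + 1))[:BLOCK_SIZE]
    return os.urandom(2 * BLOCK_SIZE) + structured * 5 + bytes(BLOCK_SIZE)


if __name__ == "__main__":
    for first, last, label in damage_map(build_sample()):
        print(f"blocks {first}-{last}: {label}")
```

Compressed or legitimately encrypted data also scores as high entropy, so the map is a triage aid for sizing the damaged region, not proof of which blocks were touched.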

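For this kind of database encryption we can decrypt the files directly, and the database is usually usable immediately after recovery. If needed, contact us for low-level recovery: Phone: 17813235971    QQ: 107644445    E-Mail: dba@xifenfei.com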

Oracle 19c patching fails because the fuser command is missing

Applying the latest patch to an Oracle 19.3 database fails with an error

[oracle@www.xifenfei.com 30125133]$ opatch apply ./
Oracle Interim Patch Installer version 12.2.0.1.18
Copyright (c) 2019, Oracle Corporation.  All rights reserved.
Oracle Home       : /u01/app/oracle/product/19.0/db_1
Central Inventory : /u01/app/oraInventory
   from           : /u01/app/oracle/product/19.0/db_1/oraInst.loc
OPatch version    : 12.2.0.1.18
OUI version       : 12.2.0.7.0
Log file location : /u01/app/oracle/product/19.0/db_1/cfgtoollogs/opatch/opatch2019-12-16_08-00-53AM_1.log

Analyzing the log

Verifying environment and performing prerequisite checks...
Prerequisite check "CheckSystemCommandAvailable" failed.
The details are:
Missing command :fuser
UtilSession failed:
Prerequisite check "CheckSystemCommandAvailable" failed.
Log file location: /u01/app/oracle/product/19.0/db_1/cfgtoollogs/opatch/opatch2019-12-16_08-00-53AM_1.log
OPatch failed with error code 73
[Dec 16, 2019 8:00:57 AM] [INFO]    Following patches can be applied:  30125133
[Dec 16, 2019 8:00:57 AM] [INFO]    Following patches are not required:
[Dec 16, 2019 8:00:57 AM] [INFO]    Following patches are auto rollbackable:
[Dec 16, 2019 8:00:57 AM] [INFO]    Finished checking prereq checkConflictAgainstOHWithDetail
[Dec 16, 2019 8:00:58 AM] [INFO]    Running prerequisite checks...
[Dec 16, 2019 8:00:58 AM] [INFO]    Space Needed : 3052.647MB
[Dec 16, 2019 8:00:58 AM] [INFO]    Missing command :fuser
[Dec 16, 2019 8:00:58 AM] [INFO]    Prerequisite check "CheckSystemCommandAvailable" failed.
                                    The details are:
                                    Missing command :fuser
[Dec 16, 2019 8:00:58 AM] [SEVERE]  OUI-67073:UtilSession failed:
                                    Prerequisite check "CheckSystemCommandAvailable" failed.

It is fairly certain that CheckSystemCommandAvailable fails because the fuser command is not present. The fix is to install the package that provides it.

[root@www.xifenfei.com tmp]# yum search fuser
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
==================================== Matched: fuser ===========================
psmisc.x86_64 : Utilities for managing processes on your system
[root@www.xifenfei.com tmp]#
[root@www.xifenfei.com tmp]# mount /dev/cdrom /media/ -o loop
[root@www.xifenfei.com tmp]# yum install -y psmisc
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
rhel-yum                       | 4.3 kB  00:00:00
Resolving Dependencies
--> Running transaction check
---> Package psmisc.x86_64 0:22.20-15.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================================
 Package                    Arch              Version                    Repository     Size
=============================================================================================
Installing:
 psmisc                     x86_64            22.20-15.el7               rhel-yum      141 k
Transaction Summary
=============================================================================================
Install  1 Package
Total download size: 141 k
Installed size: 475 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : psmisc-22.20-15.el7.x86_64          1/1
  Verifying  : psmisc-22.20-15.el7.x86_64          1/1
Installed:
  psmisc.x86_64 0:22.20-15.el7
Complete!

Apply the patch again

[oracle@www.xifenfei.com 30125133]$ opatch apply ./
Oracle Interim Patch Installer version 12.2.0.1.18
Copyright (c) 2019, Oracle Corporation.  All rights reserved.
Oracle Home       : /u01/app/oracle/product/19.0/db_1
Central Inventory : /u01/app/oraInventory
   from           : /u01/app/oracle/product/19.0/db_1/oraInst.loc
OPatch version    : 12.2.0.1.18
OUI version       : 12.2.0.7.0
Log file location : /u01/app/oracle/product/19.0/db_1/cfgtoollogs/opatch/opatch2019-12-16_08-08-44AM_1.log
Verifying environment and performing prerequisite checks...
OPatch continues with these patches:   30125133
Do you want to proceed? [y|n]
y
User Responded with: Y
All checks passed.
Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = '/u01/app/oracle/product/19.0/db_1')
Is the local system ready for patching? [y|n]
y
User Responded with: Y
Backing up files...
Applying interim patch '30125133' to OH '/u01/app/oracle/product/19.0/db_1'
ApplySession: Optional component(s) [ oracle.network.gsm, 19.0.0.0.0 ],[ oracle.rdbms.ic, 19.0.0.0.0 ],
[ oracle.network.cman, 19.0.0.0.0 ],[ oracle.net.cman, 19.0.0.0.0 ],[ oracle.options.olap.awm, 19.0.0.0.0],
[ oracle.oraolap.mgmt, 19.0.0.0.0 ],[ oracle.assistants.usm, 19.0.0.0.0 ],[ oracle.assistants.asm, 19.0.0.0.0],
[ oracle.tfa, 19.0.0.0.0 ]  not present in the Oracle Home or a higher version is found.
Patching component oracle.rdbms, 19.0.0.0.0...
Patching component oracle.rdbms.rsf, 19.0.0.0.0...
Patching component oracle.assistants.acf, 19.0.0.0.0...
Patching component oracle.assistants.deconfig, 19.0.0.0.0...
Patching component oracle.assistants.server, 19.0.0.0.0...
Patching component oracle.buildtools.rsf, 19.0.0.0.0...
Patching component oracle.ctx, 19.0.0.0.0...
Patching component oracle.ldap.rsf, 19.0.0.0.0...
Patching component oracle.network.rsf, 19.0.0.0.0...
Patching component oracle.rdbms.dbscripts, 19.0.0.0.0...
Patching component oracle.sdo, 19.0.0.0.0...
Patching component oracle.sqlplus, 19.0.0.0.0...
Patching component oracle.ldap.rsf.ic, 19.0.0.0.0...
Patching component oracle.rdbms.rman, 19.0.0.0.0...
Patching component oracle.ctx.atg, 19.0.0.0.0...
Patching component oracle.rdbms.oci, 19.0.0.0.0...
Patching component oracle.rdbms.util, 19.0.0.0.0...
Patching component oracle.xdk, 19.0.0.0.0...
Patching component oracle.ovm, 19.0.0.0.0...
Patching component oracle.network.listener, 19.0.0.0.0...
Patching component oracle.rdbms.install.plugins, 19.0.0.0.0...
Patching component oracle.dbjava.jdbc, 19.0.0.0.0...
Patching component oracle.dbdev, 19.0.0.0.0...
Patching component oracle.rdbms.deconfig, 19.0.0.0.0...
Patching component oracle.nlsrtl.rsf, 19.0.0.0.0...
Patching component oracle.oraolap.dbscripts, 19.0.0.0.0...
Patching component oracle.install.deinstalltool, 19.0.0.0.0...
Patching component oracle.dbjava.ic, 19.0.0.0.0...
Patching component oracle.sdo.locator, 19.0.0.0.0...
Patching component oracle.rdbms.scheduler, 19.0.0.0.0...
Patching component oracle.rdbms.dv, 19.0.0.0.0...
Patching component oracle.ons, 19.0.0.0.0...
Patching component oracle.ldap.security.osdt, 19.0.0.0.0...
Patching component oracle.ctx.rsf, 19.0.0.0.0...
Patching component oracle.duma, 19.0.0.0.0...
Patching component oracle.ldap.owm, 19.0.0.0.0...
Patching component oracle.oracore.rsf, 19.0.0.0.0...
Patching component oracle.rdbms.install.seeddb, 19.0.0.0.0...
Patching component oracle.odbc, 19.0.0.0.0...
Patching component oracle.sdo.locator.jrf, 19.0.0.0.0...
Patching component oracle.network.client, 19.0.0.0.0...
Patching component oracle.sqlplus.ic, 19.0.0.0.0...
Patching component oracle.dbjava.ucp, 19.0.0.0.0...
Patching component oracle.xdk.rsf, 19.0.0.0.0...
Patching component oracle.marvel, 19.0.0.0.0...
Patching component oracle.xdk.parser.java, 19.0.0.0.0...
Patching component oracle.rdbms.rsf.ic, 19.0.0.0.0...
Patching component oracle.nlsrtl.rsf.core, 19.0.0.0.0...
Patching component oracle.precomp.common, 19.0.0.0.0...
Patching component oracle.precomp.lang, 19.0.0.0.0...
Patch 30125133 successfully applied.
Sub-set patch [29517242] has become inactive due to the application of a super-set patch [30125133].
Please refer to Doc ID 2161861.1 for any possible further required actions.
Log file location: /u01/app/oracle/product/19.0/db_1/cfgtoollogs/opatch/opatch2019-12-16_08-08-44AM_1.log
OPatch succeeded.
[oracle@www.xifenfei.com 30128191]$ opatch apply ./
Oracle Interim Patch Installer version 12.2.0.1.18
Copyright (c) 2019, Oracle Corporation.  All rights reserved.
Oracle Home       : /u01/app/oracle/product/19.0/db_1
Central Inventory : /u01/app/oraInventory
   from           : /u01/app/oracle/product/19.0/db_1/oraInst.loc
OPatch version    : 12.2.0.1.18
OUI version       : 12.2.0.7.0
Log file location : /u01/app/oracle/product/19.0/db_1/cfgtoollogs/opatch/opatch2019-12-16_08-12-44AM_1.log
Verifying environment and performing prerequisite checks...
OPatch continues with these patches:   30128191
Do you want to proceed? [y|n]
y
User Responded with: Y
All checks passed.
Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = '/u01/app/oracle/product/19.0/db_1')
Is the local system ready for patching? [y|n]
y
User Responded with: Y
Backing up files...
Applying interim patch '30128191' to OH '/u01/app/oracle/product/19.0/db_1'
Patching component oracle.javavm.server, 19.0.0.0.0...
Patching component oracle.javavm.server.core, 19.0.0.0.0...
Patching component oracle.rdbms.dbscripts, 19.0.0.0.0...
Patching component oracle.rdbms, 19.0.0.0.0...
Patch 30128191 successfully applied.
Log file location: /u01/app/oracle/product/19.0/db_1/cfgtoollogs/opatch/opatch2019-12-16_08-12-44AM_1.log
OPatch succeeded.

Confirm that the patches were installed successfully

[oracle@www.xifenfei.com 30128191]$ opatch lspatches
30128191;OJVM RELEASE UPDATE: 19.5.0.0.191015 (30128191)
30125133;Database Release Update : 19.5.0.0.191015 (30125133)
29585399;OCW RELEASE UPDATE 19.3.0.0.0 (29585399)
OPatch succeeded.

MOS also has a similar article for reference: Prerequisite check “CheckSystemCommandAvailable” failed (Doc ID 1581604.1)

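Recovering a database deleted by dbca or by rm

Databases do get deleted by mistake from time to time; I have seen databases deleted in error with dbca and data files removed with rm. There were two such recovery requests recently. The first was on Windows: dbca was supposed to delete a test database, but the wrong one was selected and the production database was deleted. After the mistake the disk was not unmounted promptly and some writes took place; the person involved tried various undelete tools and managed to recover only some of the files, with all the core files lost. The second was on Linux: rm -rf removed the entire oracle directory, which also contained all the data files; fortunately there were no writes afterwards.

In the dbca case the customer had already tried undelete software with poor results, so we scanned the disk directly at the low level and recovered the data needed.

A few files had a small number of blocks overwritten, and the customer only needed some of the core tables, so we used dul to extract the required data directly, completing the recovery.

For the customer who had removed all the data files with rm, we ran an undelete with extundelete (see: Recovering deleted Linux files with extundelete). Because the file handles were lost, several data files failed to recover. With low-level recovery on the Linux platform, the required data files were recovered completely and the database opened normally, a complete recovery.

For this kind of deletion, be sure to preserve the scene: do not write again to the partition that held the data files, and keep overwriting to a minimum. In theory, as long as the data files are still on disk, they can be recovered. If you have a recovery need involving mistakenly deleted database files or a damaged file system and cannot resolve it yourself, contact us for low-level recovery: Phone: 17813235971    QQ: 107644445    E-Mail: dba@xifenfei.com
Similar recovery cases:
Another case of recovering an ASM disk formatted as a file system
Recovering data files damaged by file system corruption
Recovering Oracle data files that are 0 KB in size or missing
Oracle ASM disk format recovery: formatted as an NTFS file system
Oracle ASM disk format recovery: formatted as an ext4 file system
Recovery from ORA-15042: ASM disk “N” is missing from group number “M”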

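SQL Server truncate table recovery

In essence, a SQL Server truncate works much like Oracle's: the actual data is still on disk, and whatever has not been overwritten can still be recovered through low-level analysis. The recovery went roughly as follows; the original table held 4605 records.

Truncate the table.

Run the recovery, which parses out INSERT statements for the truncated table.

After inserting the data, verify the result.

With this, we can support recovery of truncated tables in SQL Server databases; in theory, any data that has not been overwritten can be recovered.
When your SQL Server database has lost data through a mistaken operation and you cannot resolve it yourself, contact us for professional SQL Server database recovery support
Phone/WeChat: 17813235971    QQ: 107644445    E-Mail: dba@xifenfei.com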

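SQL Server delete recovery

A SQL Server delete is also essentially similar to Oracle's, and there are two ways to recover from it: 1. parse the SQL Server log directly; 2. read the mdf/ndf files directly and find the records marked as deleted. When the log is available, log analysis locates the records more precisely (records found by their delete mark may not belong to this particular delete operation). Here is a simple recovery walk-through on a SQL Server table with 83 records.

Delete the records with a delete operation.

Run the recovery analysis, which generates INSERT statements directly; insert them back into the database.

We can also generate the corresponding redo/undo SQL statements as needed.

With this analysis, we can recover data lost to a mistaken SQL Server delete fairly completely.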

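SQL Server drop table recovery

After a SQL Server drop table the data is essentially still on disk and, as with Oracle, can be recovered with low-level techniques. The following tests the recovery of a dropped table.

Back up the table data for a before/after comparison.

Delete the table data.

Recover the data (both the table structure and the table data can be recovered).

Compare the data before and after recovery.

The comparison shows that the data lost to drop table was recovered perfectly.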

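Recovering an encrypted Oracle dmp file

A friend asked for help recovering an Oracle dmp file that had been encrypted.

Analysis of the file shows that the encryption mainly affects the blocks at the head and tail of the file: in every 16 bytes, 8 bytes are zeroed and part is encrypted.

The recovery skips the damaged parts and imports the remaining data directly into the database. A test with show=y confirmed that the data loads normally, achieving perfect recovery of the table data in the dmp file.
When your Oracle dmp is damaged for whatever reason and you cannot resolve it yourself, contact us for professional database recovery support
Phone/WeChat: 17813235971    QQ: 107644445    E-Mail: dba@xifenfei.com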