Contact: mobile/WeChat (+86 17813235971) QQ (107644445)
Author: 惜分飞 © All rights reserved [Not to be reproduced in any form without the author's consent; the author reserves the right to take further legal action.]
Our analysis showed that this ransomware only damaged part of each file, so the great majority of the data can still be recovered.

By working at the block level and skipping the damaged regions, we pull out the data that was never touched.
For this type of encryption we can recover the large majority of the data from SQL Server, MySQL and Oracle databases, restoring almost all business data without paying the attackers a ransom.
We have previously recovered an Oracle database whose dbf files had shrunk to 0 KB (Oracle data file size 0 KB or file lost recovery). This time a customer's host rebooted and the mdf files of a SQL Server database ended up at 0 KB. The customer's own undelete software could not bring them back, so we worked directly on the underlying disk blocks and recovered most of the data (some of the customer's later operations had already overwritten part of it).
The disk partition held several mdf files (several SQL Server databases).

A block-level scan found a large number of this file's blocks that had not yet been overwritten.


Once the mdf file had been rebuilt from those blocks, the table data could be recovered from it.

E-Mail: dba@xifenfei.com provides professional recovery services.
Recently we have seen several MySQL servers where an attacker dropped the business databases and left a bitcoin ransom note in a WARNING table inside each of them:
mysql> desc WARNING;
+-----------------+----------+------+-----+---------+-------+
| Field           | Type     | Null | Key | Default | Extra |
+-----------------+----------+------+-----+---------+-------+
| id              | int(11)  | YES  |     | NULL    |       |
| warning         | longtext | YES  |     | NULL    |       |
| Bitcoin_Address | longtext | YES  |     | NULL    |       |
| Email           | longtext | YES  |     | NULL    |       |
+-----------------+----------+------+-----+---------+-------+
4 rows in set (0.00 sec)

mysql> select * from WARNING;
id:              1
warning:         To recover your lost Database and avoid leaking it: Send us 0.06 Bitcoin (BTC) to our Bitcoin address 1BLYhUDmnmVPVjcTWgc6gFT6DCYwbVieUD and contact us by Email with your Server IP or Domain name and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your Database is downloaded and backed up on our servers. Backups that we have right now: xxxx,xxxxxx,xxxxxxxx,xxxxxxx . If we dont receive your payment in the next 10 Days, we will make your database public or use them otherwise.
Bitcoin_Address: 1BLYhUDmnmVPVjcTWgc6gFT6DCYwbVieUD
Email:           contact@sqldb.to
1 row in set (0.00 sec)
In short: "we have backed up your database; pay us 0.06 BTC and we return it; if we receive nothing within 10 days we publish the database or use it otherwise." From the experience of people who contacted us earlier, paying does not get the database back (most likely the attacker never backed anything up, and simply dropped the databases and demanded bitcoin).
In these cases our analysis confirmed that the attacker simply dropped the databases. As long as the underlying blocks have not been overwritten, the data can be recovered along the lines of MySQL drop database recovery (the same method also applies to MySQL drop table, delete and truncate table), which limits the damage from the destroyed database as far as possible.

If you run into this, preserve the scene: do not import a backup, do not write to the partition holding the data (the better the scene is preserved, the better the recovery result), and take an image of the affected disks to prevent any further damage. We offer professional MySQL recovery to reduce your loss.
Title: .[geerban@email.tg].Devos encrypted database recovery
Another new ransomware strain that encrypts Oracle databases has turned up; the file suffix is: .id[06495F21-2700].[geerban@email.tg].Devos



Stuck at home because of the pandemic, I spent some idle time comparing various SQL Server recovery tools, and the differences surprised me. All of them handled normal tables (one could not display Chinese column names), but on one unusual table some tools showed many columns as empty, some showed a few columns as empty, and only one matched the real data. Since these are commercial products I will not name them and will let the screenshots speak. Choose your SQL Server recovery tool with care.
Software A
A domestic SQL Server recovery tool. Chinese text displays fine, but on this database's abnormal table a large number of columns were shown incorrectly.




After a long wait, Oracle's official DUL tool has finally reached version 12 (for the DUL 11 release see: Oracle DUL 11 officially released).
Data UnLoader: 12.0.0.0.5 - Internal Only - on Thu Feb 27 11:27:42 2020 with 64-bit io functions
Copyright (c) 1994 2019 Bernard van Duijnen All rights reserved.
Strictly Oracle Internal Use Only
Reading USER.dat 87 entries loaded
Reading OBJ.dat 72882 entries loaded and sorted 72882 entries
Reading TAB.dat 2810 entries loaded
Reading COL.dat 90151 entries loaded and sorted 90151 entries
Reading TABPART.dat 107 entries loaded and sorted 107 entries
Reading TABCOMPART.dat 0 entries loaded and sorted 0 entries
Reading TABSUBPART.dat 0 entries loaded and sorted 0 entries
Reading INDPART.dat 124 entries loaded and sorted 124 entries
Reading INDCOMPART.dat 0 entries loaded and sorted 0 entries
Reading INDSUBPART.dat 0 entries loaded and sorted 0 entries
Reading IND.dat 4695 entries loaded
Reading LOB.dat 883 entries loaded
Reading ICOL.dat 7430 entries loaded
Reading COLTYPE.dat 2203 entries loaded
Reading TYPE.dat 2779 entries loaded
Reading ATTRIBUTE.dat 10852 entries loaded
Reading COLLECTION.dat 960 entries loaded
Reading BOOTSTRAP.dat 60 entries loaded
Reading LOBFRAG.dat 1 entries loaded and sorted 1 entries
Reading LOBCOMPPART.dat 0 entries loaded and sorted 0 entries
Reading UNDO.dat 21 entries loaded
Reading TS.dat 11 entries loaded
Reading PROPS.dat 36 entries loaded
Database character set is ZHS16GBK
Database national character set is AL16UTF16
Found db_id = 3861844098
Found db_name = O11201GB
DUL> show datafiles;
ts# rf#  start blocks offs open err file name
  0   1      0 103681    0    1   0 D:\app\XIFENFEI\oradata\o11201gbk/system01.dbf
DUL>
Judging from the Compatible parameter it supports Oracle up to version 18 directly; detailed testing will follow.

Title: .[wang.chang888@tutanota.com].ROGER encrypted database recovery
Another new ransomware strain has recently appeared; the file suffix is .id-CC46A224.[wang.chang888@tutanota.com].ROGER, and the ransom prompt looks like this:




Recently a friend's SQL Server database was encrypted with the suffix .mdf.happythreechoose, and they needed recovery support.
The file left behind by the attacker reads:
ALL YOUR FILES ARE ENCRYPTED!
☠ ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.
To recover data you need decryptor.
To get the decryptor you should:
Send 1 test image or text file happychoose@cock.li or happychoose2@cock.li.
In the letter include YOUR ID (look at the beginning of this document).
We will give you the decrypted file and assign the price for decryption all files
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions
We can decrypt one file in quality the evidence that we have the decoder.
Attention!
Only happychoose@cock.li or happychoose2@cock.li can decrypt your files
Do not trust anyone happychoose@cock.li or happychoose2@cock.li
Do not attempt to remove the program or run the anti-virus tools
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data, because each user's unique encryption key
A web search shows the same strain also uses the suffix .happyfourchoose; both belong to the GlobeImposter family, for which no decryptor is currently available.
Low-level analysis showed that mainly the head and the tail of the file were encrypted; the 8 KB pages in between are untouched, which is why most of the table data can still be pulled out of the file.
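Both situations above, the mdf that shrank to 0 KB whose blocks are still lying around on the partition and the GlobeImposter file whose head and tail were overwritten, come down to the same check: a SQL Server page carries its own file id and page number in its 96-byte header, so an intact page can be recognised and put back at its own offset regardless of what happened to the file around it. The following is an added example written for this page, not the author's tooling; it assumes the documented page header layout (version byte at offset 0, type at 1, slot count at 22, object id at 24, free counts at 28 and 30, page id and file id at 32) and uses constructed sample pages rather than data from a real database.

```python
"""Page-level salvage for SQL Server data files (added example, not the author's tool).

Assumes the documented 8 KB page layout: a 96-byte header with m_headerVersion
at byte 0 (always 1), m_type at byte 1, m_slotCnt at 22-23, m_objId at 24-27,
m_freeCnt at 28-29, m_freeData at 30-31 and m_pageId (4-byte page number then
2-byte file id) at 32-37; record offsets sit as 2-byte slots at the end of the
page. All sample pages below are constructed, not taken from a real database.
"""
import struct

PAGE_SIZE = 8192
HEADER_SIZE = 96
HDR_FMT = "<HiHHIH"     # slot_cnt, obj_id, free_cnt, free_data, page_id, file_id at offset 22
KNOWN_PAGE_TYPES = {1, 2, 3, 4, 7, 8, 9, 10, 11, 13, 15, 16, 17}   # anything else is noise


def parse_page_header(page):
    """Return a dict of header fields if `page` is a plausible intact page, else None.
    Encrypted or random bytes fail the version/type check or the size sanity checks."""
    if len(page) != PAGE_SIZE or page[0] != 1 or page[1] not in KNOWN_PAGE_TYPES:
        return None
    slot_cnt, obj_id, free_cnt, free_data, page_id, file_id = struct.unpack_from(HDR_FMT, page, 22)
    if not 1 <= file_id <= 32767:
        return None
    if not HEADER_SIZE <= free_data <= PAGE_SIZE - 2 * slot_cnt:
        return None
    if free_cnt > PAGE_SIZE - HEADER_SIZE or slot_cnt > (PAGE_SIZE - HEADER_SIZE) // 2:
        return None
    return {"file_id": file_id, "page_id": page_id, "type": page[1],
            "obj_id": obj_id, "slot_cnt": slot_cnt, "free_data": free_data}


def survey_pages(mdf):
    """For a damaged .mdf that still has its own layout (e.g. head and tail encrypted):
    return (intact_page_ids, damaged_page_ids). A page counts as intact only when it
    parses AND reports the page number of the slot it sits in."""
    intact, damaged = [], []
    for i in range(len(mdf) // PAGE_SIZE):
        hdr = parse_page_header(mdf[i * PAGE_SIZE:(i + 1) * PAGE_SIZE])
        (intact if hdr and hdr["page_id"] == i else damaged).append(i)
    return intact, damaged


def carve_pages(image, step=512):
    """Scan a raw image (partition dump, or whatever is left of a file truncated to 0 KB)
    at `step`-byte alignment. Returns {(file_id, page_id): offset}; if a page occurs
    twice (an older copy left on disk) the first hit wins."""
    found = {}
    off = 0
    while off + PAGE_SIZE <= len(image):
        hdr = parse_page_header(image[off:off + PAGE_SIZE])
        if hdr is None:
            off += step
            continue
        found.setdefault((hdr["file_id"], hdr["page_id"]), off)
        off += PAGE_SIZE            # an intact page cannot overlap the next one
    return found


def rebuild_mdf(image, file_id, found=None):
    """Lay every carved page of one data file back at page_id * 8192. Slots that were
    never found stay zero-filled, which a recovery tool then treats as damaged pages."""
    found = carve_pages(image) if found is None else found
    pages = {pid: off for (fid, pid), off in found.items() if fid == file_id}
    if not pages:
        return bytearray()
    out = bytearray((max(pages) + 1) * PAGE_SIZE)
    for pid, off in pages.items():
        out[pid * PAGE_SIZE:(pid + 1) * PAGE_SIZE] = image[off:off + PAGE_SIZE]
    return out


def make_page(file_id, page_id, page_type=1, payload=b""):
    """Constructed test page: valid header plus one record at offset 96 when payload is given."""
    page = bytearray(PAGE_SIZE)
    page[0], page[1] = 1, page_type
    slot_cnt = 1 if payload else 0
    free_data = HEADER_SIZE + len(payload)
    struct.pack_into(HDR_FMT, page, 22, slot_cnt, 0x7001,
                     PAGE_SIZE - free_data - 2 * slot_cnt, free_data, page_id, file_id)
    page[HEADER_SIZE:free_data] = payload
    if payload:
        struct.pack_into("<H", page, PAGE_SIZE - 2, HEADER_SIZE)   # slot 0 -> the record
    return bytes(page)


JUNK = bytes(range(256))   # constructed filler; its version byte is 0, so it never parses

# Case 1 (constructed): partition dump after the .mdf shrank to 0 KB, pages of two
# different files scattered between unrelated blocks.
SAMPLE_IMAGE = (JUNK * 4 + make_page(1, 0, 15, b"file header") + make_page(1, 1, 11)
                + JUNK * 16 + make_page(1, 7, 1, b"orders row 1") + make_page(2, 3, 1, b"other db"))

# Case 2 (constructed): an .mdf whose first and last page were overwritten by ransomware;
# XOR stands in for the real cipher, the point is only that the header no longer parses.
_clean = b"".join(make_page(1, i, 1, b"row %d" % i) for i in range(4))
SAMPLE_ENCRYPTED_MDF = (bytes(b ^ 0x5A for b in _clean[:PAGE_SIZE])
                        + _clean[PAGE_SIZE:3 * PAGE_SIZE]
                        + bytes(b ^ 0x5A for b in _clean[3 * PAGE_SIZE:]))

if __name__ == "__main__":
    print("carved:", carve_pages(SAMPLE_IMAGE))
    print("survey:", survey_pages(SAMPLE_ENCRYPTED_MDF))
```

On a real partition dump the scan step is a trade-off: 512 bytes catches pages regardless of the filesystem's cluster size, at the cost of many more header checks than a 4 KB step. The survey function is the quick triage for an encrypted file: if it reports the intact range as everything except the first and last few pages, the file matches the pattern described above and page-level salvage is worth attempting before anyone considers paying.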



A friend asked for help: the MySQL datadir directory had been deleted while the database was still running, and many operations no longer worked.
The server could still be logged into, but no business database was listed any more; tables could still be queried by name:
[root@hy-db-xff-s-110 mysql3306]# mysql -uroot -ptSQghoV^J1GE^U8*wPElImv5
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 443214
Server version: 5.7.21-log MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)

mysql> select count(1) from xifenfei.orders;
+----------+
| count(1) |
+----------+
| 16451326 |
+----------+
1 row in set (4.17 sec)
The data could not be exported either: SELECT ... INTO OUTFILE is blocked by the default secure-file-priv setting, and mysqldump fails because MySQL 5.7 locates a database through its directory under datadir, which no longer exists (the table is still readable only because mysqld keeps the InnoDB files open). Check SELECT @@secure_file_priv: if it names a directory, INTO OUTFILE into that directory still works; if it is NULL, exporting is disabled and, because the variable is not dynamic, turning it on would need a restart, which is exactly what must not happen here.
mysql> select * from xifenfei.orders into outfile '/bakcup/orders_new.sql' FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED BY '\n';
ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement

[root@hy-db-cps-s-110 fd]# mysqldump -uroot -pwww.xifenfei.com xifenfei orders >/linshi/1.sql
mysqldump: [Warning] Using a password on the command line interface can be insecure.
mysqldump: Got error: 1049: Unknown database 'xifenfei' when selecting the database
Because mysqld had neither crashed nor been restarted, the data files still existed: only the directory entries were removed, and the open file handles keep the inodes alive, so nothing had really been deleted yet.
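The standard way to reach those still-open files on Linux is through /proc/<pid>/fd, where the kernel exposes every descriptor of the mysqld process and marks unlinked ones with " (deleted)". The script below is an added example for this page, not the author's procedure; it assumes a Linux host with /proc mounted, root privileges, the pid of mysqld, and an output directory on a different filesystem from the lost datadir. The test data it is exercised with is a temporary file created and unlinked on the spot.

```python
"""Copy files that a still-running process holds open after their directory
entries were deleted (added example, not the author's procedure).

On Linux every descriptor of a process is visible as /proc/<pid>/fd/<n>.
readlink() on it returns the original path with " (deleted)" appended once the
name is gone, and opening the link reads the inode itself, so a deleted .ibd,
ibdata1 or ib_logfile can be copied out as long as mysqld keeps it open.
"""
import os
import shutil
import sys

DELETED_SUFFIX = " (deleted)"


def list_deleted_open_files(pid):
    """Return [(fd, original_path)] for every unlinked file `pid` still holds open."""
    fd_dir = f"/proc/{pid}/fd"
    hits = []
    for name in sorted(os.listdir(fd_dir), key=int):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue                     # closed between listdir() and readlink()
        if target.endswith(DELETED_SUFFIX):
            hits.append((int(name), target[:-len(DELETED_SUFFIX)]))
    return hits


def recover_deleted_open_files(pid, out_dir):
    """Copy each deleted-but-open regular file of `pid` into out_dir, flattening the
    original path into the file name (/var/lib/mysql/db/t.ibd -> var_lib_mysql_db_t.ibd).
    Returns {original_path: copy_path}. out_dir must be on a different filesystem than
    the lost datadir, otherwise the copies overwrite free blocks you may still want to carve."""
    os.makedirs(out_dir, exist_ok=True)
    copied = {}
    for fd, path in list_deleted_open_files(pid):
        src = f"/proc/{pid}/fd/{fd}"
        if not os.path.isfile(src):      # sockets, pipes and anon inodes show up here too
            continue
        dst = os.path.join(out_dir, path.strip("/").replace("/", "_"))
        with open(src, "rb") as fin, open(dst, "wb") as fout:
            shutil.copyfileobj(fin, fout, 1024 * 1024)
        copied[path] = dst
    return copied


if __name__ == "__main__":
    # usage (as root): python3 recover_open_files.py "$(pidof mysqld)" /mnt/other_disk/salvage
    for orig, copy in recover_deleted_open_files(int(sys.argv[1]), sys.argv[2]).items():
        print(f"{orig} -> {copy}")
```

Two things must not happen while this runs: mysqld must not be restarted, and nobody should issue FLUSH TABLES, because both close the open table handles and with the directory entries gone they cannot be reopened. The copies are only as consistent as the workload allows, so stop application writes first and copy ibdata1, the undo and redo logs and every .ibd together.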

Title: .[hardlog@protonmail.com].harma encrypted database recovery
A friend came back to us: an older database of theirs that had been encrypted needed recovery, with a suffix like .id-02A15898.[hardlog@protonmail.com].harma


