标签云
asm恢复 bbed bootstrap$ dul In Memory kcbzib_kcrsds_1 kccpb_sanity_check_2 kfed MySQL恢复 ORA-00312 ORA-00607 ORA-00704 ORA-01110 ORA-01555 ORA-01578 ORA-08103 ORA-600 2131 ORA-600 2662 ORA-600 2663 ORA-600 3020 ORA-600 4000 ORA-600 4137 ORA-600 4193 ORA-600 4194 ORA-600 16703 ORA-600 kcbzib_kcrsds_1 ORA-600 KCLCHKBLK_4 ORA-15042 ORA-15196 ORACLE 12C oracle dul ORACLE PATCH Oracle Recovery Tools oracle加密恢复 oracle勒索 oracle勒索恢复 oracle异常恢复 Oracle 恢复 ORACLE恢复 ORACLE数据库恢复 oracle 比特币 OSD-04016 YOUR FILES ARE ENCRYPTED 勒索恢复 比特币加密文章分类
- Others (2)
- 中间件 (2)
- WebLogic (2)
- 操作系统 (102)
- 数据库 (1,674)
- DB2 (22)
- MySQL (73)
- Oracle (1,536)
- Data Guard (52)
- EXADATA (8)
- GoldenGate (22)
- ORA-xxxxx (159)
- ORACLE 12C (72)
- ORACLE 18C (6)
- ORACLE 19C (14)
- ORACLE 21C (3)
- Oracle 23ai (7)
- Oracle ASM (67)
- Oracle Bug (8)
- Oracle RAC (52)
- Oracle 安全 (6)
- Oracle 开发 (28)
- Oracle 监听 (28)
- Oracle备份恢复 (562)
- Oracle安装升级 (92)
- Oracle性能优化 (62)
- 专题索引 (5)
- 勒索恢复 (78)
- PostgreSQL (18)
- PostgreSQL恢复 (6)
- SQL Server (27)
- SQL Server恢复 (8)
- TimesTen (7)
- 达梦数据库 (2)
- 生活娱乐 (2)
- 至理名言 (11)
- 虚拟化 (2)
- VMware (2)
- 软件开发 (37)
- Asp.Net (9)
- JavaScript (12)
- PHP (2)
- 小工具 (20)
-
最近发表
- GoldenGate 19安装和打patch
- dd破坏asm磁盘头恢复
- 删除asmlib磁盘导致磁盘组故障恢复
- Kylin Linux 安装19c
- ORA-600 krse_arc_complete.4
- Oracle 19c 202410补丁(RUs+OJVM)
- ntfs MFT损坏(ntfs文件系统故障)导致oracle异常恢复
- .mkp扩展名oracle数据文件加密恢复
- 清空redo,导致ORA-27048: skgfifi: file header information is invalid
- A_H_README_TO_RECOVER勒索恢复
- 通过alert日志分析客户自行对一个数据库恢复的来龙去脉和点评
- ORA-12514: TNS: 监听进程不能解析在连接描述符中给出的SERVICE_NAME
- ORA-01092 ORA-00604 ORA-01558故障处理
- ORA-65088: database open should be retried
- Oracle 19c异常恢复—ORA-01209/ORA-65088
- ORA-600 16703故障再现
- 数据库启动报ORA-27102 OSD-00026 O/S-Error: (OS 1455)
- .[metro777@cock.li].Elbie勒索病毒加密数据库恢复
- 应用连接错误,初始化mysql数据库恢复
- RAC默认服务配置优先节点
标签归档:比特币 oracle
.ALCO 比特币加密勒索恢复
.CHAK1 比特币加密勒索恢复
最近有朋友遇到oracle数据库被加密后缀名为.CHAK1的比特币勒索
我们通过确认,这次的破坏和上次的(比特币加密勒索间隔加密)比较类似
通过分析,此类损坏结果为:
1)1280 block 间隔加密,
2)每个加密文件前10M数据可能丢失
对于这个客户,我们通过分析,业务数据可以比较完美的恢复
如果您的数据库被比特币加密勒索,需要恢复支持请联系我们
Phone:17813235971 Q Q:107644445 E-Mail:dba@xifenfei.com
发表在 勒索恢复
标签为 .CHAK1, oracle勒索, oracle勒索病毒, YOUR FILES ARE ENCRYPTED, 勒索恢复, 比特币, 比特币 oracle, 比特币加密, 比特币勒索
评论关闭
比特币加密勒索间隔加密
最近我们在一个客户的oracle恢复case中发现比特币文件系统勒索加密比较特殊,和大家做一个分享
文件加密后缀名为:.$ILICONE
文件加密特点分析
DUL> dump datafile 5 block 1 Block Header: block type=0x0b (file header) block format=0xa2 (oracle 10) block rdba=0x01400001 (file#=5, block#=1) scn=0x0000.00000000, seq=1, tail=0x00000b01 block checksum value=0x6e7d=28285, flag=4 File Header: Db Id=0xe1891cca=3783859402, Db Name=XIFENFEI, Root Dba=0x0 Software vsn=0x0, Compatibility Vsn=0xa200300, File Size=0x3ffffe=4194302 Blocks File Type=0x3 (data file), File Number=5, Block Size=8192 Tablespace #7 - OA rel_fn:5 DUL> dump datafile 5 block 2 Block Header: block type=0x63 (unknown) block format=0x57 (unknown) block rdba=0xc6538298 (file#=793, block#=1278616) scn=0xe0ab.fdc4d8d0, seq=225, tail=0xa7b5cab5 block checksum value=0xfaa1=64161, flag=165 corrupted block. DUL> dump datafile 5 block 3 Block Header: block type=0x1e (LMT space map block) block format=0xa2 (oracle 10) block rdba=0x01400003 (file#=5, block#=3) scn=0x0000.00246fbe, seq=1, tail=0x6fbe1e01 block checksum value=0xe495=58517, flag=4 DUL> dump datafile 5 block 4 Block Header: block type=0x83 (unknown) block format=0xa3 (unknown) block rdba=0x17e4c9e4 (file#=95, block#=2410980) scn=0xe3b2.fc505eea, seq=101, tail=0x6e2f1004 block checksum value=0x7f2e=32558, flag=196 corrupted block. DUL> dump datafile 5 block 5 Block Header: block type=0x1e (LMT space map block) block format=0xa2 (oracle 10) block rdba=0x01400005 (file#=5, block#=5) scn=0x0000.00264875, seq=1, tail=0x48751e01 block checksum value=0xb25e=45662, flag=4 DUL> dump datafile 5 block 6 Block Header: block type=0x68 (unknown) block format=0x35 (unknown) block rdba=0x7011e0e3 (file#=448, block#=1171683) scn=0x47bf.9f2df54a, seq=207, tail=0x69ae0a91 block checksum value=0x49f8=18936, flag=174 corrupted block.
通过这里初步分析,确认加密是间隔方式加密,在数据库中表现明显的是每相隔8k进行加密,而且这里是偶数block被加密
确认加密文件结束位置
DUL> dump datafile 5 block 962818 header Block Header: block type=0x4d (unknown) block format=0xde (unknown) block rdba=0x0bab780d (file#=46, block#=2848781) scn=0x056b.2c695f6b, seq=223, tail=0x2399e0cb block checksum value=0x9706=38662, flag=212 corrupted block. DUL> dump datafile 5 block 962820 header Block Header: block type=0x00 (blank block) block format=0xa2 (oracle 10) block rdba=0x014eb104 (file#=5, block#=962820) scn=0x0000.00000000, seq=1, tail=0x00000001 block checksum value=0x174a=5962, flag=5
通过这里可以发现,对于一个32G的文件,一直被加密到block 962818,也就是7.34G(962818*8k),这里间隔加密,而且加密深度特别深,在以往的比特币文件系统加密中比较少见.
再次提醒
1. 不要把数据库暴露在外网
2. 相对linux而言,win更容易受到黑客的攻击
3. 数据库一定要做好备份,条件允许的情况下,配置数据实时同步到其他机器还是有必要的