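Yearly archive: 2016
Recovering a SYSTEM datafile with many corrupt blocks by copying blocks
A friend contacted me: a customer of his has a database with a large number of corrupt blocks and needs our support. Because the database contains many stored procedures, packages and so on, the requirement is that the data be exported directly; it must not be extracted with an unload tool.
dbv check shows many corrupt blocks in the SYSTEM file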
DBVERIFY: Release 11.2.0.4.0 - Production on 星期二 11月 22 17:17:51 2016

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

DBVERIFY - 开始验证: FILE = h:\oracle\system01.dbf
页 4543 流入 - 很可能是介质损坏
Corrupt block relative dba: 0x004011bf (file 1, block 4543)
Fractured block found during dbv:
Data in bad block:
 type: 0 format: 2 rdba: 0x004011bf
 last change scn: 0x0000.00000000 seq: 0x1 flg: 0x05
 spare1: 0x0 spare2: 0x0 spare3: 0x0
 consistency value in tail: 0x7641344a
 check value in block header: 0xb6ff
 computed block checksum: 0x797

页 4544 标记为损坏
Corrupt block relative dba: 0x004011c0 (file 1, block 4544)
Bad header found during dbv:
Data in bad block:
 type: 71 format: 3 rdba: 0x754e362f
 last change scn: 0x7a37.6d424862 seq: 0x39 flg: 0x32
 spare1: 0x35 spare2: 0x32 spare3: 0x3931
 consistency value in tail: 0x7638356c
 check value in block header: 0x4856
 block checksum disabled
…………
页 4613 标记为损坏
Corrupt block relative dba: 0x00401205 (file 1, block 4613)
Bad header found during dbv:
Data in bad block:
 type: 97 format: 7 rdba: 0x79634449
 last change scn: 0x4364.77426a4c seq: 0x41 flg: 0x35
 spare1: 0x34 spare2: 0x36 spare3: 0x7734
 consistency value in tail: 0x505a4550
 check value in block header: 0x434d
 computed block checksum: 0x6f3f

页 4614 标记为损坏
Corrupt block relative dba: 0x00401206 (file 1, block 4614)
Completely zero block found during dbv:
…………
页 5125 标记为损坏
Corrupt block relative dba: 0x00401405 (file 1, block 5125)
Completely zero block found during dbv:

DBVERIFY - 验证完成

检查的页总数: 124160
处理的页总数 (数据): 90745
失败的页总数 (数据): 0
处理的页总数 (索引): 14417
失败的页总数 (索引): 0
处理的页总数 (其他): 3323
处理的总页数 (段) : 1
失败的总页数 (段) : 0
空的页总数: 15092
标记为损坏的总页数: 583
流入的页总数: 5
加密的总页数 : 0
最高块 SCN : 1417256245 (2.1417256245)
The picture here is fairly clear: 583 corrupt blocks in total, and they are contiguous (5125-4543+1).
Trying to start the database
-- Try opening the database directly
SQL> RECOVER DATABASE;
完成介质恢复。
SQL> alter database open;
alter database open
*
第 1 行出现错误:
ORA-01092: ORACLE instance terminated. Disconnection forced
ORA-00704: bootstrap process failure
ORA-00604: error occurred at recursive SQL level 2
ORA-01578: ORACLE data block corrupted (file # 1, block # 4575)
ORA-01110: data file 1: 'H:\ORACLE\SYSTEM01.DBF'
进程 ID: 2572
会话 ID: 85 序列号: 1

-- Open the database with the skip-corrupt-block events set
SQL> startup mount pfile='h:/oracle/pfile.txt'
ORACLE 例程已经启动。

Total System Global Area 2137886720 bytes
Fixed Size 2282944 bytes
Variable Size 520096320 bytes
Database Buffers 1610612736 bytes
Redo Buffers 4894720 bytes
数据库装载完毕。
SQL> show parameter event;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
event                                string      43810 trace name context forev
                                                 er, level 10, 10231 trace name
                                                  context forever, level 10, 10
                                                 232 trace name context forever
                                                 , level 10, 10233 trace name c
                                                 ontext forever, level 10, 1004
                                                 1 trace name context forever,
                                                 level 10
xml_db_events                        string      enable
SQL> alter database open;
alter database open
*
第 1 行出现错误:
ORA-01113: 文件 1 需要介质恢复
ORA-01110: 数据文件 1: 'H:\ORACLE\SYSTEM01.DBF'

SQL> recover database;
完成介质恢复。
SQL> alter database open;
alter database open
*
第 1 行出现错误:
ORA-01092: ORACLE instance terminated. Disconnection forced
ORA-00600: internal error code, arguments: [kokiasg1], [], [], [], [], [], [], [], [], [], [], []
进程 ID: 9316
会话 ID: 4 序列号: 3

-- Open the database in upgrade mode
SQL> startup mount pfile='h:/oracle/pfile.txt'
ORACLE 例程已经启动。

Total System Global Area 2137886720 bytes
Fixed Size 2282944 bytes
Variable Size 520096320 bytes
Database Buffers 1610612736 bytes
Redo Buffers 4894720 bytes
数据库装载完毕。
SQL> alter database open upgrade
  2  ;
alter database open upgrade
*
第 1 行出现错误:
ORA-01092: ORACLE instance terminated. Disconnection forced
ORA-00600: internal error code, arguments: [kokiasg1], [], [], [], [], [], [], [], [], [], [], []
进程 ID: 7976
会话 ID: 4 序列号: 3
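At this point, with corruption like this, the chance of opening the database normally is slim. The failing blocks are all very close to the start of the file, which means many of them already existed when the database was created (especially for a database created from a template, where these parts are very likely fixed). So the idea is to replace the corrupt blocks with the same blocks from another database and then try to open the database.
Repairing the corrupt blocks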
[oracle@app101-20 ~]$ dd if=/Data/oracle/oradata/txlhdb/system01.dbf of=/tmp/1.dbf skip=4543 bs=8192 count=583
583+0 records in
583+0 records out
4775936 bytes (4.8 MB) copied, 0.0533578 s, 89.5 MB/s

H:\oracle>dd if=d:/temp/1.dbf of=h:\oracle\system01.dbf seek=4543 bs=8192 count=583 conv=notrun
rawwrite dd for windows version 0.6beta3.
Written by John Newbigin <jn@it.swin.edu.au>
This program is covered by terms of the GPL Version 2.

notrun
583+0 records in
583+0 records out

H:\oracle>dbv file=system01.dbf

DBVERIFY: Release 11.2.0.4.0 - Production on 星期二 11月 22 20:17:51 2016

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

DBVERIFY - 开始验证: FILE = H:\ORACLE\SYSTEM01.DBF

DBVERIFY - 验证完成

检查的页总数: 124160
处理的页总数 (数据): 90761
失败的页总数 (数据): 0
处理的页总数 (索引): 14479
失败的页总数 (索引): 0
处理的页总数 (其他): 3393
处理的总页数 (段) : 1
失败的总页数 (段) : 0
空的页总数: 15527
标记为损坏的总页数: 0
流入的页总数: 0
加密的总页数 : 0
最高块 SCN : 295310052 (11.295310052)
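The range arithmetic behind the dd parameters above, as an added example that is not part of the original post: it parses dbv's "Corrupt block relative dba" lines, cross-checks each rdba against the file/block numbers dbv prints, and collapses the blocks into contiguous runs that give the skip/seek and count values. SAMPLE_DBV is a constructed excerpt and the function names are this example's own.

```python
import re

BLOCK_SIZE = 8192  # bs=8192 in the dd commands above

# Constructed excerpt in the format of the dbv output quoted in this post.
SAMPLE_DBV = """\
Corrupt block relative dba: 0x004011bf (file 1, block 4543)
Corrupt block relative dba: 0x004011c0 (file 1, block 4544)
Corrupt block relative dba: 0x004011c1 (file 1, block 4545)
Corrupt block relative dba: 0x00401405 (file 1, block 5125)
"""

CORRUPT_RE = re.compile(
    r"Corrupt block relative dba: (0x[0-9a-fA-F]{8}) \(file (\d+), block (\d+)\)")

def decode_rdba(rdba):
    """Split a 32-bit relative DBA into (relative file#, block#): 10 + 22 bits."""
    return rdba >> 22, rdba & 0x3FFFFF

def corrupt_blocks(dbv_text):
    """Return sorted corrupt block numbers per file, checked against dbv's decoding."""
    found = {}
    for m in CORRUPT_RE.finditer(dbv_text):
        file_no, block_no = decode_rdba(int(m.group(1), 16))
        if (file_no, block_no) != (int(m.group(2)), int(m.group(3))):
            raise ValueError(f"rdba {m.group(1)} disagrees with dbv's file/block")
        found.setdefault(file_no, set()).add(block_no)
    return {f: sorted(b) for f, b in found.items()}

def contiguous_ranges(blocks):
    """Collapse sorted block numbers into (first_block, count) runs."""
    runs = []
    for b in blocks:
        if runs and b == runs[-1][0] + runs[-1][1]:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((b, 1))
    return runs

def dd_plan(dbv_text):
    """One (file#, skip_or_seek, count, byte_offset, byte_length) tuple per run."""
    plan = []
    for file_no, blocks in corrupt_blocks(dbv_text).items():
        for first, count in contiguous_ranges(blocks):
            plan.append((file_no, first, count, first * BLOCK_SIZE, count * BLOCK_SIZE))
    return plan

if __name__ == "__main__":
    for file_no, first, count, off, length in dd_plan(SAMPLE_DBV):
        print(f"file {file_no}: skip/seek={first} count={count} bytes={off}+{length}")
```

For the run in this post, blocks 4543 through 5125 collapse to a single run of 583 blocks, which is 4775936 bytes at bs=8192, the figure dd reports.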
Trying to open the database again
C:\Users\XIFENFEI>sqlplus / as sysdba

SQL*Plus: Release 11.2.0.4.0 Production on 星期二 11月 22 20:18:19 2016

Copyright (c) 1982, 2013, Oracle. All rights reserved.

已连接到空闲例程。

SQL> startup mount pfile='h:/oracle/pfile.txt';
ORACLE 例程已经启动。

Total System Global Area 2137886720 bytes
Fixed Size 2282944 bytes
Variable Size 520096320 bytes
Database Buffers 1610612736 bytes
Redo Buffers 4894720 bytes
数据库装载完毕。
SQL> recover database;
完成介质恢复。
SQL> alter database open;

数据库已更改。
Handling the follow-on ORA-04023 error
C:\Users\XIFENFEI>exp "'/ as sysdba'" owner=XIFENFEI file=d:/full_xff.dmp log=d:/full_xff.log FEEDBACK=10000 COMPRESS=NO BUFFER=102400000 STATISTICS=none

Export: Release 11.2.0.4.0 - Production on 星期二 11月 22 20:20:27 2016

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

连接到: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
EXP-00056: 遇到 ORACLE 错误 4023
ORA-04023: 无法验证或授权对象 SELECT xdb_uid FROM SYS.EXU9XDBUID
EXP-00000: 导出终止失败
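None of the views in the database could be queried. The view information was read directly from the base tables user$, obj$, view$ and so on, and the views were then compiled directly; after that the data exported cleanly, which completed this recovery.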
SQL> select 'alter view '||b.name||'.'||c.name||' compile;'
  2  from view$ a,user$ b,obj$ c
  3  where a.obj#=c.obj#
  4  and c.owner#=b.user#;
Resolving the CON$ ORA-600 kdsgrp1 error
The database reports an ORA-600 kdsgrp1 error
The database reports the error ORA-00600: internal error code, arguments: [kdsgrp1], [], [], [], [], [], [], [], [], [], [], []
Thread 1 advanced to log sequence 23861 (LGWR switch)
  Current log# 7 seq# 23861 mem# 0: /oradata/easdb/redo07.log
Tue Nov 15 10:00:42 2016
Errors in file /u01/oracle/diag/rdbms/easdb/easdb/trace/easdb_dw00_3165.trc (incident=908262):
ORA-00600: internal error code, arguments: [kdsgrp1], [], [], [], [], [], [], [], [], [], [], []
Incident details in: /u01/oracle/diag/rdbms/easdb/easdb/incident/incdir_908262/easdb_dw00_3165_i908262.trc
Tue Nov 15 10:00:55 2016
Use ADRCI or Support Workbench to package the incident.
See Note 411.1 at My Oracle Support for error and packaging details.
Tue Nov 15 10:00:56 2016
Errors in file /u01/oracle/diag/rdbms/easdb/easdb/trace/easdb_dw00_3165.trc (incident=908263):
ORA-00600: internal error code, arguments: [kdsgrp1], [], [], [], [], [], [], [], [], [], [], []
ORA-06512: at "SYS.KUPW$WORKER", line 1751
ORA-06512: at line 2
Incident details in: /u01/oracle/diag/rdbms/easdb/easdb/incident/incdir_908263/easdb_dw00_3165_i908263.trc
Use ADRCI or Support Workbench to package the incident.
See Note 411.1 at My Oracle Support for error and packaging details.
DW00 terminating with fatal err=600, pid=40, wid=1, job SYSTEM.
Tue Nov 15 10:01:01 2016
Thread 1 advanced to log sequence 23862 (LGWR switch)
  Current log# 2 seq# 23862 mem# 0: /oradata/easdb/redo02.log
Tue Nov 15 10:01:23 2016
Errors in file /u01/oracle/diag/rdbms/easdb/easdb/trace/easdb_dm00_3163.trc (incident=908254):
ORA-31671: Worker process DW00 had an unhandled exception.
ORA-00600: internal error code, arguments: [kdsgrp1], [], [], [], [], [], [], [], [], [], [], []
ORA-06512: at "SYS.KUPW$WORKER", line 1751
ORA-06512: at line 2
Incident details in: /u01/oracle/diag/rdbms/easdb/easdb/incident/incdir_908254/easdb_dm00_3163_i908254.trc
Use ADRCI or Support Workbench to package the incident.
See Note 411.1 at My Oracle Support for error and packaging details.
Tue Nov 15 10:01:26 2016
Tue Nov 15 10:01:28 2016
Thread 1 advanced to log sequence 23863 (LGWR switch)
  Current log# 4 seq# 23863 mem# 0: /oradata/easdb/redo04.log
Information in the trace file
*** 2016-11-15 10:00:35.977
* kdsgrp1-1: *************************************************
            row 0x004459e6.26 continuation at
            0x004459e6.26 file# 1 block# 285158 slot 38 not found
KDSTABN_GET: 0 ..... ntab: 1
curSlot: 38 ..... nrows: 208
kdsgrp - dump CR block dba=0x004459e6
Block header dump: 0x004459e6
 Object id on Block? Y
 seg/obj: 0x1c csc: 0x01.c712f743 itc: 3 flg: - typ: 1 - DATA
     fsl: 0 fnx: 0x0 ver: 0x01

 Itl  Xid                  Uba                 Flag  Lck  Scn/Fsc
0x01  0x000b.015.0036d715  0x00c01bba.0fbd.02  C---    0  scn 0x0001.c6b4cb1a
0x02  0x000c.004.00044d36  0x04c0dd93.3eec.33  C---    0  scn 0x0001.c6d2c65b
0x03  0x000d.008.00008eb9  0x04c0777a.10e3.02  --U-    2  fsc 0x0056.c7346f21
Identifying the failing object and confirming the inconsistency
SQL> select object_name from dba_objects where object_id=28;

OBJECT_NAME
---------------------------------------------------------
CON$

SQL> ANALYZE TABLE sys.CON$ VALIDATE STRUCTURE CASCADE online;
ANALYZE TABLE sys.CON$ VALIDATE STRUCTURE CASCADE online
*
ERROR at line 1:
ORA-01499: table/index cross reference failure - see trace file

SQL> SET LINES 122
SQL> COL INDEX_OWNER FOR A20
SQL> COL INDEX_NAME FOR A30
SQL> COL TABLE_OWNER FOR A20
SQL> COL COLUMN_NAME FOR A25
SQL> SELECT TABLE_OWNER,INDEX_NAME,COLUMN_NAME,COLUMN_POSITION
  2  FROM Dba_Ind_Columns
  3  WHERE table_name = upper('&TABLE_NAME') order by TABLE_OWNER,INDEX_OWNER,INDEX_NAME,COLUMN_POSITION;
Enter value for table_name: CON$
old   3: WHERE table_name = upper('&TABLE_NAME') order by TABLE_OWNER,INDEX_OWNER,INDEX_NAME,COLUMN_POSITION
new   3: WHERE table_name = upper('CON$') order by TABLE_OWNER,INDEX_OWNER,INDEX_NAME,COLUMN_POSITION

TABLE_OWNER          INDEX_NAME                     COLUMN_NAME               COLUMN_POSITION
-------------------- ------------------------------ ------------------------- ---------------
SYS                  I_CON1                         OWNER#                                  1
SYS                  I_CON1                         NAME                                    2
SYS                  I_CON2                         CON#                                    1

SQL> select owner#,name from con$
  2  minus
  3  select /*+ full(t) */owner#,name from con$ t;

no rows selected

SQL> select /*+ full(t) */owner#,name from con$ t
  2  minus
  3  select owner#,name from con$ ;

no rows selected

SQL> select /*+ full(t) */ con# from con$ t
  2  minus
  3  select con# from con$ ;

no rows selected

SQL> select con# from con$
  2  minus
  3  select /*+ full(t) */ con# from con$ t ;

      CON#
----------
   1037224
   1037225
   1037386
   1037387
   1037388
……
   1037846

62 rows selected.
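From the analysis above, the cause is an inconsistency between CON$ and I_CON2: the index holds 62 more entries than the table. For a case like this, the approach considered is to rebuild the index.
Trying to rebuild the index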
SQL> alter index I_CON2 rebuild online;
alter index I_CON2 rebuild online
*
ERROR at line 1:
ORA-00701: object necessary for warmstarting database cannot be altered

SQL>
SQL>
SQL>
SQL>
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup upgrade
ORACLE instance started.

Total System Global Area 2421825536 bytes
Fixed Size 2215744 bytes
Variable Size 1828716736 bytes
Database Buffers 570425344 bytes
Redo Buffers 20467712 bytes
Database mounted.
Database opened.
SQL> alter index I_CON2 rebuild;
alter index I_CON2 rebuild
*
ERROR at line 1:
ORA-00701: object necessary for warmstarting database cannot be altered
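Because this is a core database index, it cannot be fixed with a direct rebuild; it can only be resolved with the method described in "Abnormal recovery of bootstrap$ core indexes (I_OBJ1, I_USER1, I_FILE#_BLOCK#, I_IND1, I_TS#, I_CDEF1, etc.): resolving the ORA-00701 error".
Database hacked and held for bitcoin ransom via PL/SQL Developer: analysis of how it works, and solutions
Errors in the alert log at database startup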
Mon Jul 10 19:51:24 2016
Errors in file e:\app\administrator\diag\rdbms\zhxh\zhxh\trace\zhxh_ora_3584.trc:
ORA-00604: 递归 SQL 级别 1 出现错误
ORA-20313: 你的数据库已被SQL RUSH Team锁死 发送5个比特币到这个地址 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (大小写一致) 之后把你的Oracle SID邮寄地址 sqlrush@mail.com 我们将让你知道如何解锁你的数据库 Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address sqlrush@mail.com, we will let you know how to unlock your database.
ORA-06512: 在 "ZHXH.DBMS_SYSTEM_INTERNAL ", line 15
ORA-06512: 在 line 2
Mon Jul 10 19:51:30 2016
OER 7451 in Load Indicator : Error Code = OSD-04500: 指定了非法选项
O/S-Error: (OS 1) 函数不正确。 !
Mon Jul 10 19:51:34 2017
Errors in file e:\app\administrator\diag\rdbms\zhxh\zhxh\trace\zhxh_ora_824.trc:
ORA-00604: 递归 SQL 级别 1 出现错误
ORA-20313: 你的数据库已被SQL RUSH Team锁死 发送5个比特币到这个地址 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (大小写一致) 之后把你的Oracle SID邮寄地址 sqlrush@mail.com 我们将让你知道如何解锁你的数据库 Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address sqlrush@mail.com, we will let you know how to unlock your database.
ORA-06512: 在 "ZHXH.DBMS_SYSTEM_INTERNAL ", line 15
ORA-06512: 在 line 2
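afterconnect.sql
This is a script that PL/SQL Developer runs automatically after login; it is not an official Oracle script.
Trigger DBMS_SUPPORT_INTERNAL, executed after database startup
What DBMS_SUPPORT_INTERNAL mainly does:
1. Once the database was created more than 1200 days ago, it starts by backing up the tab$ table
2. It deletes the records in tab$ except those with owner# 0 and 38 (sys, xdb)
3. It clears the backup information (v$controlfile_record_section) through SYS.DBMS_BACKUP_RESTORE.RESETCFILESECTION
4. It then uses DBMS_SYSTEM.KSDWRT to write the following notice into your alert log 2046 times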
Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address sqlrush@mail.com, we will let you know how to unlock your database.
你的数据库已被SQL RUSH Team锁死 发送5个比特币到这个地址 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (大小写一致) 之后把你的Oracle SID邮寄地址 sqlrush@mail.com 我们将让你知道如何解锁你的数据库
5. It then raises a foreground warning similar to the one in step 4
Database logon trigger DBMS_SYSTEM_INTERNAL
When the oldest statistics time across all tables outside the SYSTEM, SYSAUX and EXAMPLE tablespaces is more than 1200 days in the past, and the connecting program is not C89239.EXE, it raises the message "你的数据库已被SQL RUSH Team锁死 发送5个比特币到这个地址 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (大小写一致) 之后把你的Oracle SID邮寄地址 sqlrush@mail.com 我们将让你知道如何解锁你的数据库 Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address sqlrush@mail.com, we will let you know how to unlock your database."
Database logon trigger DBMS_CORE_INTERNAL
This one is fairly clear: it puts every table whose name does not contain $, does not contain ORACHK, and which is not a cluster table into a cursor, then takes the oldest statistics collection time of the tables in tablespaces other than SYSTEM, SYSAUX and EXAMPLE and compares it with the current time. If the difference is more than 1200 days, it runs truncate table. Once that is done, if the logon program is not C89239.EXE, it raises the exception "你的数据库已被SQL RUSH Team锁死 发送5个比特币到这个地址 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (大小写一致) 之后把你的Oracle SID邮寄地址 sqlrush@mail.com 我们将让你知道如何解锁你的数据库 Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address sqlrush@mail.com, we will let you know how to unlock your database."
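How to handle this failure
1. If SELECT NVL(TO_CHAR(SYSDATE-MIN(LAST_ANALYZED)),0) FROM ALL_TABLES WHERE TABLESPACE_NAME NOT IN ('SYSTEM','SYSAUX','EXAMPLE'); returns less than 1200, run the following statements and then drop what they return (on a normal database the query returns nothing)
2. If SYSDATE-MIN(LAST_ANALYZED) is greater than 1200, and either SYSDATE-CREATED is greater than 1200 days with no restart since, or SYSDATE-CREATED is less than 1200: tab$ has not yet been cleaned out, but the tables have been truncated. This case can be recovered with Oracle's own DUL tool
3. If SYSDATE-CREATED is greater than 1200 days and the database has been restarted, but SYSDATE-MIN(LAST_ANALYZED) is less than 1200 days, the backup information in 'ORACHK'||SUBSTR(SYS_GUID,10) can be inserted straight back into tab$
4. If SYSDATE-CREATED is greater than 1200 days, the database has been restarted, and SYSDATE-MIN(LAST_ANALYZED) is greater than 1200 days, recover with a tool such as Oracle's own DUL combined with the data in the 'ORACHK'||SUBSTR(SYS_GUID,10) backup table
Prevention
1) Query the database, and if any of these objects exist, clean them up promptly (note the space between % and ')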
select 'DROP TRIGGER '||owner||'."'||TRIGGER_NAME||'";' from dba_triggers where TRIGGER_NAME like 'DBMS_%_INTERNAL% '
union all
select 'DROP PROCEDURE '||owner||'."'||a.object_name||'";' from dba_procedures a where a.object_name like 'DBMS_%_INTERNAL% ';
-- note the space between % and '
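2) Restrict the DBA privilege for application users as far as possible
3) Check the auto-run scripts of the login tools in use and remove any risky scripts:
sqlplus: glogin.sql/login.sql
toad: toad.ini
plsql dev: login.sql/afterconnect.sql
4) Download tools from the official source; do not use portable ("green") or cracked builds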
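One way to automate check 3), as an added example that is not from the original post: flag any line in a client auto-run script that creates stored code, runs destructive SQL, or names a DBMS_%_INTERNAL object. The rule names, function names and both sample scripts are constructed for illustration; the file names are the ones listed above.

```python
import re

# Auto-run files named in the post (sqlplus, Toad, PL/SQL Developer).
AUTORUN_FILES = {"glogin.sql", "login.sql", "toad.ini", "afterconnect.sql"}

# A login script normally holds only SET/COLUMN-style formatting commands,
# so any of these patterns is worth a manual look.
RULES = [
    ("named-object", re.compile(r"DBMS_\w+_INTERNAL", re.I)),
    ("creates-code", re.compile(
        r"\bCREATE\s+(OR\s+REPLACE\s+)?(TRIGGER|PROCEDURE|FUNCTION|PACKAGE)\b", re.I)),
    ("destructive-sql", re.compile(
        r"\b(TRUNCATE\s+TABLE|DROP\s+TABLE|DELETE\s+FROM|EXECUTE\s+IMMEDIATE)\b", re.I)),
]
COMMENT_RE = re.compile(r"^(--|REM(ARK)?\b)", re.I)

# Constructed sample: formatting-only login.sql.
CLEAN_LOGIN = """\
-- constructed sample
set linesize 200
set pagesize 9999
column name format a30
"""

# Constructed sample: statement headers only, using object names from the post.
TAMPERED_AFTERCONNECT = """\
-- constructed sample
set serveroutput off
create or replace procedure "DBMS_SUPPORT_INTERNAL " as
create or replace trigger "DBMS_SYSTEM_INTERNAL " after logon on database
"""

def is_autorun_file(path):
    """True if the file name (any directory, any case) is a known auto-run script."""
    return re.split(r"[\\/]", path)[-1].lower() in AUTORUN_FILES

def scan_autorun(text):
    """Return (line_no, rule, line) for each non-comment line matching a rule."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or COMMENT_RE.match(line):
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((no, rule, line))
    return findings

if __name__ == "__main__":
    for no, rule, line in scan_autorun(TAMPERED_AFTERCONNECT):
        print(f"line {no}: {rule}: {line}")
```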