标签云
asm 恢复 asm恢复 bbed bootstrap$ dul In Memory kcbzib_kcrsds_1 kccpb_sanity_check_2 kfed MySQL恢复 ORA-00312 ORA-00607 ORA-00704 ORA-01110 ORA-01555 ORA-01578 ORA-08103 ORA-600 2662 ORA-600 2663 ORA-600 3020 ORA-600 4000 ORA-600 4137 ORA-600 4193 ORA-600 4194 ORA-600 16703 ORA-600 kcbzib_kcrsds_1 ORA-600 KCLCHKBLK_4 ORA-15042 ORA-15196 ORACLE 12C oracle dul ORACLE PATCH Oracle Recovery Tools oracle加密恢复 oracle勒索 oracle勒索恢复 oracle异常恢复 ORACLE恢复 Oracle 恢复 ORACLE数据库恢复 oracle 比特币 OSD-04016 YOUR FILES ARE ENCRYPTED 勒索恢复 比特币加密文章分类
- Others (2)
- 中间件 (2)
- WebLogic (2)
- 操作系统 (100)
- 数据库 (1,598)
- DB2 (22)
- MySQL (70)
- Oracle (1,463)
- Data Guard (49)
- EXADATA (7)
- GoldenGate (21)
- ORA-xxxxx (158)
- ORACLE 12C (72)
- ORACLE 18C (6)
- ORACLE 19C (13)
- ORACLE 21C (3)
- Oracle ASM (65)
- Oracle Bug (7)
- Oracle RAC (47)
- Oracle 安全 (6)
- Oracle 开发 (27)
- Oracle 监听 (27)
- Oracle备份恢复 (530)
- Oracle安装升级 (84)
- Oracle性能优化 (62)
- 专题索引 (5)
- 勒索恢复 (75)
- PostgreSQL (18)
- PostgreSQL恢复 (6)
- SQL Server (27)
- SQL Server恢复 (8)
- TimesTen (7)
- 达梦数据库 (2)
- 生活娱乐 (2)
- 至理名言 (11)
- 虚拟化 (2)
- VMware (2)
- 软件开发 (36)
- Asp.Net (9)
- JavaScript (12)
- PHP (2)
- 小工具 (19)
-
最近发表
- PostgreSQL解析wal日志之—walminer
- Oracle 19c/21c最新patch信息-202404
- PostgreSQL恢复系列:pg_filedump批量处理
- PostgreSQL部分主要字典信息
- PostgreSQL恢复系列:pg_filedump恢复字典构造
- PostgreSQL 16 源码安装
- ORA-00742 ORA-00312 恢复
- 数据库open成功后报ORA-00353 ORA-00354错误引起的一系列问题(本质ntfs文件系统异常)
- ORA-600 ktsiseginfo1故障
- ORA-00600: internal error code, arguments: [16703], [1403], [4] 原因
- 最近遇到几起ORA-600 16703故障(tab$被清空),请引起重视
- ORA-600 2662快速恢复之Patch scn工具
- TNS-12518: TNS:listener could not hand off client connection
- ora.storage无法启动报ORA-12514故障处理
- 断电引起文件scn异常数据库恢复
- ORA-16188: LOG_ARCHIVE_CONFIG settings inconsistent with previously started instance
- .[hudsonL@cock.li].mkp勒索加密数据库完美恢复
- 模拟带库实现rman远程备份
- 又一例:ORA-600 kclchkblk_4和2662故障
- Oracle误删除数据文件恢复
月归档:一月 2020
再次提醒plsql dev勒索事件
在2016年发现plsql dev被注入恶意脚本,导致数据库被破坏的事件,我当时写过相关分析blog(plsql dev引起的数据库被黑勒索比特币实现原理分析和解决方案),最近又接到两个客户类似故障请求,分享这次处理经历,提醒大家注意
aler日志报错
Mon Oct 21 16:13:06 2019 Errors in file /u01/app/oracle/diag/rdbms/xff/xff1/trace/xff1_ora_68593.trc: ORA-00604: error occurred at recursive SQL level 1 ORA-20315: 你的数据库已被SQL RUSH Team锁死 发送5个比特币到这个地址 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (大小写一致) 之后把你的Oracle SID邮寄地址 sqlrush@mail.com 我们将让你知道如何解锁你的数据库 Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address sqlrush@mail.com, we will let you know how to unlock your database. ORA-06512: at "XIFENFEI.DBMS_CORE_INTERNAL ", line 25 ORA-06512: at line 2
证明该库在2019年10月份就已经被注入恶意脚本,只是由于该库无专业维护,没有定期检查,不然该问题再就被发现.直到前几天有数据丢失影响业务运行,才开始找原因,发现该问题.
查询相关恶意脚本创建时间
SQL> select owner||'.'||object_name,to_char(created,'yyyy-mm-dd hh24:mi:ss') 2 from dba_objects where object_name like 'DBMS_%_INTERNAL% '; OWNER||'.'||OBJECT_NAME ----------------------------------------------- TO_CHAR(CREATED,'YY ------------------- XFF.DBMS_SUPPORT_INTERNAL 2019-11-19 11:29:38 XFF.DBMS_SUPPORT_INTERNAL 2019-11-19 11:29:38 XFF.DBMS_SYSTEM_INTERNAL 2019-11-19 11:29:39 XFF.DBMS_SYSTEM_INTERNAL 2019-11-19 11:29:39 XFF.DBMS_CORE_INTERNAL 2019-11-19 11:29:39 XFF.DBMS_CORE_INTERNAL 2019-11-19 11:29:39 XIFENFEI.DBMS_SUPPORT_INTERNAL 2019-10-21 15:49:06 XIFENFEI.DBMS_SUPPORT_INTERNAL 2019-10-21 15:49:06 XIFENFEI.DBMS_SYSTEM_INTERNAL 2019-10-21 15:49:06 XIFENFEI.DBMS_SYSTEM_INTERNAL 2019-10-21 15:49:06 XIFENFEI.DBMS_CORE_INTERNAL 2019-10-21 15:49:06 XIFENFEI.DBMS_CORE_INTERNAL 2019-10-21 15:49:06 12 rows selected.
证明在xifenfei和xff用户下面均已经被注入了恶意脚本(也可以通过alert日志分析出来类似结论)
生产truncate表job
SQL> select count(*) from dba_jobs; COUNT(*) ---------- 50283485 SQL> select count(job) from dba_jobs where what like '%DBMS_STANDARD_FUN9%'; 2 COUNT(JOB) ---------- 50283483
证明该库本身自带job只有2个,剩余全部是恶意脚本生成的job.
处理思路
1.保护现场:停掉监听,kill所有业务会话
2.job处理:禁止数据库启动任何job,kill已经启动job,清除异常job
begin for i in (select job from dba_jobs where what like '%DBMS_STANDARD_FUN9%' ) loop dbms_ijob.remove(i.job); commit; end loop; end; /
3. 清理恶意脚本
select 'DROP TRIGGER '||owner||'."'||TRIGGER_NAME||'";' from dba_triggers where TRIGGER_NAME like 'DBMS_%_INTERNAL% ' union all select 'DROP PROCEDURE '||owner||'."'||a.object_name||'";' from dba_procedures a where a.object_name like 'DBMS_%_INTERNAL% ';
4.分析异常表:通过查询相关视图和业务数据,分析哪些表异常,需要对其进行数据恢复(一定要确认恢复数据ok之后才能够导入,不然可能导致原环境破坏,彻底无法恢复)
再次提醒检查plsql dev工具的afterconnect.sql脚本,请从正规途径下载oracle工具和软件(警告:互联网中有oracle介质被注入恶意程序导致—ORA-600 16703)如果不幸数据库被感染此种勒索比特币事件,而且无法自行恢复的,可以联系我们给予技术支持
Phone:17813235971 Q Q:107644445 E-Mail:dba@xifenfei.com
oracle to sql 透明网络配置
一直比较抵触oracle 透明网关,最近有朋友说他们客户坚持要使用这个(不想修改程序),无奈之下进行了配置.
透明网关需求
Oracle透明网关链接sqlserver
Oracle:
OS:Red Hat Enterprise Linux Server release 6.8
DB:Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 – 64bit
Ip:192.168.222.11
Sqlserver
OS:windows server 2003 x86
DB:sqlserver2005
IP:192.168.222.1
实例名称:MSSQLSERVER
指向的DB:xifenfei
安装 Gateway软件
使用oracle用户安装,并且使用空目录(不建议使用oracle_home目录)
配置oracle_base和oracle_home
ORACLE_BASE=/u01/app/oracle
ORACLE_HOME=/u01/app/oracle/product/11.2.0/wangguan
配置Gateway数据库连接信息
[oracle@ora11g admin]$ pwd /u01/app/oracle/product/11.2.0/wangguan/dg4msql/admin [oracle@ora11g admin]$ cat initdg4msql.ora # This is a customized agent init file that contains the HS parameters # that are needed for the Database Gateway for Microsoft SQL Server # # HS init parameters # HS_FDS_CONNECT_INFO=[192.168.222.1]:1433//xifenfei # alternate connect format is hostname/serverinstance/databasename HS_FDS_TRACE_LEVEL=OFF HS_FDS_RECOVERY_ACCOUNT=RECOVER HS_FDS_RECOVERY_PWD=RECOVER
配置Gateway监听配置
[oracle@ora11g admin]$ pwd /u01/app/oracle/product/11.2.0/wangguan/network/admin [oracle@ora11g admin]$ cat listener.ora # Generated by Oracle configuration tools. LISTENERSQL = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = ora11g)(PORT = 1522)) (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1522)) ) ) SID_LIST_LISTENERSQL = (SID_LIST = (SID_DESC= (SID_NAME = dg4msql) (ORACLE_HOME = /u01/app/oracle/product/11.2.0/wangguan) (PROGRAM = dg4msql) ) ) ADR_BASE_LISTENERSQL = /u01/app/oracle
配置Gateway tns信息
在oracle数据库的oracle_home中配置,如果有设置tns_admin,在该目录下处理
[oracle@ora11g admin]$ pwd /u01/app/oracle/product/11.2.0/db_1/network/admin [oracle@ora11g admin]$ cat tnsnames.ora # Generated by Oracle configuration tools. tomssql = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.222.11)(PORT = 1522)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = dg4msql) ) (HS = OK) ) [oracle@ora11g admin]$ tnsping tomssql TNS Ping Utility for Linux: Version 11.2.0.4.0 - Production on 09-JAN-2020 09:10:06 Copyright (c) 1997, 2013, Oracle. All rights reserved. Used parameter files: /u01/app/oracle/product/11.2.0/db_1/network/admin/sqlnet.ora Used TNSNAMES adapter to resolve the alias Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.222.11)(PORT = 1522)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = dg4msql)) (HS = OK)) OK (20 msec)
创建dblink to sql
SQL> create public database link to_sql2012 connect to sa identified by "sa" using 'tomssql'; Database link created.
oracle 通过gateway查询
至此oracle to sql server Gateway 配置成功.如果需要配置多个$ORACLE_HOME/dg4msql/admin/init网关SID.ora文件并新增多个静态监听和tns指向网关SID即可
ORACLE中比较常见的一些错误的解释
ORA-1578 | ORA-1578 The data block indicated was corrupt. This was a physical corruption, also called a media corruption. The cause is unknown but is most likely external to the database. If ORA-26040 is also signaled, the corruption is due to NOLOGGING or UNRECOVERABLE operations. |
ORA-1410 | This error is raised when an operation refers to a ROWID in a table for which there is no such row. The reference to a ROWID may be implicit from a WHERE CURRENT OF clause or directly from a WHERE ROWID=… clause. ORA-1410 indicates the ROWID is for a BLOCK that is not part of this table. |
ORA-8103 | The object has been deleted by another user since the operation began; example: another session truncated or dropped the segment while the SQL statement was still active. If the error is reproducible, following may be the reasons: a.) The header block has an invalid block type. b.) The data_object_id (seg/obj) stored in the block is different than the data_object_id stored in the segment header. See dba_objects.data_object_id and compare it to the decimal value stored in the block (field seg/obj). |
ORA-8102 | An ORA-08102 indicates that there is a mismatch between the key(s) stored in the index and the values stored in the table. What typically happens is the index is built and at some future time, some type of corruption occurs, either in the table or index, to cause the mismatch. |
ORA-1498 | Generally this is a result of an ANALYZE … VALIDATE … command. This error generally manifests itself when there is inconsistency in the data/Index block. Some of the block check errors that may be found:- a.) Row locked by a non-existent transaction b.) The amount of space used is not equal to block size c.) Transaction header lock count mismatch. While support are processing the tracefile it may be worth the re-running the ANALYZE after restarting the database to help show if the corruption is consistent or if it ‘moves’. Send the tracefile to support for analysis. If the ANALYZE was against an index you should check the whole object. Eg: Find the tablename and execute: ANALYZE TABLE xxx VALIDATE STRUCTURE CASCADE; |
ORA-1499 | An error occurred when validating an index or a table using the ANALYZE command. One or more entries does not point to the appropriate cross-reference. |
ORA-752 | Media recovery detected a lost write of a data block. A data block write to storage was lost during normal database operation on the primary database. |
ORA-26040 | Trying to access data in block that was loaded without redo generation using the NOLOGGING/UNRECOVERABLE option. This Error raises always together with ORA-1578 |
ORA-600 [12700] | Oracle is trying to access a row using its ROWID, which has been obtained from an index. A mismatch was found between the index rowid and the data block it is pointing to. The rowid points to a non-existent row in the data block. The corruption can be in data and/or index blocks. ORA-600 [12700] can also be reported due to a consistent read (CR) problem. |
ORA-600 [3020] | This is called a ‘STUCK RECOVERY’. There is an inconsistency between the information stored in the redo and the information stored in a database block being recovered.This error indicates a lost write or a lost change in the database |
ORA-600 [4194] | A mismatch has been detected between Redo records and rollback (Undo) records. Oracle is validating the Undo record number relating to the change being applied against the maximum undo record number recorded in the undo block. This error is reported when the validation fails. |
ORA-600 [4193] | A mismatch has been detected between Redo records and Rollback (Undo) records. Oracle is validating the Undo block sequence number in the undo block against the Redo block sequence number relating to the change being applied. This error is reported when this validation fails. |
ORA-600 [4137] | While backing out an undo record (i.e. at the time of rollback) Oracle found a transaction id mismatch indicating either a corruption in the rollback segment or corruption in an object which the rollback segment is trying to apply undo records on. This would indicate a corrupted rollback segment. |
ORA-600 [6101] | Not enough free space was found when inserting a row into an index leaf block during the application of undo. |
ORA-600 [2103] | Oracle is attempting to read or update a generic entry in the control file. If the entry number is invalid, ORA-600 [2130] is logged. |
ORA-600 [4512] | Oracle is checking the status of transaction locks within a block. If the lock number is greater than the number of lock entries, ORA-600 [4512] is reported followed by a stack trace, process state and block dump. This error possibly indicates a block corruption. |
ORA-600 [2662] | A data block SCN is ahead of the current SCN. The ORA-600 [2662] occurs when an SCN is compared to the dependent SCN identified by the process that is normally close to the database scn. If the SCN is less than the dependent SCN then ORA-600 [2662] is signaled. |
ORA-600 [4097] | Oracle is accessing a rollback segment header to review if a transaction has been committed. However, the xid given is in the future of the transaction table. This could be due to a rollback segment corruption issue. |
ORA-600 [4000] | It means that Oracle has tried to find an undo segment number in the data dictionary and this undo segment number was not found. |
ORA-600 [6006] | Oracle is undoing an index leaf key operation. If the key is not found, ORA-00600 [6006] is logged. ORA-600[6006] is usually caused by a media corruption problem related to either a lost write to disk or a corruption on disk. |
ORA-600 [4552] | This assertion is raised because Oracle is trying to unlock the rows in a block, but receive an incorrect block type. The second argument is the block type received. |
ORA-600[6856] | Oracle is checking that the row slot that is about to be freed is not already on the free list. This internal error is raised when this check fails. |
ORA-600[13011] | During a delete operation Oracle is deleting from a view via an instead-of trigger or an Index organized table and have exceeded a 5000 pass count |
ORA-600[13013] | During the execution of an UPDATE statement, after several attempts (Arg [a] passcount) Oracle is unable to get a stable set of rows that conform to the WHERE clause. |
ORA-600[13030] | |
ORA-600[25012] | Oracle is trying to generate the absolute file number given a tablespace number and relative file number and cannot find a matching file number or the file number is zero. |
ORA-600[25026] | Looking up/checking a tablespace invalid tablespace ID and/or rdba found |
ORA-600[25027] | Invalid tsn and/or rfn found |
ORA-600 [kcbz_check_objd_typ_3] | An object block buffer in memory is checked and is found to have the wrong object id. This is most likely due to corruption. |
ORA-600[kddummy_blkchk] ORA-600[kdblkcheckerror] | ORA-600 [kddummy_blkchk] is for 10g and ORA-600[kdblkcheckerror] for 11g onward. This error reports a Logical Block Corruption |
ORA-600[ktadrprc-1] | Orphan segment or invalid rdba in Index,Table,Partition etc. Example: An entry in sys.ind$ does not exist in sys.seg$Note 136697.1 : “hcheck.sql” Script to Check for Known Problems in Oracle8i, Oracle9i, Oracle10g, Oracle 11g and Oracle 12c |
ORA-600[ktsircinfo_num1] | This exception occurs when there are problems obtaining the row cache information correctly from sys.seg$. In most cases there is no information in sys.seg$.Note 136697.1 : “hcheck.sql” Script to Check for Known Problems in Oracle8i, Oracle9i, Oracle10g, Oracle 11g and Oracle 12c |
ORA-600[qertbfetchbyrowid] | This error might be that a row was not found in an Index. Perform the check in section “Identify TABLE / INDEX Mismatch” in:Note 836658.1 : Identify the Corruption Extension for Block Corruption, Table/Index Inconsistency, Data Dictionary and Lost Writes |
ORA-600[ktbdchk1-bad dscn] | This exception is raised when Oracle is performing a sanity check on the dependent SCN and fail. The dependent scn is greater than the current scn. |
因为篇章问题,无法详细描述,如果需要深入了解的,可以单独进行沟通
发表在 Oracle
评论关闭