Author archive: 惜分飞

Avaddon ransomware database recovery

A friend asked me to recover an Oracle database that had been encrypted. The encrypted files were:
[screenshot: 20210505193114]


Contents of the read.txt file:

-------===    Your network has been infected!    ===-------

*****************DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED*****************

All your documents, photos, databases and other important
files have been encrypted and have the extension: .BCdadccBEA

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software.
Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach
on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
|  1. Download Tor browser - https://www.torproject.org/
|
|  2. Install Tor browser
|
|  3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
|  4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------

MjQ4Ni1VeE5hL2hSVzJVeXU0Wm1CeHhhdDFLUDVGWTlqMnJFekZlczd3NlVFdnBROHYz…………

--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!

* DO NOT MODIFY ENCRYPTED FILES!

* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

YHSKC2aqLa0A1xzn

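Low-level analysis of the corrupted blocks confirmed that only the 127 blocks at the head of each file had been damaged.
[screenshot: 20210505192823]
Because the customer runs a 10g release, it was not possible to open the database directly and then export the data with expdp/exp. Using low-level techniques, the data was recovered directly into a new database, and the non-table objects (indexes, views, procedures, sequences, etc.) were then handled. This recovered as much of the customer's data as possible and minimized the customer's work of consolidating the data.
[screenshot: 20210505194153]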
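An added example, not part of the original post and not the author's own method (which the page does not describe): a per-block entropy scan that estimates how far encryption reaches into a datafile, the kind of check that would show a damaged head such as the 127 blocks found here. The 8 KB block size, the 7.5 bits/byte threshold, and the sample image returned by build_sample() are assumptions constructed for illustration.

```python
import hashlib
import math

BLOCK_SIZE = 8192   # assumption: 8 KB db_block_size; the page does not state it
THRESHOLD = 7.5     # assumption: bits/byte at or above which a block is flagged


def entropy(buf: bytes) -> float:
    """Shannon entropy of buf in bits per byte (0.0 to 8.0)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Indexes of blocks whose entropy is at or above THRESHOLD."""
    return [off // block_size
            for off in range(0, len(data), block_size)
            if entropy(data[off:off + block_size]) >= THRESHOLD]


def damaged_prefix(blocks: list) -> int:
    """Length of the contiguous run of flagged blocks starting at block 0."""
    n = 0
    for idx in blocks:
        if idx != n:
            break
        n += 1
    return n


def build_sample(encrypted: int = 127, intact: int = 40) -> bytes:
    """Constructed test image: pseudo-random head, low-entropy row-like tail."""
    head = b"".join(hashlib.shake_256(b"blk%d" % i).digest(BLOCK_SIZE)
                    for i in range(encrypted))
    row = b"HCP|HR_ADJ_SAL_CONFIRM|0000000000|\x00\x00\x00\x00"
    tail = (row * (BLOCK_SIZE // len(row) + 1))[:BLOCK_SIZE] * intact
    return head + tail


if __name__ == "__main__":
    flagged = high_entropy_blocks(build_sample())
    print("flagged blocks:", len(flagged), "damaged prefix:", damaged_prefix(flagged))
```

Compressed or TDE-encrypted data also scores close to 8 bits/byte, so run this against a working copy of a plain datafile and treat the result as a first estimate of the damaged range.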



expdp reports ORA-39064 and ORA-29285 errors

While exporting data with expdp, ORA-39064 and ORA-29285 errors were raised, leaving the Data Pump logfile incomplete:

. . 导出了 "HCP"."HR_ADJ_SAL_ADV_SETUP_M"                  0 KB       0 行
ORA-39064: 无法写入日志文件
ORA-29285: 文件写入错误
. . 导出了 "HCP"."HR_ADJ_SAL_CONFIRM"                      0 KB       0 行

Query the database NLS_CHARACTERSET:

SQL> select NAME, value$ from props$ where name like 'NLS_CHARACTERSET';

NAME
------------------------------
VALUE$
--------------------------------------------------------------------------------
NLS_CHARACTERSET
UTF8

Check the client character set:


SQL> select userenv('language') from dual;

USERENV('LANGUAGE')
--------------------------------------------------------------------------------
SIMPLIFIED CHINESE_CHINA.ZHS16GBK

This problem occurs because expdp itself calls UTL_FILE. The Oracle Database PL/SQL Packages and Types Reference states: "When data encoded in one character set is read and Globalization Support is told (such as by means of NLS_LANG) that it is encoded in another character set, the result is indeterminate. If NLS_LANG is set, it should be the same as the database character set."
Given this, setting NLS_LANG so that the client character set matches the server's avoids the problem.


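ORA-600 2662 and ORA-600 kclchkblk_4 recovery

Over the past two days I handled two cases back to back. The first was a 12.1.0.2 database that reported an ORA-600 2662 failure after consistency checks were bypassed and the database was force-opened.
[screenshot: 20210429220218]

This error is itself very common and can be resolved simply by advancing the SCN. The problem is that on 12.1.0.2 Oracle no longer permits the previously routine methods; even oradebug fails (see "Resolving oradebug poke ORA-32521/ORA-32519 failures"). The environment is also RAC, so modifying the file headers with bbed is quite troublesome as well. In the end we resolved it easily with the patch method.

The other case was an 11.2.0.4 database, where force-opening the database reported ORA-600 kclchkblk_4: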

Wed Apr 28 21:25:38 2021
SMON: enabling cache recovery
Instance recovery: looking for dead threads
Instance recovery: lock domain invalid but no dead threads
Errors in file /u01/app/oracle/diag/rdbms/dc/dc1/trace/dc1_ora_27832.trc  (incident=564430):
ORA-00600: internal error code, arguments: [kclchkblk_4], [2959], [904341694], [2959], [904131717], []
Incident details in: /u01/app/oracle/diag/rdbms/dc/dc1/incident/incdir_564430/dc1_ora_27832_i564430.trc
Use ADRCI or Support Workbench to package the incident.
See Note 411.1 at My Oracle Support for error and packaging details.
Errors in file /u01/app/oracle/diag/rdbms/dc/dc1/trace/dc1_ora_27832.trc:
ORA-00704: bootstrap process failure
ORA-00704: bootstrap process failure
ORA-00600: internal error code, arguments: [kclchkblk_4], [2959], [904341694], [2959], [904131717], []
Errors in file /u01/app/oracle/diag/rdbms/dc/dc1/trace/dc1_ora_27832.trc:
ORA-00704: bootstrap process failure
ORA-00704: bootstrap process failure
ORA-00600: internal error code, arguments: [kclchkblk_4], [2959], [904341694], [2959], [904131717], []
Error 704 happened during db open, shutting down database
USER (ospid: 27832): terminating the instance due to error 704
Instance terminated by USER, pid = 27832
ORA-1092 signalled during: alter database open resetlogs...

This one is relatively simple; see "Redo anomaly: ORA-600 kclchkblk_4 failure recovery".
