Recovering a database encrypted by .eking ransomware

We received a recovery request from a client whose Oracle data files had been encrypted. The files were renamed with the extension .id[76B8C076-3009].[decrypt20@firemail.cc].eking. Low-level analysis of the files confirmed that the encryption had damaged only a small part of each file.


The data files were repaired with our in-house tool.

The database then opened normally, and the data was exported with exp.

If a database of this kind (Oracle, MySQL, SQL Server, etc.) has been encrypted and you need professional recovery support, contact us:
Phone/WeChat: 17813235971    QQ: 107644445    E-Mail: dba@xifenfei.com

Posted in: Ransomware Recovery

Analysis of a slow "sqlplus / as sysdba" login on 19c

Logging in with sqlplus / as sysdba was extremely slow:

[oracle@xifenfei trace]$ date
Fri Oct 29 00:04:27 CST 2021
[oracle@xifenfei trace]$ sqlplus / as sysdba<< EOF
> exit;
> EOF

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Oct 29 00:04:28 2021
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.



Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL> Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
[oracle@xifenfei trace]$ date
Fri Oct 29 00:04:49 CST 2021

A plain sqlplus login followed by exit took 22 seconds, which is severely slow. Tracing the process with strace showed it connecting to the following two IP addresses; the connection to 10.11.0.41 was very slow while 10.13.0.41 answered quickly, and since both connections go to port 53 they were judged to be DNS servers:

connect(9, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.13.0.41")}, 16) = 0

connect(12, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.11.0.41")}, 16) = 0

Further checking confirmed that these are exactly the DNS servers configured on this server:

[root@xifenfei ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.13.0.41
nameserver 10.11.0.41

Connectivity to both IPs was then tested:

[root@xifenfei ~]# ping 10.13.0.41
PING 10.13.0.41 (10.13.0.41) 56(84) bytes of data.
64 bytes from 10.13.0.41: icmp_seq=1 ttl=126 time=0.616 ms
^C
--- 10.13.0.41 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.616/0.616/0.616/0.000 ms
[root@xifenfei ~]# ping  10.11.0.41
PING 10.11.0.41 (10.11.0.41) 56(84) bytes of data.
^C
--- 10.11.0.41 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2063ms

[root@xifenfei ~]# 

This confirms that 10.11.0.41 is unreachable. The quickest fix for this kind of problem is to remove the unusable DNS server from the configuration, then measure the login and exit time again:

[oracle@xifenfei trace]$ date
Fri Oct 29 00:21:12 CST 2021
[oracle@xifenfei trace]$ sqlplus / as sysdba<< EOF
> exit;
> EOF

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Oct 29 00:21:12 2021
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

date

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL> Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
[oracle@xifenfei trace]$ date
Fri Oct 29 00:21:13 CST 2021

After removing the unusable DNS server IP, the same test takes 1 second and login is back to normal.
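The check performed above by hand (read the nameservers from resolv.conf, probe each one, drop the dead one) can be scripted so it runs before anyone blames the database. The following is an added example, not a script from the original post: the resolv.conf text is a constructed sample with the same two entries as shown above, the ICMP probe assumes Linux iputils `ping` (the `-W` deadline flag), and the probe function is injectable so the logic can be exercised without a network.

```sh
#!/bin/sh
# Detect unreachable nameservers in a resolv.conf-style file.
# Added example (not from the original post). Assumes Linux iputils ping for -W.

# Constructed sample with the same entries the post found on the server.
RESOLV_SAMPLE='# Generated by NetworkManager
nameserver 10.13.0.41
nameserver 10.11.0.41'

# Print the nameserver IPs found on stdin, one per line (comments are skipped
# because their first field is "#", not "nameserver").
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Default probe: one ICMP echo with a 1-second deadline. Returns non-zero on
# no reply, which is the symptom the post observed for 10.11.0.41.
probe_icmp() {
    ping -c 1 -W 1 "$1" >/dev/null 2>&1
}

# find_dead_nameservers FILE [PROBE]
# Prints "OK <ip>" or "DEAD <ip>" for every nameserver in FILE and returns 1
# if at least one nameserver failed the probe, 0 otherwise.
find_dead_nameservers() {
    file=$1
    probe=${2:-probe_icmp}
    dead=0
    for ns in $(list_nameservers < "$file"); do
        if "$probe" "$ns"; then
            echo "OK   $ns"
        else
            echo "DEAD $ns"
            dead=$((dead + 1))
        fi
    done
    [ "$dead" -eq 0 ]
}

# Run against a real file only when invoked as: sh check_dns.sh --run [FILE]
if [ "${1:-}" = "--run" ]; then
    find_dead_nameservers "${2:-/etc/resolv.conf}"
fi
```

A "DEAD" entry is the condition to fix by removing that nameserver, as the post did. Where the server cannot be removed immediately, glibc's resolver honours `options timeout:1 attempts:1` in resolv.conf, which bounds how long each lookup waits on an unresponsive server; the resolver still tries the dead server first for every query, so removal remains the real fix.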

Posted in: ORACLE 19C

Several recent ransomware variants that encrypt databases can be recovered almost completely

Recently several people have asked us about a few ransomware variants that encrypt Oracle databases. In every case we were able to repair the files with our tools so that the database opens directly and the data can be exported with exp/expdp, giving a near-complete recovery that the business verified directly. This is far better than pulling data out of the damaged files with generic extraction tools. Examples of such variants:
.id[A6B00388-2930].[Ransomwaree2020@cock.li].eking


.id[BCD26C0D-3009].[decrypt20@firemail.cc].eking

.hospitalhelper.17E-D66-320

For ransomware like this, we can repair the files with our tools so that the database opens directly.

If a database of this kind (Oracle, MySQL, SQL Server, etc.) has been encrypted and you need professional recovery support, contact us:
Phone/WeChat: 17813235971    QQ: 107644445    E-Mail: dba@xifenfei.com

Posted in: Ransomware Recovery