We received a recovery request from a customer whose Oracle datafiles had been encrypted by ransomware. The files had been renamed with the extension .id[76B8C076-3009].[decrypt20@firemail.cc].eking. Low-level analysis of the files confirmed that the encryption had damaged only a small part of each datafile.
The datafiles were repaired with our in-house tool.

The database was then opened normally and the data exported with exp.
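The post says that low-level analysis showed the ransomware had touched only a small part of each datafile, which is what makes the repair-and-open approach possible. The script below is an added example, not the author's recovery tool: it walks a file in 8 KiB blocks (Oracle's default DB_BLOCK_SIZE; the size is a parameter), flags blocks whose Shannon entropy looks like ciphertext, and reports the damaged ranges, so you can quantify how much of a datafile is actually encrypted before deciding on a repair strategy. The 7.5 bits/byte threshold and the constructed sample file (64 blocks of repetitive row data with the first four blocks overwritten by pseudo-random bytes, mimicking a head-only encryption pass) are assumptions for illustration.

```python
"""
Added example (not the author's tool): block-wise entropy triage of a datafile
to locate the blocks a ransomware pass actually overwrote.
"""
from __future__ import annotations

import math
import random
from collections import Counter

BLOCK_SIZE = 8192          # Oracle default DB_BLOCK_SIZE; use 16384/32768 for such tablespaces
ENTROPY_THRESHOLD = 7.5    # bits per byte; ciphertext and compressed data sit close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def encrypted_block_map(data: bytes, block_size: int = BLOCK_SIZE,
                        threshold: float = ENTROPY_THRESHOLD) -> list[bool]:
    """One flag per block: True when the block's entropy looks like ciphertext."""
    return [shannon_entropy(data[off:off + block_size]) >= threshold
            for off in range(0, len(data), block_size)]


def damaged_ranges(flags: list[bool]) -> list[tuple[int, int]]:
    """Collapse the per-block flags into (first_block, last_block) runs."""
    ranges: list[tuple[int, int]] = []
    start = None
    for i, damaged in enumerate(flags):
        if damaged and start is None:
            start = i
        elif not damaged and start is not None:
            ranges.append((start, i - 1))
            start = None
    if start is not None:
        ranges.append((start, len(flags) - 1))
    return ranges


def triage(data: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Summary a recovery engineer wants first: how many blocks, which ones, what share."""
    flags = encrypted_block_map(data, block_size)
    damaged = sum(flags)
    return {
        "blocks": len(flags),
        "damaged_blocks": damaged,
        "damaged_ranges": damaged_ranges(flags),
        "damaged_pct": round(100.0 * damaged / len(flags), 2) if flags else 0.0,
    }


def build_sample_file(seed: int = 1) -> bytes:
    """Constructed sample, not a real datafile: 64 low-entropy 'row data' blocks,
    the first 4 overwritten with pseudo-random bytes (head-only encryption)."""
    rng = random.Random(seed)
    plain_block = (b"ROW" + b"\x00" * 5) * (BLOCK_SIZE // 8)
    blocks = [plain_block] * 64
    for i in range(4):
        blocks[i] = bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))
    return b"".join(blocks)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:   # e.g. an encrypted *.eking datafile
            payload = f.read()
    else:
        payload = build_sample_file()
    print(triage(payload))
```

Run it against the renamed datafile to see whether the damage is a contiguous run at the head of the file (the common pattern for families that only encrypt the first part of large files) or scattered across it; the two cases need different repair strategies. Entropy is a triage signal, not proof: blocks in TDE-encrypted or compressed tablespaces and LOB segments holding compressed content also score near 8 bits/byte, so compare the map against a known-good datafile of the same tablespace, and validate the repaired file with Oracle's own dbv (DBVERIFY) before opening the database.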

If a database of this kind (Oracle, MySQL, SQL Server, etc.) has been encrypted and you need professional recovery support, contact us:
Phone/WeChat: 17813235971  QQ: 107644445

sqlplus / as sysdba login is very slow
[oracle@xifenfei trace]$ date
Fri Oct 29 00:04:27 CST 2021
[oracle@xifenfei trace]$ sqlplus / as sysdba<< EOF
> exit;
> EOF
SQL*Plus: Release 19.0.0.0.0 - Production on Fri Oct 29 00:04:28 2021
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle.  All rights reserved.
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL> Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
[oracle@xifenfei trace]$ date
Fri Oct 29 00:04:49 CST 2021
A simple sqlplus login followed by an immediate exit took 22 seconds (00:04:27 to 00:04:49), which is severely slow. Tracing the process with strace showed it connecting to the following two IPs; the connection to 10.11.0.41 was very slow while 10.13.0.41 answered quickly, and since both are contacted on port 53 they are most likely the DNS servers:
connect(9, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.13.0.41")}, 16) = 0
connect(12, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.11.0.41")}, 16) = 0
Further checking confirmed that these are the DNS servers configured on this host:
[root@xifenfei ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.13.0.41
nameserver 10.11.0.41
Test connectivity to the two IPs:
[root@xifenfei ~]# ping 10.13.0.41
PING 10.13.0.41 (10.13.0.41) 56(84) bytes of data.
64 bytes from 10.13.0.41: icmp_seq=1 ttl=126 time=0.616 ms
^C
--- 10.13.0.41 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.616/0.616/0.616/0.000 ms
[root@xifenfei ~]# ping 10.11.0.41
PING 10.11.0.41 (10.11.0.41) 56(84) bytes of data.
^C
--- 10.11.0.41 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2063ms
[root@xifenfei ~]#
This confirms that 10.11.0.41 is unreachable. For this kind of problem the quickest fix is to remove the unusable DNS server from the configuration, then time the login and exit again:
[oracle@xifenfei trace]$ date
Fri Oct 29 00:21:12 CST 2021
[oracle@xifenfei trace]$ sqlplus / as sysdba<< EOF
> exit;
> EOF
SQL*Plus: Release 19.0.0.0.0 - Production on Fri Oct 29 00:21:12 2021
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle.  All rights reserved.
date
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL> Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
[oracle@xifenfei trace]$ date
Fri Oct 29 00:21:13 CST 2021
With the unreachable DNS server removed, the same login and exit takes about 1 second, which is back to normal. Note that this resolv.conf is generated by NetworkManager (see its header comment), so the dead server must also be removed from the connection profile, otherwise the file will be regenerated with the old entry.
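The diagnosis above (strace shows port 53, resolv.conf lists two nameservers, ping shows one of them dead) can be automated so the check is repeatable on every database host. The script below is an added example and not part of the original post: it parses a resolv.conf, sends a real minimal DNS query to each nameserver on UDP/53 under a 2-second timeout (a reply with the matching transaction id counts as alive, even NXDOMAIN or REFUSED, because the login delay comes from timeouts rather than from answer content), and produces a resolv.conf that keeps only the servers that answered, preserving any search/options lines. The probe name "localhost", the timeout value and the embedded sample resolv.conf (constructed to mirror the one shown above) are assumptions for illustration; the probe function is injectable so the logic can be tested offline.

```python
"""
Added example (not from the original post): probe every nameserver in a
resolv.conf with a real DNS query and drop the ones that do not answer.
"""
from __future__ import annotations

import random
import socket
import struct
import sys

PROBE_NAME = "localhost"   # any name will do; we only test whether the server replies at all
PROBE_TIMEOUT = 2.0        # seconds; a dead server costs the resolver far more than this per lookup

# Constructed sample mirroring the host in the post; not the real file.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
nameserver 10.13.0.41
nameserver 10.11.0.41
"""


def parse_resolv_conf(text: str) -> list[str]:
    """Return the nameserver addresses, ignoring comments and other directives."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: 12-byte header, one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def probe_udp53(server: str, timeout: float = PROBE_TIMEOUT) -> bool:
    """True if the server returns any DNS message carrying our transaction id."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(PROBE_NAME, txid), (server, 53))
            data, _ = s.recvfrom(512)
        except OSError:              # timeout, ICMP unreachable, no route
            return False
    return len(data) >= 12 and struct.unpack("!H", data[:2])[0] == txid


def prune_dead_nameservers(text: str, probe=probe_udp53) -> tuple[str, list[str]]:
    """Return (new resolv.conf text, dead servers). Non-nameserver lines are kept verbatim."""
    dead, kept = [], []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver" and not probe(parts[1]):
            dead.append(parts[1])
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", dead


if __name__ == "__main__":
    # Dry run by default: print the dead servers and the proposed file, change nothing.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/resolv.conf"
    try:
        with open(path) as f:
            conf = f.read()
    except OSError:
        conf = SAMPLE_RESOLV_CONF
    new_conf, dead = prune_dead_nameservers(conf)
    print("dead nameservers:", dead or "none")
    print(new_conf, end="")
```

Removing the server is the post's fix and the right one when it is permanently gone. When the server is expected to come back, a less invasive mitigation is to cap the resolver's patience instead: glibc waits timeout:5 seconds and retries attempts:2 times per nameserver by default, so "options timeout:1 attempts:1" in resolv.conf (or in the NetworkManager profile that generates it) bounds the worst case to a couple of seconds rather than tens of seconds per lookup.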
Recently several people have asked us about Oracle databases hit by various ransomware variants. In all of these cases our tool can repair the datafiles so that the database opens directly and the data is exported with exp/expdp, giving a near-complete recovery that the business can test immediately, which is far better than the results of the various tools that extract data straight from the damaged files. Extensions we have seen include:
.id[A6B00388-2930].[Ransomwaree2020@cock.li].eking