标签归档:oracle勒索

.pzpq扩展名勒索恢复

发表于 2025 年 1 月 13 日 惜分飞

有一个10g的库,数据库被勒索病毒加密扩展名为:.email=[biobiorans@gmail.com]id=[f5657ac3dc58dc8c].biobio.[backups@airmail.cc].pzpq
pzpq

#Read-for-recovery.txt文件中内容

Email 1: 
backups@airmail.cc

Email 2: 
hero77@cock.li

Send messages to both emails at the same time 

So send messages to our emails, check your spam folder every few hours 

ID: E3DxxxxxxxxxxxxxxxDBB73

If you do not receive a response from us after 24 hours, create a valid email, for example, gmail,outlook 
Then send us a message with a new email

通过底层对数据库block进行分析,确认损坏的block情况为,头部损坏16个block,中间16个block,尾部16个block
QQ20250113-214706

通过Oracle数据文件勒索加密恢复工具,实现快速恢复
QQ20250113-220625
然后尝试打开数据库报ORA-600 4193错误

un Jan 12 22:35:09 2025
ALTER DATABASE OPEN
Sun Jan 12 22:35:10 2025
Thread 1 opened at log sequence 4
  Current log# 3 seq# 4 mem# 0: D:\ORCL\REDO03.LOG
Successful open of redo thread 1
Sun Jan 12 22:35:10 2025
MTTR advisory is disabled because FAST_START_MTTR_TARGET is not set
Sun Jan 12 22:35:10 2025
SMON: enabling cache recovery
Sun Jan 12 22:35:10 2025
Errors in file d:\oracle\product\10.2.0.3\admin\orcl\udump\norcl_ora_2796.trc:
ORA-00600: internal error code, arguments: [4193], [58], [52], [], [], [], [], []

Sun Jan 12 22:35:11 2025
Doing block recovery for file 1 block 404
Block recovery from logseq 4, block 73424 to scn 137439548723
Sun Jan 12 22:35:11 2025
Recovery of Online Redo Log: Thread 1 Group 3 Seq 4 Reading mem 0
  Mem# 0: D:\ORCL\REDO03.LOG
Block recovery stopped at EOT rba 4.73426.16
Block recovery completed at rba 4.73426.16, scn 32.595250
Doing block recovery for file 1 block 9
Block recovery from logseq 4, block 73424 to scn 137439548721
Sun Jan 12 22:35:11 2025
Recovery of Online Redo Log: Thread 1 Group 3 Seq 4 Reading mem 0
  Mem# 0: D:\ORCL\REDO03.LOG
Block recovery completed at rba 4.73426.16, scn 32.595250
Sun Jan 12 22:35:11 2025
Errors in file d:\oracle\product\10.2.0.3\admin\orcl\udump\norcl_ora_2796.trc:
ORA-00604: error occurred at recursive SQL level 1
ORA-00607: Internal error occurred while making a change to a data block
ORA-00600: internal error code, arguments: [4193], [58], [52], [], [], [], [], []

Error 604 happened during db open, shutting down database
USER: terminating instance due to error 604
Sun Jan 12 22:35:11 2025
Errors in file d:\oracle\product\10.2.0.3\admin\orcl\bdump\norcl_pmon_2168.trc:
ORA-00604: error occurred at recursive SQL level 

Sun Jan 12 22:35:12 2025
Errors in file d:\oracle\product\10.2.0.3\admin\orcl\bdump\norcl_reco_2688.trc:
ORA-00604: error occurred at recursive SQL level 

Sun Jan 12 22:35:12 2025
Errors in file d:\oracle\product\10.2.0.3\admin\orcl\bdump\norcl_smon_2332.trc:
ORA-00604: error occurred at recursive SQL level 

Sun Jan 12 22:35:12 2025
Errors in file d:\oracle\product\10.2.0.3\admin\orcl\bdump\norcl_ckpt_2600.trc:
ORA-00604: error occurred at recursive SQL level 

Sun Jan 12 22:35:12 2025
Errors in file d:\oracle\product\10.2.0.3\admin\orcl\bdump\norcl_lgwr_2672.trc:
ORA-00604: error occurred at recursive SQL level 

Sun Jan 12 22:35:12 2025
Errors in file d:\oracle\product\10.2.0.3\admin\orcl\bdump\norcl_dbw0_1344.trc:
ORA-00604: error occurred at recursive SQL level 

Sun Jan 12 22:35:12 2025
Errors in file d:\oracle\product\10.2.0.3\admin\orcl\bdump\norcl_mman_2828.trc:
ORA-00604: error occurred at recursive SQL level 

Sun Jan 12 22:35:12 2025
Errors in file d:\oracle\product\10.2.0.3\admin\orcl\bdump\norcl_psp0_2324.trc:
ORA-00604: error occurred at recursive SQL level 

Instance terminated by USER, pid = 2796
ORA-1092 signalled during: ALTER DATABASE OPEN...

通过分析trace,确认是系统回滚段的free block pool异常,使用bbed进行修复

BBED> clean free_block_pool
Clean free block pool completed.you can use dump to verify the data, then can us
e sum apply command to save data.
BBED> sum apply

Warning: apply the modified data will overwrite original data.
Would you like to continue? (y/n)
y

Old checksum value: 0xf2c0
New checksum value: 0xf315
Writing block has completed

BBED>

open数据库成功,然后安排导出数据即可
QQ20250113-222649

对于类似这种被加密的勒索的数据文件,我们可以实现比较好的恢复效果,如果此类的数据库(oracle,mysql,sql server)等被加密,需要专业恢复技术支持,请联系我们:
电话/微信:17813235971    Q Q:107644445QQ咨询惜分飞    E-Mail:dba@xifenfei.com
系统安全防护措施建议:
1.多台机器,不要使用相同的账号和口令
2.登录口令要有足够的长度和复杂性,并定期更换登录口令
3.重要资料的共享文件夹应设置访问权限控制,并进行定期备份
4.定期检测系统和软件中的安全漏洞,及时打上补丁。
5.定期到服务器检查是否存在异常。
6.安装安全防护软件,并确保其正常运行。
7.从正规渠道下载安装软件。
8.对不熟悉的软件,如果已经被杀毒软件拦截查杀,不要添加信任继续运行。
9.保存良好的备份习惯,尽量做到每日备份,异地备份。

发表在 勒索恢复 | 标签为 , , , , , , | 评论关闭

[back2023@proxy.tg].eking勒索数据库恢复

发表于 2022 年 4 月 7 日 惜分飞

有客户文件系统被勒索加密,被加密扩展名为.id[F494A52E-3009].[back2023@proxy.tg].eking
20220407141052

通过分析损坏情况,确认每个文件被加密破坏192个block
20220407141224
通过自研的数据库恢复工具对于损坏的数据进行修复
20220406134615
实现数据库直接open,并顺利导出数据,实现业务完美恢复
20220406190629
对于类似这种被加密的勒索的数据文件,我们可以实现比较好的恢复效果,如果此类的数据库(oracle,mysql,sql server)等被加密,需要专业恢复技术支持,请联系我们:
电话/微信:17813235971    Q Q:107644445QQ咨询惜分飞    E-Mail:dba@xifenfei.com
系统安全防护措施建议:
1.多台机器,不要使用相同的账号和口令
2.登录口令要有足够的长度和复杂性,并定期更换登录口令
3.重要资料的共享文件夹应设置访问权限控制,并进行定期备份
4.定期检测系统和软件中的安全漏洞,及时打上补丁。
5.定期到服务器检查是否存在异常。
6.安装安全防护软件,并确保其正常运行。
7.从正规渠道下载安装软件。
8.对不熟悉的软件,如果已经被杀毒软件拦截查杀,不要添加信任继续运行。
9.保存良好的备份习惯,尽量做到每日备份,异地备份。

发表在 勒索恢复 | 标签为 , , , , | 评论关闭

.makop加密数据库恢复

发表于 2021 年 11 月 24 日 惜分飞

接到一起sql server数据库被勒索病毒加密恢复请求
20211124162221

通过分析,数据库加密损坏部分较少,可以对其进行恢复
20211124163701
通过技术处理,表数据正常恢复
20211124164656
如果此类的数据库(oracle,mysql,sql server)等被加密,需要专业恢复技术支持,请联系我们:
电话/微信:17813235971    Q Q:107644445QQ咨询惜分飞    E-Mail:dba@xifenfei.com

发表在 勒索恢复 | 标签为 , , , , , | 评论关闭