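.faust ransomware-encrypted database recovery

Contact: phone/WeChat (+86 17813235971), QQ (107644445)

Author: 惜分飞 (xifenfei) © All rights reserved. [May not be reproduced in any form without my consent; otherwise I reserve the right to pursue legal liability.]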

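A customer's Windows server was encrypted by ransomware. It was running the Oracle database behind a Yonyou (用友) system. The ransom note gives camry2020@aol.com as the contact address.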


The encrypted data files carry a suffix of the form .DBF.id[0E564ACA-3493].[camry2020@aol.com].faust.

A check with a tool shows that only a small number of blocks were encrypted and damaged.

For damage at this level, the Oracle data file ransomware recovery tool I developed can rebuild the file header directly.

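The database can then be opened directly and the data exported, giving a near-perfect recovery (apart from actual decryption, this is the best recovery result currently available, bar none).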
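One way to run the kind of block-level damage check mentioned above, as an added example that is not the author's tool: it walks a data file image block by block and combines the Oracle block self-check (the last four bytes repeat the low 16 bits of the SCN base, the block type and the sequence byte from the header) with byte entropy to separate intact, empty and encrypted blocks. The 8 KB block size, little-endian layout, the 7.5 entropy threshold and the sample image are assumptions constructed for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

BLOCK_SIZE = 8192  # assumption: 8 KB db_block_size, little-endian platform

def entropy(buf):
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def expected_tail(block):
    """Value Oracle keeps in the last 4 bytes: SCN base low 16 bits, type, seq."""
    btype, seq = block[0], block[14]
    scn_base = struct.unpack_from("<I", block, 8)[0]
    return ((scn_base & 0xFFFF) << 16) | (btype << 8) | seq

def classify(block):
    if not any(block):
        return "empty"        # never-formatted block, nothing to recover
    if struct.unpack_from("<I", block, len(block) - 4)[0] == expected_tail(block):
        return "intact"       # header and tail still agree (checksum not verified)
    return "encrypted" if entropy(block) > 7.5 else "corrupt"

def scan(image, block_size=BLOCK_SIZE):
    """Map each state to the list of block numbers found in that state."""
    states = {}
    for off in range(0, len(image) - block_size + 1, block_size):
        state = classify(image[off:off + block_size])
        states.setdefault(state, []).append(off // block_size)
    return states

# --- constructed 6-block sample image, not data from the case above ---
def make_block(btype, rdba, scn_base, seq):
    head = struct.pack("<BBHIIHBB", btype, 0xA2, 0, rdba, scn_base, 0, seq, 0x04)
    block = head + (b"constructed row data " * 400)[:BLOCK_SIZE - 20]
    return block + struct.pack("<I", expected_tail(block))

def fake_cipher(seed):
    """Deterministic stand-in for encrypted content (SHA-256 keystream)."""
    return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(256))

SAMPLE = (fake_cipher(1) + make_block(0x06, 0x00400001, 0x0007A2B5, 1)
          + make_block(0x06, 0x00400002, 0x0007A2B6, 2) + bytes(BLOCK_SIZE)
          + fake_cipher(2) + make_block(0x06, 0x00400005, 0x0007A2B9, 1))

if __name__ == "__main__":
    for state, blocks in scan(SAMPLE).items():
        print(f"{state:10s} {len(blocks)} block(s): {blocks}")
```

The ratio of encrypted to intact blocks tells you whether header reconstruction plus export is realistic or whether most of the file is gone.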

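For data files encrypted by ransomware in this way we can achieve a fairly good recovery result. If a database of this kind (Oracle, MySQL, SQL Server and so on) has been encrypted and you need professional recovery support, please contact us:
Phone/WeChat: 17813235971    QQ: 107644445    E-Mail: dba@xifenfei.com

System security recommendations:
1. Do not use the same account and password on multiple machines.
2. Login passwords must be sufficiently long and complex, and should be changed regularly.
3. Shared folders holding important data should have access control configured and be backed up regularly.
4. Regularly check the system and software for security vulnerabilities and apply patches promptly.
5. Regularly check the servers for anomalies.
6. Install security protection software and make sure it is running properly.
7. Download and install software from official channels.
8. For unfamiliar software, if antivirus software has already blocked or removed it, do not add it to the trust list and keep running it.
9. Maintain good backup habits; aim for daily backups and off-site backups.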

Assistant: Download Reference for Oracle Database/GI PSU, SPU(CPU), Bundle Patches, Patchsets and Base Releases-202307


Oracle no longer provides patches for releases earlier than 19c as part of its standard patches, so this page lists mainly the key patches for 19c/21c.

 

21.0.0.0 RUs
 Description  Database Update  GI Update  Windows Bundle Patch
  JUL2023  (21.11.0.0.0) 35428978  35427907  35347974
  APR2023 (21.10.0.0.0) 35134934  35132566  35046488
  JAN2023 (21.9.0.0.0) 34839741  34838415  34750812
  Oct2022 (21.8.0.0.0) 34527084  34526142  34468137
  JUL2022 (21.7.0.0.0) 34160444  34155589  34110698
  APR2022 (21.6.0.0.0) 33843745  33859395  33829143
  JAN2022 (21.5.0.0.0) 33516412  33531909  33589769
 OCT2021 (21.4.0.0.0) 33239276  33250101  NA

 

19.0.0.0 RUs
 Description  Database Update  GI Update  Windows Bundle Patch
 JUL2023 (19.20.0.0.0) 35320081  35332145  35348034
 APR2023 (19.19.0.0.0) 35042068  35037840  35046439
 JAN2023 (19.18.0.0.0) 34765931  34762026  34750795
 Oct2022 (19.17.0.0.0) 34419443  34416665  34468114
 JUL2022 (19.16.0.0.0) 34133642  34130714  34110685
 APR2022 (19.15.0.0.0) 33806152  33803476  33829175
 JAN2022 (19.14.0.0.0) 33515361  33509923  33575656
 OCT2021(19.13.0.0.0) 33192793  33182768  33155330
 JUL2021 (19.12.0.0.0) 32904851  32895426  32832237
 APR2021 (19.11.0.0.0) 32545013  32545008  32409154
 JAN2021 (19.10.0.0.0) 32218454  32226239  32062765
 OCT2020 (19.9.0.0.0) 31771877  31750108  31719903
 JUL2020  (19.8.0.0.0) 31281355  31305339  31247621
 APR2020 (19.7.0.0.0) 30869156  30899722  30901317
 JAN2020 (19.6.0.0.0) 30557433  30501910  30445947
 OCT2019 (19.5.0.0.0) 30125133  30116789  30151705
 JUL2019 (19.4.0.0.0) 29834717  29708769   NA
 APR2019 (19.3.0.0.0) 29517242  29517302   NA

 

19.0.0.0 OJVM
 Description  OJVM Update  OJVM + DB Update  OJVM + GI Update
 JUL2023 (19.20.0.0.230718)  35354406  35370174  35370167
 APR2023 (19.19.0.0.230418)  35050341  35058163  35058172
 JAN2023 (19.18.0.0.230117)  34786990  34773489  34773504
 OCT2022 (19.17.0.0.221018)  34411846  34449114  34449117
 JUL2022 (19.16.0.0.220719)  34086870  34160831  34160854
 APR2022 (19.15.0.0.220419)  33808367  33859194  33859214
 JAN2022 (19.14.0.0.220118)  33561310  33567270  33567274
 OCT2021 (19.13.0.0.211019)  33192694  33248420  33248471
 JUL2021 (19.12.0.0.210720)  32876380  32900021  32900083
 APR2021 (19.11.0.0.210420)  32399816  32578972  32578973
 JAN2021 (19.10.0.0.210119)  32067171  32126828  32126842
 OCT2020 (19.9.0.0.201020)  31668882  31720396  31720429
 JUL2020 (19.8.0.0.200714)  31219897  31326362  31326369
 APR2020 (19.7.0.0.200414)  30805684  30783543  30783556
 JAN2020 (19.6.0.0.200114)  30484981  30463595  30463609
 OCT2019 (19.5.0.0.191015)  30128191  30133124  30133178
 JUL2019 (19.4.0.0.190716)  29774421  29699079  29699097
 APR2019 (19.3.0.0.190416)  29548437  29621253  29621299

 

 

19.0.0.0 MRPs
 Description  DBMRP  GIMRP
 19.19.0.0.230718 35573556 35573568
 19.18.0.0.230620 35449858 35449877
 19.18.0.0.230516 35333818 35333842

 

 

19.18.0.0 MRPs
 Description  DBMRP  GIMRP
 19.18.0.0.230718 35573556 35573568
 19.18.0.0.230620 35449858 35449877
 19.18.0.0.230516 35333818 35333842

Reference: Assistant: Download Reference for Oracle Database/GI Update, Revision, PSU, SPU(CPU), Bundle Patches, Patchsets and Base Releases (Doc ID 2118136.2)

Handling an ORA-01122 / ORA-01208 failure


The database suddenly failed with ORA-01122 and ORA-01208, which crashed the instance:

Tue Jul 11 09:06:43 2023
Thread 1 cannot allocate new log, sequence 254989
Private strand flush not complete
  Current log# 3 seq# 254988 mem# 0: E:\APP\ADMINISTRATOR\ORADATA\xff\REDO03.LOG
Thread 1 advanced to log sequence 254989 (LGWR switch)
  Current log# 1 seq# 254989 mem# 0: E:\APP\ADMINISTRATOR\ORADATA\xff\REDO01.LOG
Tue Jul 11 09:09:46 2023
Read of datafile 'E:\APP\ADMINISTRATOR\ORADATA\xff\SYSTEM01.DBF' (fno 1) header failed with ORA-01208
Rereading datafile 1 header found valid data
Repaired corruption in datafile 1 header
Read of datafile 'E:\APP\ADMINISTRATOR\ORADATA\xff\SYSAUX01.DBF' (fno 2) header failed with ORA-01208
Rereading datafile 2 header found valid data
Repaired corruption in datafile 2 header
Read of datafile 'E:\APP\ADMINISTRATOR\ORADATA\xff\UNDOTBS01.DBF' (fno 3) header failed with ORA-01208
Rereading datafile 3 header failed with ORA-01208
Errors in file E:\APP\ADMINISTRATOR\diag\rdbms\xff\xff\trace\xff_ckpt_5820.trc:
ORA-01242: data file suffered media failure: database in NOARCHIVELOG mode
ORA-01122: database file 3 failed verification check
ORA-01110: data file 3: 'E:\APP\ADMINISTRATOR\ORADATA\xff\UNDOTBS01.DBF'
ORA-01208: data file is an old version - not accessing current version
Errors in file E:\APP\ADMINISTRATOR\diag\rdbms\xff\xff\trace\xff_ckpt_5820.trc:
ORA-01242: data file suffered media failure: database in NOARCHIVELOG mode
ORA-01122: database file 3 failed verification check
ORA-01110: data file 3: 'E:\APP\ADMINISTRATOR\ORADATA\xff\UNDOTBS01.DBF'
ORA-01208: data file is an old version - not accessing current version
CKPT (ospid: 5820): terminating the instance due to error 1242
…………
Tue Jul 11 09:10:10 2023
Instance terminated by CKPT, pid = 5820
Tue Jul 11 09:18:32 2023

After a restart the instance cannot be opened:

Tue Jul 11 09:18:41 2023
alter database mount exclusive
Successful mount of redo thread 1, with mount id 1485684209
Database mounted in Exclusive Mode
Lost write protection disabled
Completed: alter database mount exclusive
alter database open
Errors in file E:\APP\ADMINISTRATOR\diag\rdbms\xff\xff\trace\xff_ora_406776.trc:
ORA-01113: file 3 needs media recovery
ORA-01110: data file 3: 'E:\APP\ADMINISTRATOR\ORADATA\xff\UNDOTBS01.DBF'
ORA-1113 signalled during: alter database open...

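Analysis with the Oracle Database Recovery Check tool confirms that recovery needs the log with sequence 254986. The database runs in NOARCHIVELOG mode and that redo has already been overwritten, so the database cannot be opened by conventional methods. The Oracle Recovery Tools utility was used to quickly modify the file headers so that the data file headers are consistent, and the database then opened successfully.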

Handling database failures after files were recovered from a hardware failure


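The customer had a hardware failure (more disks failed than the RAID could tolerate, taking the RAID offline). The data files were recovered at the hardware level and the customer then tried to recover the database themselves. When I took over, a large number of data files had an abnormal resetlogs SCN.

Recreating the control file fails: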

WARNING: Default Temporary Tablespace not specified in CREATE DATABASE command
Default Temporary Tablespace will be necessary for a locally managed database in future release
Errors in file /home/oracle/app/diag/rdbms/orcl/orcl/trace/orcl_ora_5949.trc:
ORA-01189: file is from a different RESETLOGS than previous files
ORA-01110: data file 153: '/home/oracle/oracledata/orcl/sysaux02.dbf'
ORA-1503 signalled during: CREATE CONTROLFILE REUSE DATABASE "ORCL" NORESETLOGS  ARCHIVELOG

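The fix is to modify the file headers and then recreate the control file. This can be done with bbed or with my small utility, Oracle Recovery Tools. Related posts:
Resolving ORA-01190 with bbed
Resolving ORA-01190, ORA-01248 and similar failures with Oracle Recovery Tools
Handling ORA-1555 on resetlogs after a data file was omitted when recreating the control file

Continuing to recreate the control file then produced the following error: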

WARNING: Default Temporary Tablespace not specified in CREATE DATABASE command
Default Temporary Tablespace will be necessary for a locally managed database in future release
Errors in file /home/oracle/app/diag/rdbms/orcl/orcl/trace/orcl_ora_34075.trc:
ORA-01200: actual file size of 2015415 is smaller than correct size of 2944000 blocks
ORA-01110: data file 178: '/home/oracle/oracledata/orcl/xifenfei20_10.dbf'
ORA-1503 signalled during: CREATE CONTROLFILE REUSE DATABASE "ORCL" NORESETLOGS  NOARCHIVELOG

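A comparison showed that this was caused by a faulty upload of the recovered file by the customer.

After the file was uploaded again and its header modified, the problem was solved and the control file was recreated successfully. A reminder: when files recovered from failed hardware are uploaded to a server for recovery, always confirm that the uploaded files are identical to the originals; otherwise the work is wasted or the recovery result is much worse.

Attempting to open the database then fails with ORA-600 2662: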

SQL> alter database open resetlogs;
alter database open resetlogs
*
ERROR at line 1:
ORA-00603: ORACLE server session terminated by fatal error
ORA-00600: internal error code, arguments: [2662], [5], [1653389530], [5],
[1653496702], [12583040], [], [], [], [], [], []
ORA-00600: internal error code, arguments: [2662], [5], [1653389529], [5],
[1653496702], [12583040], [], [], [], [], [], []
ORA-01092: ORACLE instance terminated. Disconnection forced
ORA-00600: internal error code, arguments: [2662], [5], [1653389527], [5],
[1653496702], [12583040], [], [], [], [], [], []
Process ID: 4710
Session ID: 1847 Serial number: 3

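This error is fairly simple. It is usually an SCN problem, and I have handled many such cases:
Resolving ORA-00600 [2662] with bbed
Handling ORA-600 2662 caused by a hardware failure
Quickly resolving ORA-600 2662 with the Patch SCN tool

Once this problem was resolved, the database opened successfully and as much data as possible was rescued.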
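The SCN problem behind ORA-600 [2662] can be read from the error arguments themselves. This added example (not from the original post or its tools) parses the error text shown above and decodes the arguments as current SCN wrap/base, dependent SCN wrap/base and the RDBA of the block that carries the dependent SCN. The 10-bit file / 22-bit block split of the RDBA assumes a smallfile tablespace.

```python
import re

# Copied from the error output above, with its line wrapping preserved.
ERROR_TEXT = """\
ORA-00603: ORACLE server session terminated by fatal error
ORA-00600: internal error code, arguments: [2662], [5], [1653389530], [5],
[1653496702], [12583040], [], [], [], [], [], []
ORA-00600: internal error code, arguments: [2662], [5], [1653389529], [5],
[1653496702], [12583040], [], [], [], [], [], []
ORA-01092: ORACLE instance terminated. Disconnection forced
ORA-00600: internal error code, arguments: [2662], [5], [1653389527], [5],
[1653496702], [12583040], [], [], [], [], [], []
"""

ARGS_2662 = re.compile(
    r"ORA-00600:[^\n]*?\[2662\], \[(\d+)\], \[(\d+)\], \[(\d+)\], \[(\d+)\], \[(\d+)\]"
)

def parse_2662(text):
    """Return one decoded record per ORA-00600 [2662] occurrence."""
    flat = re.sub(r",\s*\n\s*", ", ", text)  # rejoin wrapped argument lists
    records = []
    for m in ARGS_2662.finditer(flat):
        cur_wrap, cur_base, dep_wrap, dep_base, rdba = map(int, m.groups())
        current = (cur_wrap << 32) | cur_base
        dependent = (dep_wrap << 32) | dep_base
        records.append({
            "current_scn": current,        # SCN the database is at
            "dependent_scn": dependent,    # higher SCN found in a block
            "gap": dependent - current,    # how far the database SCN lags
            "file": rdba >> 22,            # assumption: smallfile RDBA layout
            "block": rdba & 0x3FFFFF,
        })
    return records

def required_scn(text):
    """Highest dependent SCN seen; the database SCN must end up above it."""
    return max(r["dependent_scn"] for r in parse_2662(text))

if __name__ == "__main__":
    for r in parse_2662(ERROR_TEXT):
        print(f"file {r['file']} block {r['block']}: database SCN is {r['gap']} behind")
    print("SCN must exceed", required_scn(ERROR_TEXT))
```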

dul supports recovery of Oracle databases on ARM


Confirm the database name and DBID, and that the database runs on the ARM platform:

SQL> select name,dbid,PLATFORM_ID,PLATFORM_NAME from v$database;

NAME            DBID PLATFORM_ID
--------- ---------- -----------
PLATFORM_NAME
--------------------------------------------------------------------------------
ARMDB     1195886419          23
Linux OS (AARCH64)

Recovering the ARM-platform database with dul:

[oracle@xifenfei dul]$ ./dul

Data UnLoader: 12.2.0.2.5 - Internal Only - on Sun Jul  9 22:05:51 2023
with 64-bit io functions and the decompression option

Copyright (c) 1994 2023 Bernard van Duijnen All rights reserved.

 Strictly Oracle Internal Use Only


DUL: Warning: ulimit process stack size is only 33554432
Found db_id = 1195886419
Found db_name = ARMDB
DUL> bootstrap;
Probing file = 1, block = 520
. unloading table                BOOTSTRAP$
DUL: Warning: block number is non zero but marked deferred trying to process it anyhow
      60 rows unloaded
Reading BOOTSTRAP.dat 60 entries loaded
Parsing Bootstrap$ contents
Generating dict.ddl for version 12
 OBJ$: segobjno 18, file 1 block 240
 TAB$: segobjno 2, tabno 1, file 1  block 144
 COL$: segobjno 2, tabno 5, file 1  block 144
 USER$: segobjno 10, tabno 1, file 1  block 208
Running generated file "@dict.ddl" to unload the dictionary tables
. unloading table                      OBJ$   23092 rows unloaded
. unloading table                      TAB$    1794 rows unloaded
. unloading table                      COL$  118438 rows unloaded
. unloading table                     USER$      85 rows unloaded
Reading USER.dat 85 entries loaded
Reading OBJ.dat 23092 entries loaded and sorted 23092 entries
Reading TAB.dat 1794 entries loaded
Reading COL.dat 118438 entries loaded and sorted 118438 entries
Reading BOOTSTRAP.dat 60 entries loaded

DUL: Warning: Recreating file "dict.ddl"
Generating dict.ddl for version 12
 OBJ$: segobjno 18, file 1 block 240
 TAB$: segobjno 2, tabno 1, file 1  block 144
 COL$: segobjno 2, tabno 5, file 1  block 144
 USER$: segobjno 10, tabno 1, file 1  block 208
 TABPART$: segobjno 822, file 1 block 5496
 INDPART$: segobjno 827, file 1 block 5536
 TABCOMPART$: segobjno 844, file 1 block 5672
 INDCOMPART$: segobjno 849, file 1 block 5712
 TABSUBPART$: segobjno 834, file 1 block 5592
 INDSUBPART$: segobjno 839, file 1 block 5632
 IND$: segobjno 2, tabno 3, file 1  block 144
 ICOL$: segobjno 2, tabno 4, file 1  block 144
 LOB$: segobjno 2, tabno 6, file 1  block 144
 COLTYPE$: segobjno 2, tabno 7, file 1  block 144
 TYPE$: segobjno 748, tabno 1, file 1  block 4960
 COLLECTION$: segobjno 748, tabno 2, file 1  block 4960
 ATTRIBUTE$: segobjno 748, tabno 3, file 1  block 4960
 LOBFRAG$: segobjno 855, file 1 block 5768
 LOBCOMPPART$: segobjno 858, file 1 block 5792
 UNDO$: segobjno 15, file 1 block 224
 TS$: segobjno 6, tabno 2, file 1  block 176
 PROPS$: segobjno 127, file 1 block 1320
Running generated file "@dict.ddl" to unload the dictionary tables
. unloading table                      OBJ$
DUL: Warning: Recreating file "OBJ.ctl"
   23092 rows unloaded
. unloading table                      TAB$
DUL: Warning: Recreating file "TAB.ctl"
    1794 rows unloaded
. unloading table                      COL$
DUL: Warning: Recreating file "COL.ctl"
  118438 rows unloaded
. unloading table                     USER$
DUL: Warning: Recreating file "USER.ctl"
      85 rows unloaded
. unloading table                  TABPART$     320 rows unloaded
. unloading table                  INDPART$     186 rows unloaded
. unloading table               TABCOMPART$       1 row  unloaded
. unloading table               INDCOMPART$       0 rows unloaded
. unloading table               TABSUBPART$      32 rows unloaded
. unloading table               INDSUBPART$       0 rows unloaded
. unloading table                      IND$    2273 rows unloaded
. unloading table                     ICOL$    4155 rows unloaded
. unloading table                      LOB$     566 rows unloaded
. unloading table                  COLTYPE$    2794 rows unloaded
. unloading table                     TYPE$    4381 rows unloaded
. unloading table               COLLECTION$     983 rows unloaded
. unloading table                ATTRIBUTE$   11584 rows unloaded
. unloading table                  LOBFRAG$       8 rows unloaded
. unloading table              LOBCOMPPART$       0 rows unloaded
. unloading table                     UNDO$      11 rows unloaded
. unloading table                       TS$       5 rows unloaded
. unloading table                    PROPS$      39 rows unloaded
Reading USER.dat 85 entries loaded
Reading OBJ.dat 23092 entries loaded and sorted 23092 entries
Reading TAB.dat 1794 entries loaded
Reading COL.dat 118438 entries loaded and sorted 118438 entries
Reading TABPART.dat 320 entries loaded and sorted 320 entries
Reading TABCOMPART.dat 1 entries loaded and sorted 1 entries
Reading TABSUBPART.dat 32 entries loaded and sorted 32 entries
Reading INDPART.dat 186 entries loaded and sorted 186 entries
Reading INDCOMPART.dat 0 entries loaded and sorted 0 entries
Reading INDSUBPART.dat 0 entries loaded and sorted 0 entries
Reading IND.dat 2273 entries loaded
Reading LOB.dat 566 entries loaded
Reading ICOL.dat 4155 entries loaded
Reading COLTYPE.dat 2794 entries loaded
Reading TYPE.dat
DUL: Notice: Increased the size of DC_TYPES from 4096 to 32768 entries
 4381 entries loaded
Reading ATTRIBUTE.dat 11584 entries loaded
Reading COLLECTION.dat 983 entries loaded
Reading BOOTSTRAP.dat 60 entries loaded
Reading LOBFRAG.dat 8 entries loaded and sorted 8 entries
Reading LOBCOMPPART.dat 0 entries loaded and sorted 0 entries
Reading UNDO.dat 11 entries loaded
Reading TS.dat 5 entries loaded
Reading PROPS.dat 39 entries loaded
Database character set is AL32UTF8
Database national character set is AL16UTF16
DUL> unload table sys.obj$;
. unloading table                      OBJ$   23092 rows unloaded
DUL> 

The test above shows that dul supports recovery of Oracle databases on ARM.