勒索解密后oracle无法启动故障处理----惜分飞

惜分飞2023-12-04 2:04

客户linux平台被勒索病毒加密,其中有oracle数据库.客户联系黑客进行解密【勒索解密oracle失败】,但是数据库无法正常启动,dbv检查数据库文件报错

|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [oracle@hisdb ~]$ dbv ``file``=system01.dbf DBVERIFY: Release 11.2.0.1.0 - Production on 星期一 11月 27 21:49:17 2023 Copyright (c) 1982, 2009, Oracle and``/or its affiliates. All rights reserved. DBV-00107: 未知标头格式 (31) (287942924) |

对应的英文为:DBV-00107: Unknown header format (31) (287942924),检查数据文件信息发现提示为 FILE NOT FOUND,使用脚本为:Oracle数据库异常恢复检查脚本(Oracle Database Recovery Check)检测结果

通过分区确认是文件头损坏

修复正确的文件头

再次dbv检查数据文件

|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [oracle@hisdb ~]$ dbv ``file``=system01.dbf DBVERIFY: Release 11.2.0.1.0 - Production on 星期一 11月 27 22:05:41 2023 Copyright (c) 1982, 2009, Oracle and``/or its affiliates. All rights reserved. DBVERIFY - 开始验证: FILE = ``/u01/app/oracle/oradata/system01``.dbf 页 12800 标记为损坏 Corrupt block relative dba: 0x00403200 (``file 1, block 12800) Bad header found during dbv: Data ``in bad block: ``type``: 88 ``format``: 1 rdba: 0x33877808 ``last change scn: 0x257a.7b3a44e3 ``seq``: 0xe8 flg: 0xe6 ``spare1: 0x4e spare2: 0x73 spare3: 0x0 ``consistency value ``in tail``: 0x65251001 ``check value ``in block header: 0xc3b4 ``computed block checksum: 0x4ca7 DBVERIFY - 验证完成 检查的页总数: 13440 处理的页总数 (数据): 3297 失败的页总数 (数据): 0 处理的页总数 (索引): 2097 失败的页总数 (索引): 0 处理的页总数 (其他): 1441 处理的总页数 (段) : 1 失败的总页数 (段) : 0 空的页总数: 6604 标记为损坏的总页数: 1 流入的页总数: 0 加密的总页数 : 0 最高块 SCN : 1667927064 (12.1667927064) |

修复其他文件头,并dbv检查,发现均在12800位置损坏.尝试recover database恢复数据库,报ORA-00742 ORA-00312之类错误.

|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Sat Nov 25 17:03:39 2023 ALTER DATABASE RECOVER database Media Recovery Start ``started logmerger process Parallel Media Recovery started with 40 slaves Sat Nov 25 17:03:40 2023 Recovery of Online Redo Log: Thread 1 Group 7 Seq 27220 Reading mem 0 ``Mem``# 0: /u01/app/oracle/oradata/redo07.log Sat Nov 25 17:03:41 2023 Hex dump of (``file 3, block 7) ``in trace ``file /u01/app/oracle/diag/rdbms/his/his/trace/his_pr0l_52669``.trc Corrupt block relative dba: 0x00c00007 (``file 3, block 7) Bad header found during media recovery Data ``in bad block: ``type``: 124 ``format``: 7 rdba: 0x1698b845 ``last change scn: 0x4fa1.3eaa638f ``seq``: 0x6 flg: 0x24 ``spare1: 0x26 spare2: 0x42 spare3: 0x0 ``consistency value ``in tail``: 0xa39e1e01 ``check value ``in block header: 0x2ca4 ``computed block checksum: 0x3b25 Reading datafile ``'/u01/app/oracle/oradata/undotbs01.dbf' for corruption at rdba: 0x00c00007 (``file 3, block 7) Reread (``file 3, block 7) found same corrupt data (no logical check) Sat Nov 25 17:03:41 2023 Hex dump of (``file 46, block 3) ``in trace ``file /u01/app/oracle/diag/rdbms/his/his/trace/his_pr0w_52691``.trc Corrupt block relative dba: 0x0b800003 (``file 46, block 3) Bad header found during media recovery Data ``in bad block: ``type``: 7 ``format``: 7 rdba: 0x77922022 ``last change scn: 0xdff3.c40df5b6 ``seq``: 0x6f flg: 0xe5 ``spare1: 0xcd spare2: 0x6d spare3: 0x83d7 ``consistency value ``in tail``: 0x63c63d2c ``check value ``in block header: 0xf662 ``computed block checksum: 0xec49 Data ``in bad block: ``type``: 135 ``format``: 4 rdba: 0x45ad2864 ``last change scn: 0x9d7e.34949c73 ``seq``: 0x32 flg: 0x3e ``spare1: 0x89 spare2: 0x0 spare3: 0x9f9f ``consistency value ``in tail``: 0xa5807800 ``check value ``in block header: 0xb2c9 ``computed block checksum: 0x3aea Reread (``file 5, block 11259) found same corrupt data (no logical check) ``type``: 214 ``format``: 1 rdba: 0x0228dbe9 Bad header found during media recovery ``last change scn: 0xed57.ca4f7559 ``seq``: 0x9b flg: 0x4a Data ``in bad block: ``spare1: 0x97 spare2: 0x77 spare3: 0x2bab ``type``: 33 ``format``: 6 rdba: 0x018d584a ``consistency value ``in tail``: 0x359f90d6 ``last change scn: 0xaeb8.2fa361eb ``seq``: 0x60 flg: 0x92 ``check value ``in block header: 0x6b26 ``spare1: 0xea spare2: 0xe spare3: 0xb405 block checksum disabled Reread (``file 3, block 4) found same corrupt data (no logical check) Corrupt block relative dba: 0x0b800e61 (``file 46, block 3681) Bad header found during media recovery Data ``in bad block: ``type``: 131 ``format``: 6 rdba: 0xc7edd0fc ``last change scn: 0xd319.d0e54941 ``seq``: 0x6f flg: 0x6d ``spare1: 0xe7 spare2: 0x82 spare3: 0x439f ``consistency value ``in tail``: 0x18dc47b6 ``check value ``in block header: 0xe9c8 ``computed block checksum: 0x204d Reread (``file 46, block 3681) found same corrupt data (no logical check) Hex dump of (``file 1, block 2017) ``in trace ``file /u01/app/oracle/diag/rdbms/his/his/trace/his_pr10_52699``.trc Corrupt block relative dba: 0x004007e1 (``file 1, block 2017) Bad header found during media recovery Data ``in bad block: ``type``: 159 ``format``: 2 rdba: 0x52c5b2b0 ``last change scn: 0x2ed8.e0bc5af9 ``seq``: 0x62 flg: 0xe9 ``spare1: 0x81 spare2: 0x1e spare3: 0xda98 ``consistency value ``in tail``: 0xc5753dd3 ``check value ``in block header: 0x2bba ``block checksum disabled Reading datafile ``'/u01/app/oracle/oradata/system01.dbf' for corruption at rdba: 0x004007e1 (``file 1, block 2017) Reread (``file 1, block 2017) found same corrupt data (no logical check) Media Recovery failed with error 742 Errors ``in file /u01/app/oracle/diag/rdbms/his/his/trace/his_pr00_52622``.trc: ORA-00283: recovery session canceled due to errors ORA-00742: Log ``read detects lost write ``in thread %d sequence %d block %d ORA-00312: online log 7 thread 1: ``'/u01/app/oracle/oradata/redo07.log' ORA-10877 signalled during: ALTER DATABASE RECOVER database ... |

尝试强制打开数据库报ORA-600 krsi_al_hdr_update.15,参考:Oracle断电故障处理中有类似报错

|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SQL> ``alter database open resetlogs; alter database open resetlogs * ERROR ``at line 1: ORA-00600: internal error code, arguments: [krsi_al_hdr_update.15], [4294967295], [], [], [], [], [], [], [], [], [], [] |

由于redo问题无法resetlogs成功,解决异常redo,再次尝试open库,由于undo坏块无法open成功

|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SQL> ``alter database open resetlogs; alter database open resetlogs * ERROR ``at line 1: ORA-01092: ORACLE instance terminated. Disconnection forced ORA-01578: ORACLE data block corrupted (file # 3, block # 1848) ORA-01110: data file 3: ``'/u01/app/oracle/oradata/undotbs01.dbf' Process ID: 55655 Session ID: 2623 Serial number: 5 |

解决undo异常,数据库open成功.导出客户需要数据,完成此次恢复工作

热门推荐
0151-2 万字长文,深度解读端到端自动驾驶的挑战和前沿022024年高教社杯数学建模国赛C题超详细解题思路分析03【2024数模国赛赛题思路公开】国赛B题思路丨附可运行代码丨无偿自提04RAG 实践- Ollama+RagFlow 部署本地知识库05【2024高教社杯全国大学生数学建模竞赛】B题 生产过程中的决策问题——解题思路 代码 论文062024 高教社杯 数学建模国赛 (A题)深度剖析|“板凳龙” 闹元宵|数学建模完整代码+建模过程全解全析07Coze扣子平台完整体验和实践(附国内和国际版对比)082024年高教杯国赛(C题)数学建模竞赛解题思路|完整代码论文集合092024 年高教社杯全国大学生数学建模竞赛题目-A 题 “板凳龙” 闹元宵10【SCS-CN】SCS-CN模型中CN值的确定