Oracle dmp Encryption Recovery

An Oracle dmp file was encrypted and damaged. The encryption prompt is as follows:

Analysis with our tool found that the first 1M of the file was damaged.

After special processing of the 1M of damaged data at the head of the file with our tool, the data was imported directly using the imp command.
If you have databases of any kind (Oracle, SQL Server, MySQL) encrypted by similar viruses, we can provide professional recovery support and achieve almost perfect data recovery without paying the hackers.
E-Mail: chf.dba@gmail.com. We provide professional recovery services.

Oracle datafile size is 0kb or file loss recovery

We received a recovery request from a friend: because of frequent switching of rose, some data files in the file system had changed to 0kb and a file had been lost.
Failure symptoms
Some data files changed to 0kb and files were lost.

It is obvious here that users03 of the database has become 0kb and users04 is lost. The error messages in the database alert log are as follows:

Completed: alter database mount exclusive
alter database open
Errors in file E:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\trace\orcl_dbw0_12008.trc:
ORA-01157: ????/?????? 7 - ??? DBWR ????
ORA-01110: ???? 7: 'E:\APP\ADMINISTRATOR\ORADATA\ORCL\USERS03.DBF'
ORA-27047: ??????????
OSD-04006: ReadFile() 失败, 无法读取文件
O/S-Error: (OS 38) 已到文件结尾。
Errors in file E:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\trace\orcl_dbw0_12008.trc:
ORA-01157: ????/?????? 8 - ??? DBWR ????
ORA-01110: ???? 8: 'E:\APP\ADMINISTRATOR\ORADATA\ORCL\USERS04.DBF'
ORA-27041: ??????
OSD-04002: 无法打开文件
O/S-Error: (OS 2) 系统找不到指定的文件。
Errors in file E:\APP\ADMINISTRATOR\diag\rdbms\orcl\orcl\trace\orcl_ora_12040.trc:
ORA-01157: ????/?????? 7 - ??? DBWR ????
ORA-01110: ???? 7: 'E:\APP\ADMINISTRATOR\ORADATA\ORCL\USERS03.DBF'
ORA-1157 signalled during: alter database open...
Fri May 04 09:35:10 2018
Checker run found 2 new persistent data failures

The errors in the alert log are equally clear. For users03, the read runs past the end of the file (the size is 0kb, so any read must go past the end); for users04, the file cannot be opened (it has been lost at the file system level). The problem is now evident: a file system failure caused one file to have size 0 and the other to go missing.

Fragment Scan Recovery
Conventional methods are definitely unable to recover this. The only workable approach is to scan for and reassemble the underlying fragments. After trying a variety of scanning tools, I finally found that a friend who does low-level recovery got good results. The scan results are as follows:


Analysis of bad blocks by tools

C:\Users\Administrator>dbv FiLe=D:\0504\ORCL_TS.4_FILE.7_10.ora

DBVERIFY: Release 11.2.0.4.0 - Production on 星期六 5月 5 08:52:53 2018

Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.

DBVERIFY - 开始验证: FILE = D:\0504\ORCL_TS.4_FILE.7_10.ora

………………

页 382565 标记为损坏
Corrupt block relative dba: 0x01c5d665 (file 7, block 382565)
Completely zero block found during dbv:

页 382566 标记为损坏
Corrupt block relative dba: 0x01c5d666 (file 7, block 382566)
Completely zero block found during dbv:

页 382567 标记为损坏
Corrupt block relative dba: 0x01c5d667 (file 7, block 382567)
Completely zero block found during dbv:



DBVERIFY - 验证完成

检查的页总数: 1374720
处理的页总数 (数据): 27582
失败的页总数 (数据): 0
处理的页总数 (索引): 20114
失败的页总数 (索引): 0
处理的页总数 (其他): 1319752
处理的总页数 (段)  : 0
失败的总页数 (段)  : 0
空的页总数: 1
标记为损坏的总页数: 7271
流入的页总数: 0
加密的总页数        : 0
最高块 SCN            : 228271996 (0.228271996)


C:\Users\Administrator>dbv FiLe=D:\0504\ORCL_TS.4_FILE.8_8.ora

DBVERIFY: Release 11.2.0.4.0 - Production on 星期六 5月 5 08:52:53 2018

Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.

DBVERIFY - 开始验证: FILE = D:\0504\ORCL_TS.4_FILE.8_8.ora


DBVERIFY - 验证完成

检查的页总数: 1136896
处理的页总数 (数据): 36639
失败的页总数 (数据): 0
处理的页总数 (索引): 57038
失败的页总数 (索引): 0
处理的页总数 (其他): 1043218
处理的总页数 (段)  : 0
失败的总页数 (段)  : 0
空的页总数: 1
标记为损坏的总页数: 0
流入的页总数: 0
加密的总页数        : 0
最高块 SCN            : 228271997 (0.228271997)

C:\Users\Administrator>

The analysis shows that the two recovered files contain 2511618 blocks in total, of which 7271 contiguous blocks are damaged. After the problem occurred, the database continued to run for several hours with these two files offline, so a small number of blocks were overwritten and left blank. The subsequent recovery went relatively smoothly: the database opened normally, and the objects with bad blocks were then handled (the affected object is not a LOB column of a core business table, so losing part of it is not very significant).
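An added example, not part of the original post or of any Oracle tool: Python code that reads dbv output like the above, decodes each relative dba and collapses the corrupt blocks into contiguous runs, which is how a figure such as 7271 contiguous blocks can be checked. The 8192-byte block size, the function names and the fourth sample entry are assumptions made for the illustration.

```python
import re

# In the output above this line stays in English although the session is Chinese.
CORRUPT_RE = re.compile(
    r"Corrupt block relative dba: 0x([0-9a-fA-F]{8}) \(file (\d+), block (\d+)\)"
)
BLOCK_SIZE = 8192  # assumption: db_block_size is not stated on the page

# First three entries are copied from the dbv run above; the last one is constructed.
SAMPLE_DBV = """\
Corrupt block relative dba: 0x01c5d665 (file 7, block 382565)
Completely zero block found during dbv:
Corrupt block relative dba: 0x01c5d666 (file 7, block 382566)
Completely zero block found during dbv:
Corrupt block relative dba: 0x01c5d667 (file 7, block 382567)
Completely zero block found during dbv:
Corrupt block relative dba: 0x01c5f370 (file 7, block 390000)
"""

def decode_rdba(rdba):
    """Relative DBA: upper 10 bits are the relative file number, lower 22 the block."""
    return rdba >> 22, rdba & 0x3FFFFF

def corrupt_blocks(dbv_text):
    """Return sorted unique (file, block) pairs; reject lines whose hex dba disagrees."""
    found = set()
    for m in CORRUPT_RE.finditer(dbv_text):
        decoded = decode_rdba(int(m.group(1), 16))
        if decoded != (int(m.group(2)), int(m.group(3))):
            raise ValueError(f"inconsistent dba line: {m.group(0)}")
        found.add(decoded)
    return sorted(found)

def contiguous_runs(blocks):
    """Collapse sorted (file, block) pairs into (file, first, last, count) runs."""
    runs = []
    for file_no, block_no in blocks:
        if runs and runs[-1][0] == file_no and runs[-1][2] + 1 == block_no:
            runs[-1][2] = block_no          # extends the current run
        else:
            runs.append([file_no, block_no, block_no])
    return [(f, lo, hi, hi - lo + 1) for f, lo, hi in runs]

def byte_range(run, block_size=BLOCK_SIZE):
    """Start (inclusive) and end (exclusive) byte offsets of a run in the datafile,
    assuming block N starts at N * block_size."""
    _, first, last, _ = run
    return first * block_size, (last + 1) * block_size

if __name__ == "__main__":
    for run in contiguous_runs(corrupt_blocks(SAMPLE_DBV)):
        print(run, byte_range(run))
```

A single run covering all corrupt blocks means one overwritten extent; many short runs would instead point to scattered damage.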

Reminder:
1. Data files and backups should not be placed on the same array, let alone on the same partition (volume)
2. After such a problem occurs, stop all write operations to the partition at once, so that the lost or 0KB files are not overwritten.
If you need professional ORACLE database recovery technical support, please contact us. E-Mail: chf.dba@gmail.com

.horseleader encrypted database recovery

Files encrypted by the virus carry the .horseleader extension.

Analysis shows that only part of the data was destroyed, so most of it can be recovered.

By processing at the low level, we skip the damaged part and recover the undamaged data.

For this type of encryption, we can recover the vast majority of data for SQL Server, MySQL and Oracle, restoring most business data without paying a ransom to the hackers.

SQL Server MDF file size 0kb Recovery

We previously handled a case in which an Oracle database dbf file became 0kb (Oracle datafile size is 0kb or file loss recovery). This time a customer's SQL Server database mdf file became 0kb after a host restart, and the customer could not recover it normally with software on their own. We processed the disk at the underlying block level and recovered most of the data (some data had been overwritten by operations the customer performed).
This disk partition holds multiple mdf files (multiple SQL Server databases).
Using low-level block techniques, we found a large number of the file's blocks that had not been overwritten.
After the mdf file is restored through the block technique, the table data is then restored.

If your SQL Server mdf file has become 0kb for some reason, please preserve the current state of the system as soon as possible and do not perform any write operations. We can recover it to the maximum extent and minimize your loss.
If you need recovery, contact us (E-Mail: chf.dba@gmail.com) for professional database recovery services.

MySQL Ransomware Recovery

We recently encountered several MySQL databases that had been deleted by hackers, who left a Bitcoin ransom note in a WARNING table in each database.

mysql> desc WARNING
    -> ;
+-----------------+----------+------+-----+---------+-------+
| Field           | Type     | Null | Key | Default | Extra |
+-----------------+----------+------+-----+---------+-------+
| id              | int(11)  | YES  |     | NULL    |       |
| warning         | longtext | YES  |     | NULL    |       |
| Bitcoin_Address | longtext | YES  |     | NULL    |       |
| Email           | longtext | YES  |     | NULL    |       |
+-----------------+----------+------+-----+---------+-------+
4 rows in set (0.00 sec)

mysql> select * from WARNING;
+------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+------------------+
| id   | warning                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Bitcoin_Address                    | Email            |
+------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+------------------+
|    1 | To recover your lost Database and avoid leaking it: Send us 0.06 Bitcoin (BTC) to our Bitcoin address 1BLYhUDmnmVPVjcTWgc6gFT6DCYwbVieUD and contact us by Email with your Server IP or Domain name and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your Database is downloaded and backed up on our servers. Backups that we have right now: xxxx,xxxxxx,xxxxxxxx,xxxxxxx . If we dont receive your payment in the next 10 Days, we will make your database public or use them otherwise. | 1BLYhUDmnmVPVjcTWgc6gFT6DCYwbVieUD | contact@sqldb.to |
+------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+------------------+
1 row in set (0.00 sec)

The gist is: we have backed up your database; pay us 0.06 bitcoin and we will give you the data. If we do not receive the payment within 10 days, the database will be made public or used for other purposes. In the experience of friends we have been in contact with, the database is not returned after payment (most likely the hackers did not back up the database at all; they just deleted it and then extorted Bitcoin).

In such cases, analysis confirms that the hackers have deleted the database. Provided the data has not been overwritten, we can recover it. See MySQL drop database recovery (the recovery method also applies to MySQL drop table, delete and truncate table). This minimizes the loss caused by the database damage.
If you also encounter this problem, please preserve the current state of the system: do not import a backup of the database and do not write to the partition where the data is located (the better the state is preserved, the better the recovery result), and image the relevant disk to prevent secondary damage. We can provide professional MySQL recovery services to reduce your losses.

.[geerban@email.tg].Devos Encrypted database recovery

A new virus was found encrypting an Oracle database; the encrypted files carry the suffix .id[06495F21-2700].[geerban@email.tg].Devos

Analysis found that the data in the front part of the file had simply been blanked.

The data in the middle of the file still exists.

Through low-level analysis of such failures, we can recover the vast majority of the data and restore most business data without paying a ransom to the hackers.

oracle dul 12 officially released

Oracle's official dul tool has finally been released in version 12. For the dul 11 release, see: oracle dul 11 officially released

Data UnLoader: 12.0.0.0.5 - Internal Only - on Thu Feb 27 11:27:42 2020
with 64-bit io functions

Copyright (c) 1994 2019 Bernard van Duijnen All rights reserved.

 Strictly Oracle Internal Use Only


Reading USER.dat 87 entries loaded
Reading OBJ.dat 72882 entries loaded and sorted 72882 entries
Reading TAB.dat 2810 entries loaded
Reading COL.dat 90151 entries loaded and sorted 90151 entries
Reading TABPART.dat 107 entries loaded and sorted 107 entries
Reading TABCOMPART.dat 0 entries loaded and sorted 0 entries
Reading TABSUBPART.dat 0 entries loaded and sorted 0 entries
Reading INDPART.dat 124 entries loaded and sorted 124 entries
Reading INDCOMPART.dat 0 entries loaded and sorted 0 entries
Reading INDSUBPART.dat 0 entries loaded and sorted 0 entries
Reading IND.dat 4695 entries loaded
Reading LOB.dat 883 entries loaded
Reading ICOL.dat 7430 entries loaded
Reading COLTYPE.dat 2203 entries loaded
Reading TYPE.dat 2779 entries loaded
Reading ATTRIBUTE.dat 10852 entries loaded
Reading COLLECTION.dat 960 entries loaded
Reading BOOTSTRAP.dat 60 entries loaded
Reading LOBFRAG.dat 1 entries loaded and sorted 1 entries
Reading LOBCOMPPART.dat 0 entries loaded and sorted 0 entries
Reading UNDO.dat 21 entries loaded
Reading TS.dat 11 entries loaded
Reading PROPS.dat 36 entries loaded
Database character set is ZHS16GBK
Database national character set is AL16UTF16
Found db_id = 3861844098
Found db_name = O11201GB
DUL>
  2  show datafiles;
ts# rf# start   blocks offs open  err file name
  0   1     0   103681    0    1    0 D:\app\XIFENFEI\oradata\o11201gbk/system01.dbf
DUL>

Judging from the Compatible parameter, it directly supports Oracle 18; the specifics remain to be tested.


.ROGER virus encrypted database recovery

Recently a new encryption virus was found, with the suffix: .id-CC46A224.[Wang.chang888@tutanota.com].ROGER. The encryption prompt looks similar to this:

Analysis of the file shows that the virus emptied the file header.

Further analysis shows that most of the business data in the file is still in place.

Through low-level analysis, the vast majority of the data can be recovered from this kind of failure.

If you have a database (Oracle, MySQL, SQL Server) encrypted by a similar virus, you can contact us to achieve a good recovery result without paying the hackers (no fee is charged if the recovery is unsuccessful).
E-Mail: chf.dba@gmail.com. We provide professional decryption and recovery services.
Protection recommendations:
1. Do not use the same account and password on multiple machines.
2. The login password should have sufficient length and complexity, and should be changed regularly.
3. Shared folders holding important data should have access control set up and be backed up regularly.
4. Regularly check the system and software for security vulnerabilities and apply patches in a timely manner.
5. Periodically log on to the server and check for anything abnormal. The check should cover:
a) Whether there are new accounts
b) Whether Guest is enabled
c) Whether there are anomalies in the Windows system log
d) Whether the anti-virus software has made any unusual interceptions
6. Install security protection software and make sure it is running normally.
7. Download and install software from regular channels.
8. If unfamiliar software has been intercepted by the antivirus software, do not add it to the trusted list and continue running it.

.happychoose encrypted database recovery

Recently a friend's SQL Server database was encrypted, with the suffix .mdf.happythreechoose, and needed recovery support.
The file left by the hackers reads something like this:

ALL YOUR FILES ARE ENCRYPTED!
ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.

To recover data you need decryptor.
To get the decryptor you should:
Send 1 test image or text file happychoose@cock.li or happychoose2@cock.li.
In the letter include YOUR ID (look at the beginning of this document).

We will give you the decrypted file and assign the price for decryption all files
 

After we send you instruction how to pay for decrypt and after payment you will 
receive a decryptor and instructions We can decrypt one file
in quality the evidence that we have the decoder.
Attention!

Only happychoose@cock.li or happychoose2@cock.li can decrypt your files
Do not trust anyone happychoose@cock.li or happychoose2@cock.li
Do not attempt to remove the program or run the anti-virus tools
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data, 
because each user's unique encryption key

A search shows that this virus and .happyfourchoose belong to the GlobeImposter family. Currently, decryption is not supported.
Low-level analysis found that mainly the header and tail of the file were encrypted.

A scan of the data files found that most of the data can be recovered.
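An added example, not the tool used in these posts: Python code that maps a damaged file chunk by chunk into zeroed, high-entropy and intact regions, the kind of triage behind the observations above that a header was blanked or that only the head and tail were encrypted while the middle survived. The 8192-byte chunk size, the 7.5 bits-per-byte threshold, the function names and the sample file are all assumptions constructed for the illustration.

```python
import math
import os
import random
import tempfile
from collections import Counter

CHUNK = 8192  # assumed scan granularity (a common database block size)

def classify(chunk, threshold=7.5):
    """Label a chunk 'zeroed', 'high-entropy' (encrypted or compressed) or 'intact'."""
    if not any(chunk):
        return "zeroed"
    n = len(chunk)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())
    return "high-entropy" if entropy >= threshold else "intact"

def damage_map(path, chunk_size=CHUNK):
    """Return (label, start, end) regions, merging adjacent chunks with the same label."""
    regions, offset = [], 0
    with open(path, "rb") as fh:  # read-only: work on a disk image, never write to it
        while chunk := fh.read(chunk_size):
            label = classify(chunk)
            if regions and regions[-1][0] == label:
                regions[-1][2] = offset + len(chunk)
            else:
                regions.append([label, offset, offset + len(chunk)])
            offset += len(chunk)
    return [tuple(r) for r in regions]

def intact_fraction(regions):
    """Share of the file's bytes that sit in 'intact' regions."""
    total = sum(end - start for _, start, end in regions)
    intact = sum(end - start for label, start, end in regions if label == "intact")
    return intact / total if total else 0.0

def build_sample(path):
    """Constructed file: random head and tail, one zeroed chunk, record-like middle."""
    rng = random.Random(2020)
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    rows = b"".join(b"ROW%06d|customer|2020-02-17\n" % i for i in range(3000))
    with open(path, "wb") as fh:
        fh.write(noise(2 * CHUNK) + bytes(CHUNK) + rows[: 8 * CHUNK] + noise(2 * CHUNK))

def demo():
    """Scan the constructed sample and return its damage map."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.mdf.constructed")
        build_sample(path)
        return damage_map(path)

if __name__ == "__main__":
    regions = demo()
    for label, start, end in regions:
        print(f"{label:12s} {start:>8d} - {end:>8d}")
    print(f"intact: {intact_fraction(regions):.1%}")
```

High entropy alone does not prove encryption, since compressed pages score the same, so the map is a starting point for block-level inspection rather than a verdict.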



.chch encrypted database recovery

Recently a database was encrypted by the .chch virus. Analysis shows that files hit by this kind of virus can be recovered well at the database level.
The recovery process achieved a good data recovery result, as follows:

If you have a database (SQL Server, Oracle, MySQL) encrypted in this way, you can contact us.