
[20180614] Database cannot start after the bootstrap$ records are deleted (2).txt


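--//A few days ago I read this link: http://www.xifenfei.com/2018/05/willfully-delete-bootstrap.html.

--//According to that write-up: someone injected a malicious script into the database, which deleted the rows in bootstrap$ (delete from bootstrap$;), and after a shutdown the database could not start normally.

--//My thinking was more about how I would solve this if I ran into it:

1. If there is a backup, just restore to a point before the delete from bootstrap$. But there is a problem here: the database kept running after the delete, so you cannot keep applying the logs, because that brings you back to

  the state after bootstrap$ was deleted.

2. With a backup this is easy to solve, because the contents of the bootstrap$ blocks do not change; just overwrite the corresponding blocks and it is OK.

  In fact, as long as the Oracle version and the OS platform are the same, replacing them with the corresponding blocks from another database's SYSTEM tablespace file should work without any problem.

3. The clumsiest method, of course, is to restore the deleted rows. Because many rows were deleted, doing it by hand feels rather tedious.

--//I also tested this myself, demonstrating the last two recovery methods. Never run this kind of test on a production system!!

--//Today's test uses the bbed editing approach. The earlier reference link: http://blog.itpub.net/267265/viewspace-2156144/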

1. Environment:

SCOTT@book> @ ver1

PORT_STRING                    VERSION        BANNER

------------------------------ -------------- --------------------------------------------------------------------------------

x86_64/Linux 2.4.xx            11.2.0.4.0     Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

--//It is best to back up the database first (omitted). First, see which blocks bootstrap$ occupies.

SCOTT@book> select HEADER_FILE,HEADER_BLOCK,BLOCKS,EXTENTS from dba_segments where owner='SYS' and segment_name='BOOTSTRAP$';

HEADER_FILE HEADER_BLOCK     BLOCKS    EXTENTS

----------- ------------ ---------- ----------

          1          520          8          1

SCOTT@book> column PARTITION_NAME noprint

SCOTT@book> select * from dba_extents where owner='SYS' and segment_name='BOOTSTRAP$';

OWNER  SEGMENT_NAME         SEGMENT_TYPE       TABLESPACE_NAME                 EXTENT_ID    FILE_ID   BLOCK_ID      BYTES     BLOCKS RELATIVE_FNO

------ -------------------- ------------------ ------------------------------ ---------- ---------- ---------- ---------- ---------- ------------

SYS    BOOTSTRAP$           TABLE              SYSTEM                                  0          1        520      65536          8            1

--//This location is also recorded in the header of the SYSTEM data file. Inspecting it with bbed:

BBED> p dba 1,1 kcvfh.kcvfhrdb

ub4 kcvfhrdb                                @96       0x00400208

BBED> set dba 0x00400208

        DBA             0x00400208 (4194824 1,520)

--//dba=0x00400208 points to 1,520, which is the segment header of sys.BOOTSTRAP$.

--//Make a backup of sys.bootstrap$:

SCOTT@book> create table bootstrap$bak as select * from sys.bootstrap$;

Table created.

SCOTT@book> select HEADER_FILE,HEADER_BLOCK,BLOCKS,EXTENTS from dba_segments where owner=OWNER and segment_name='BOOTSTRAP$BAK';

          4          858          8          1

--//Start the damage....

SYS@book> delete from sys.bootstrap$;

60 rows deleted.

SYS@book> commit ;

Commit complete.

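--//The most serious aspect of this problem is that if you never restart, you have no idea it exists; you only discover it at the next restart,

--//which means the backup files may have been carrying the problem all along. ^_^

2. Restart the database: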

SYS@book> shutdown immediate ;

Database closed.

Database dismounted.

ORACLE instance shut down.

SYS@book> startup

ORACLE instance started.

Total System Global Area  634732544 bytes

Fixed Size                  2255792 bytes

Variable Size             197133392 bytes

Database Buffers          427819008 bytes

Redo Buffers                7524352 bytes

Database mounted.

ORA-03113: end-of-file on communication channel

Process ID: 54149

Session ID: 274 Serial number: 3

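--//The analysis is omitted here; see the link http://blog.itpub.net/267265/viewspace-2156144/

3. bbed repair method 1:

--//One approach: if you have a backup of the SYSTEM file and this part of it is OK, bbed's copy command fixes the problem quickly.

--//Only a brief walkthrough:

--//Edit the file filelist.txt and add: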

301 /u01/backup/20170301B/system01.dbf

--//My bbed parameter file is as follows:

$ cat bbed.par

blocksize=8192

listfile=$HOME/bbed/filelist.txt

mode=edit

PASSWORD=blockedit

SPOOL=Y

$ cat cmd.par

set count 64

set width 160

--//Run bbed as follows:

$ rlwrap -s 9999 -c -r -i $ORACLE_HOME/bin/bbed parfile=bbed.par cmdfile=cmd.par

BBED> info

 File#  Name                                Size(blks)

 -----  ----                                ----------

     1  /mnt/ramdisk/book/system01.dbf               0

     2  /mnt/ramdisk/book/sysaux01.dbf               0

     3  /mnt/ramdisk/book/undotbs01.dbf              0

     4  /mnt/ramdisk/book/users01.dbf                0

     5  /mnt/ramdisk/book/example01.dbf              0

     6  /mnt/ramdisk/book/tea01.dbf                  0

     7  /mnt/ramdisk/book/sugar01.dbf                0

   101  /mnt/ramdisk/book/control01.ctl              0

   102  /mnt/ramdisk/book/control02.ctl              0

   201  /mnt/ramdisk/book/temp01.dbf                 0

   206  /home/oracle/backup/tea01.dbf                0

   301  /u01/backup/20170301B/system01.dbf           0

BBED> help copy

COPY [ DBA | FILE | FILENAME | BLOCK ] TO [ DBA | FILE | FILENAME | BLOCK ]

BBED> set offset 0

        OFFSET          0

--//Note: it is best to set the offset first, otherwise the copy command actually starts copying from the current offset.

BBED> copy dba 301,521 to dba 1,521

Warning: contents of previous BIFILE will be lost. Proceed? (Y/N) y

 File: /mnt/ramdisk/book/system01.dbf (1)

 Block: 521                                                  Offsets:    0 to   63                                               Dba:0x00400209

------------------------------------------------------------------------------------------------------------------------------------------------

 06a20000 09024000 d7010000 00000106 fa520000 01000000 3b000000 73010000 00000000 01f80200 00000000 00002500 02000000 11024000 02004c00 18200000

 <64 bytes per line>

BBED> copy dba 301,522 to dba 1,522

 Block: 522                                                  Offsets:    0 to   63                                               Dba:0x0040020a

 06a20000 0a024000 d7010000 00000106 e81e0000 01000000 3b000000 bb010000 00000000 01f80200 00000000 00002500 02000000 20024000 04000700 15200000

BBED> copy dba 301,523 to dba 1,523

 Block: 523                                                  Offsets:    0 to   63                                               Dba:0x0040020b

 06a20000 0b024000 d7010000 00000106 7b7e0000 01000000 3b000000 d0010000 00000000 01000300 00000000 00002500 02000000 27024000 04002f00 0f200000

--//OK. It can also be written like this:

BBED> copy filename '/u01/backup/20170301B/system01.dbf' block 521 to filename '/mnt/ramdisk/book/system01.dbf' block 521

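--//With this method, as long as the original system01.dbf is OK, there is generally no problem.

4. bbed repair method 2:

--//Restore the delete flag from 0x3c to 0x2c. In practice, modifying 60 rows this way is rather tedious.

--//Note my earlier bbed parameter settings

--//spool=y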

$ cat d.cmd

set dba 1,521

x /rnnc *kdbr[0]

x /rnnc *kdbr[1]

x /rnnc *kdbr[2]

x /rnnc *kdbr[3]

x /rnnc *kdbr[4]

x /rnnc *kdbr[5]

x /rnnc *kdbr[6]

x /rnnc *kdbr[7]

x /rnnc *kdbr[8]

x /rnnc *kdbr[9]

x /rnnc *kdbr[10]

x /rnnc *kdbr[11]

x /rnnc *kdbr[12]

x /rnnc *kdbr[13]

x /rnnc *kdbr[14]

x /rnnc *kdbr[15]

x /rnnc *kdbr[16]

x /rnnc *kdbr[17]

x /rnnc *kdbr[18]

x /rnnc *kdbr[19]

x /rnnc *kdbr[20]

x /rnnc *kdbr[21]

x /rnnc *kdbr[22]

x /rnnc *kdbr[23]

quit

$ rm log.bbd

/bin/rm: remove regular file `log.bbd'? y

$ rlwrap -s 9999 -c -r -i $ORACLE_HOME/bin/bbed parfile=bbed.par cmdfile=d.cmd

...

$ grep flag log.bbd

flag@8167: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@8030: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@7641: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@7441: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@7058: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@6846: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@6641: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@6029: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@5823: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@5623: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@5402: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@5198: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@4915: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@4681: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@4434: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@3964: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@3756: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@3541: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@3261: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@2477: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@2272: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@1698: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@1489: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

flag@1290: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)

$ grep "flag" log.bbd | cut -c6-9 | xargs -I{} echo assign  dba 1,521 offset {} = 0x2c

assign dba 1,521 offset 8167 = 0x2c

assign dba 1,521 offset 8030 = 0x2c

assign dba 1,521 offset 7641 = 0x2c

assign dba 1,521 offset 7441 = 0x2c

assign dba 1,521 offset 7058 = 0x2c

assign dba 1,521 offset 6846 = 0x2c

assign dba 1,521 offset 6641 = 0x2c

assign dba 1,521 offset 6029 = 0x2c

assign dba 1,521 offset 5823 = 0x2c

assign dba 1,521 offset 5623 = 0x2c

assign dba 1,521 offset 5402 = 0x2c

assign dba 1,521 offset 5198 = 0x2c

assign dba 1,521 offset 4915 = 0x2c

assign dba 1,521 offset 4681 = 0x2c

assign dba 1,521 offset 4434 = 0x2c

assign dba 1,521 offset 3964 = 0x2c

assign dba 1,521 offset 3756 = 0x2c

assign dba 1,521 offset 3541 = 0x2c

assign dba 1,521 offset 3261 = 0x2c

assign dba 1,521 offset 2477 = 0x2c

assign dba 1,521 offset 2272 = 0x2c

assign dba 1,521 offset 1698 = 0x2c

assign dba 1,521 offset 1489 = 0x2c

assign dba 1,521 offset 1290 = 0x2c

$ grep "flag" log.bbd | cut -c6-9 | xargs -I{} echo assign  dba 1,521 offset {} = 0x2c > e.cmd

$ rlwrap -s 9999 -c -r -i $ORACLE_HOME/bin/bbed parfile=bbed.par cmdfile=e.cmd

..

--//Finally run:

BBED> sum apply dba 1,521

Check value for File 1, Block 521:

current = 0x4231, required = 0x4231

BBED> quit

--//Do the same for the other data blocks, dba=1,522 and 1,523. Omitted.
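
--//Added example (not part of the original post): a shell function that builds the same assign commands from log.bbd without relying on fixed character columns, so offsets that are not four digits also work, and that rewrites only rows whose KDRHFD flag is set. The function name gen_undelete_cmds and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. gen_undelete_cmds is a
# hypothetical helper: it reads spooled bbed output (log.bbd) on stdin and
# prints one "assign" command per row header whose KDRHFD flag is set.
# Usage: gen_undelete_cmds FILE_NO BLOCK_NO < log.bbd > e.cmd
gen_undelete_cmds() {
    file_no=$1
    block_no=$2
    while IFS= read -r line; do
        # Keep only row-header flag lines that still carry the delete flag.
        case $line in
            flag@*KDRHFD*) ;;
            *) continue ;;
        esac
        off=${line#flag@}; off=${off%%:*}    # digits between "flag@" and ":"
        val=${line#*: };   val=${val%% *}    # flag byte as printed, e.g. 0x3c
        hex=${val#0x}
        # Skip anything that is not a decimal offset plus a 0x-prefixed byte.
        case $off in ''|*[!0-9]*) continue ;; esac
        [ "$hex" != "$val" ] || continue
        case $hex in ''|*[!0-9a-fA-F]*) continue ;; esac
        # 0x3c and 0x2c differ only in bit 0x10 (KDRHFD); clear just that bit.
        new=$(( 0x$hex & ~0x10 ))
        printf 'assign dba %s,%s offset %s = 0x%02x\n' \
            "$file_no" "$block_no" "$off" "$new"
    done
}

# Constructed sample input: two deleted rows (one at a 3-digit offset),
# one row that is already live, and one non-flag line.
gen_undelete_cmds 1 521 <<'EOF'
flag@8167: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)
flag@975: 0x3c (KDRHFL, KDRHFF, KDRHFD, KDRHFH)
flag@1290: 0x2c (KDRHFL, KDRHFF, KDRHFH)
lock@1291: 0x01
EOF
```

--//Rows that already show 0x2c are left alone, so the generated command file can be rebuilt from a fresh log.bbd after a partial run.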

BBED> set dba 1,521

        DBA             0x00400209 (4194825 1,521)

BBED> x /24rnnc *kdbr[23]

....

BBED> x /2rnnc *kdbr[23]

--//I show 2 rows here

rowdata[0]                                  @1290

----------

flag@1290: 0x2c (KDRHFL, KDRHFF, KDRHFH)

lock@1291: 0x01

cols@1292:    3

col    0[2] @1293: 7

col    1[2] @1296: 7

col  2[189] @1299: CREATE INDEX I_TS# ON CLUSTER C_TS# PCTFREE 10 INITRANS 2 MAXTRANS 255 STORAGE (  INITIAL 64K NEXT 1024K MINEXTENTS 1 MAXEXTENTS 214748

3645 PCTINCREASE 0 OBJNO 7 EXTENTS (FILE 1 BLOCK 184))

rowdata[199]                                @1489

------------

flag@1489: 0x2c (KDRHFL, KDRHFF, KDRHFH)

lock@1490: 0x01

cols@1491:    3

col    0[2] @1492: 6

col    1[2] @1495: 6

col  2[199] @1498: CREATE CLUSTER C_TS#("TS#" NUMBER) PCTFREE 10 PCTUSED 40 INITRANS 2 MAXTRANS 255 STORAGE (  INITIAL 64K NEXT 1024K MINEXTENTS 1 MAXEXTE

NTS 2147483645 PCTINCREASE 0 OBJNO 6 EXTENTS (FILE 1 BLOCK 176))

BBED> set dba 1,522

BBED> x /21rnnc *kdbr[20]

BBED> set dba 1,523

        DBA             0x0040020b (4194827 1,523)

BBED> x /151rnnc *kdbr[14]

--//Restart the database and check.

Database opened.

--//OK. The startup failure caused by deleting from bootstrap$ is fixed.