最近有客户被MySQL删库勒索,现象如下:
1. 删除掉以前的库,并创建一个同名库,并且会创建一个read_me_recover_tn库,类似下图:
2. 在read_me_recover_tn库中有一个readme表,每个被删除然后创建的库里面也有一个readme表
3. 每个readme表内容类似信息类似:
| mysql> desc readme
-> ;
+-----------------+------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-----------------+------+------+-----+---------+-------+
| id | int | NO | PRI | NULL | |
| Message | text | YES | | NULL | |
| Bitcoin_Address | text | YES | | NULL | |
+-----------------+------+------+-----+---------+-------+
3 rows in set (0.01 sec)
mysql> select * from readme\G;
*************************** 1. row ***************************
id: 1
Message: I have backed up all your databases. To recover them you must
pay 0.008 BTC (Bitcoin) to this address: 15f9vdGBeT1NCMp6z9NxrQEEUxnYqRPvyC .
Backup List: xxxx_db, xxxx_db_test. After your payment email me at
dbrestore3195@onionmail.org with your server IP (xx.xx.xx.xx) and transaction
ID and you will get a download link to your backup. Emails without transaction
ID and server IP will be ignored.
Bitcoin_Address: 15f9vdGBeT1NCMp6z9NxrQEEUxnYqRPvyC
1 row in set (0.00 sec)
|
这类勒索和我以前介绍相关文章类似:
RECOVER_YOUR_DATA勒索恢复
A____Z____RECOVER____DATA勒索恢复
处理办法也完全相同:
建议先对系统进行镜像或者快照,然后按照先os层面恢复,如果效果不好,考虑block级别恢复的方法处理
)
)
——线程池)