Site compromised: ZMEU attack - mysql

My site has been compromised with ZmEu attacks. In the logs I find suspicious user agents named ZmEu.
The site returns 500 internal server error. There are no related error logs in the apache error log.
There are several dummy files all over in my server. I removed all of them.
But still the site is down.
What is the main target for such attacks? (What files are modified and how do I get them back?)
Where should I look to fix the issues?
If anyone has undergone such a situation please give your advice.
Update: It's a WordPress site which is not working. There are other apps in subdirectories which are working fine.
Thanks in advance,

You restore from a backup in this situation.
It will be tough to sort through and reverse everything 100%. The hacker could have even changed the modification times on the files, so you'll never be able to tell what has been accessed or not, without combing through every line.
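The answer's point is that timestamps cannot be trusted after a compromise, so the only reliable way to see what changed is to compare file contents against the clean backup. This is an added example (not code from the thread) that hashes a live web root and a backup tree and reports modified, added and missing files regardless of mtime; the two trees and the "attacker" edit are constructed inline.

```python
"""Compare a live web root against a clean backup by content hash, ignoring mtimes."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Map each regular file (path relative to root) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def diff_trees(live: Path, backup: Path) -> dict[str, list[str]]:
    """Files whose content differs from the backup; mtime plays no role."""
    live_m, backup_m = manifest(live), manifest(backup)
    return {
        "modified": sorted(f for f in live_m if f in backup_m and live_m[f] != backup_m[f]),
        "added": sorted(f for f in live_m if f not in backup_m),
        "missing": sorted(f for f in backup_m if f not in live_m),
    }


def demo() -> dict[str, list[str]]:
    """Constructed trees: one edited file with its mtime reset, one dropped file."""
    tmp = Path(tempfile.mkdtemp())
    backup, live = tmp / "backup", tmp / "live"
    (backup / "wp-content").mkdir(parents=True)
    (backup / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    (backup / "wp-content" / "theme.css").write_text("body{}\n")
    shutil.copytree(backup, live)
    # Simulated tampering: content changed, then the clean file's mtime copied back,
    # so 'ls -l' or find -newer would show nothing.
    (live / "index.php").write_text("<?php /* constructed injected line */ require 'wp-blog-header.php';\n")
    st = (backup / "index.php").stat()
    os.utime(live / "index.php", ns=(st.st_atime_ns, st.st_mtime_ns))
    (live / "wp-content" / "x.php").write_text("<?php // constructed dropped file\n")
    result = diff_trees(live, backup)
    shutil.rmtree(tmp)
    return result
```

In a real cleanup, run `diff_trees` on the mounted backup and the live document root, then restore every path listed under "modified" and delete everything under "added" before looking at anything else.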

Related

How do I add a Remote Connection to Ionos Database for ExcelforMySQL?

I have a database that I have created for a friend of mine that he would like to store his data in and work directly from on a daily basis. Recently I came across ExcelforMySQL and thought this would be a perfect AddIn for him to use.
I have successfully linked the AddIn to the database (Xampp local connection) and this loads up fine, but when I move the database onto a webserver that I have with Ionos (1and1) and enter the host details along with the username and password, I get the following error:
Connection attempt failed.
Unable to connect to any of the specified MySQL hosts.
When I click Show Details:
All it says is One or more errors occurred.
Would really appreciate it, if somebody could advise on how to fix this, as I really want to be able to work live on the data and update the changes from the user directly in Excel if possible and this addin looks like it does that.
If anyone has any other suggestions then I am happy to hear them, as I'm not fussed about what is used as long as it works.
Thanks
I had a similar problem to yourself with a number of my own sites/DBs hosted on Ionos. After a bit of searching through their help, they state that access from outside your Ionos package is not possible. Unfortunately we're stuck with their hosted version of phpMyAdmin in the control panel.
Although I have found that MySQL-Front works great and bypasses the Ionos restrictions. Google is your friend...
Maybe a bit late for you, but for others who come across this question, as I said, Google is your friend...

InfoPath 2010 not Returning Data from Access dB

I have been working on a submission form for two of our employees to enter tax data. It is an InfoPath 2010 form, which is connecting to an Access 2010 accdb. The purpose of the form is to pull related data from two source tables (one from the old DB that was used, and the other from APX which houses additional information) to prefill as many fields as possible. Everything works fine when running it from my computer, or directly off our server. The problem I am running into now is that our two users have access to the files, can open them with InfoPath Filler, but upon opening, they get the "InfoPath cannot connect to the data source...". The funny thing is that last week they were able to connect and submit data with no problem (then one day I came back from lunch and it no longer worked). How I had to originally set them up was to create a certificate, make the forms full trust, and add both user IDs as having read/write access. When I run the form from my desktop it works without a hitch. I even tried remapping to an mdb to see if it was a version issue. The DB is stored on a shared domain, \testdomain\, for argument's sake. Then they access the form via the same directory. Just to note, SharePoint is not connected in any way. All the searches I have done have yielded no solutions. I am thinking it is a networking issue, and have a meeting with the network admin in a few hours. But what I can't figure out is how it worked before, and not now. Does anyone have any suggestions or thoughts on what could be causing this? Just to clarify, I can run the same xsn form they run, from the same server location, without having the issue they do. I truly appreciate anything anyone might be able to offer!
OK, finally figured out what was causing the problem (totally feel dumb). Apparently the servers used randomly get backed up, and when they do, the permissions get overwritten. If anyone else runs into this, review the access permissions for the directory and all the files. Thanks Nathan for your advice!

Unwanted code being inserted into pages

Some of our ColdFusion sites are having the words "coupon" inserted into their footer with a link to another site. Is there anything I can do to prevent this? Is there any software I can run to help detect any vulnerabilities? It doesn't seem to be SQL injection as the databases seem fine and nothing unusual is showing up in the logs.
There are several variations of attacks that produce this sort of result (appending a link to some malicious or nefarious site). For example, this one (Script Injection) uses the latency between a file upload and checking to insert executable code on your server.
Other attack vectors include FTP (which is why you should not use it), or other file transfer protocols. In your case the infected machine may not be the server. It could be a client machine with access to the server - a developer who has set up FTP to the server for example.
Let me know if you need formal help - we have a good track record fixing this sort of thing. If you get more clues, post them and I'll try to help. I will warn you that if this is a server infection it is at the root level and is so pervasive your only option is to start with a pristine install and reinstall your code. Bad news I know - sorry :(
We had something similar happen when one of our servers was hit by the hack Charlie Arehart describes here:
http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat
Have you had these patches?
Another option that I would recommend is searching your site(s) for any use of the <cffile> tag that isn't expected. I had a customer that somehow got a single file that was a backdoor to their site. It was particularly dangerous because it could upload files to any location on the server as well as execute any SQL command against any datasource on the server. In other words, this single file opened the door to all of the sites and databases that were running on that server.
This backdoor file (which was named vision.cfm) was often used to update footers with links to coupon and spam sites. vision.cfm was only 210 lines of code.
The entire server had to be sanitized after this was discovered.
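The answer above suggests searching the sites for any `<cffile>` usage that is not expected. This is an added example (not the answerer's code) of a small scanner that walks CFML templates, flags `<cffile>` actions that write to disk and any `<cfexecute>`, and skips an allow-list of templates where an upload is a known feature; the sample templates, file names and allow-list are constructed.

```python
"""Flag ColdFusion templates that can write files or run commands, outside an allow-list."""
import re
from pathlib import Path

# cffile actions that write to disk; a dropped backdoor needs one of these (or cfexecute).
RISKY_CFFILE_ACTIONS = {"upload", "uploadall", "write", "append", "copy", "move", "rename"}
TAG_RE = re.compile(r"<(cffile|cfexecute)\b([^>]*)>", re.IGNORECASE)
ACTION_RE = re.compile(r'action\s*=\s*"([^"]+)"', re.IGNORECASE)


def scan_source(name: str, source: str, expected: set[str]) -> list[tuple[str, int, str, str]]:
    """Return (file, line, tag, action) for each risky tag in a template not on the allow-list."""
    findings: list[tuple[str, int, str, str]] = []
    if name in expected:  # reviewed template where the upload/write is intentional
        return findings
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in TAG_RE.finditer(line):
            tag = m.group(1).lower()
            am = ACTION_RE.search(m.group(2))
            action = am.group(1).lower() if am else ""
            if tag == "cfexecute" or action in RISKY_CFFILE_ACTIONS:
                findings.append((name, lineno, tag, action))
    return findings


def scan_tree(root: Path, expected: set[str]) -> list[tuple[str, int, str, str]]:
    """Scan every .cfm/.cfc under root (paths reported relative to root)."""
    out = []
    for p in sorted(root.rglob("*")):
        if p.suffix.lower() in {".cfm", ".cfc"}:
            out.extend(scan_source(str(p.relative_to(root)), p.read_text(errors="replace"), expected))
    return out


# Constructed sample templates: a legitimate upload page, a harmless read, and a suspicious one.
SAMPLES = {
    "admin/upload.cfm": '<cffile action="upload" filefield="doc" destination="#expandPath(\'/docs\')#">',
    "footer.cfm": '<cfoutput>#year(now())# Example Co.</cfoutput>\n<cffile action="read" file="#f#" variable="t">',
    "images/x.cfm": '<cfparam name="p" default="">\n<cffile action="write" file="#dest#" output="#content#">\n<cfexecute name="#cmd#">',
}
EXPECTED = {"admin/upload.cfm"}  # constructed allow-list of reviewed templates


def demo() -> list[tuple[str, int, str, str]]:
    return [f for name, src in SAMPLES.items() for f in scan_source(name, src, EXPECTED)]
```

A template in an images or uploads directory that writes files is exactly the kind of hit worth pulling and reading line by line; pair this with the backup comparison so a renamed or newly dropped template does not slip past the allow-list.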

Websites running very slow

We have a vserver problem that started all of a sudden yesterday.
If you go to this website:
http://www.rightsfreeradio.de
You will notice that it needs ages to load.
This happens to all websites we have running on the vserver.
I asked the provider if there is any problem with their connections, but they don't have any problems.
If I log in to FTP it's running fast as usual;
only the web based applications and websites are running very slow.
Running "top" shows that mysql takes like 70%+ of the CPU, but I am not sure if that's normal or not.
Do you have any ideas what could be wrong with the server?
What programming standards are you using? I opened the link but it did not open.
Either there may be an issue with the server, or another cause is:
Check whether any js or css file is taking time to load.
Put unnecessary imported files at the end of the body tag.
On load, are you calling any function which may be prone to deadlock or getting blocked?
Make sure to use an HTML validator to correct your HTML etc.
Also make sure all scripts are working fine, or to debug, take off all the imported script files and go from there.
Link doesn't open at all.
First, I suggest you restart all services on your server and then:
check the mysql error log as you say above
tail -f /var/log/mysql.log
and then check your databases
mysqlcheck -Aor
and you can follow this link below
Show top five CPU consuming processes with ps

Can't edit table row in phpmyadmin

I've just had an issue with a client's site: they couldn't log in to an admin area I built for them. I verified this and went straight into the database via phpMyAdmin.
I thought I'd try to edit the admin password and see if something has gone wrong here. I've clicked edit (pencil icon) however I don't get the row to edit I get the following...
Column | Type | Function | Null | Value
and a go button, no edit options, no row data, I click go and get an error:
tbl_replace.php: Missing parameter: goto
I'm guessing there is some kind of database issue going on here. I've tried a Check Table and an Analyze Table, with no results output.
Not really sure what's going on here, I've never come across this before.
Any ideas? Sorry if it's a bit vague I've tried to include as much info as I could as simply as I could.
[UPDATE]
I think I've found the culprit of a few issues on my VPS, including the database and my client's website etc. I found that my tmp directory is full. Old sessions and misc files are not being cleared. This could very well be the cause. I have one file '.cpanel_easy-.bLfpq2ZYoTbdcY_c' that I can't identify that is taking up a whole lot of space; if I knew what this was I could possibly fix my issue.
I can confirm that the issue I was having was caused by the tmp directory on my VPS being full. It was filled with old temporary install files and a bunch of sessions (hundreds) and other miscellaneous files, mainly from software updates but a whole bunch from various WordPress installations, I'm guessing plugins with some messy coding that don't clean up after themselves.
Thanks to those that helped out.