jka Posted November 27, 2017 Share Posted November 27, 2017 I noticed it this morning. On the checkout page as well as basket I see a line of gibberish all the way at the top. Not sure why and where this is coming from. I did a view source and this gibberish is ahead of the 1st line of the code. �f�z+u��j[��H�����j�[j���-jY����z�ږ��,�@-(.�ǭ���*+�&������i�^��k�Ǭ���z�.�Q)����z�ږ珕��y�]jx�zkhʋ�m�$z�h��y�F,�@-+&j�rj�"�p�HK!���LL�m�� <!DOCTYPE html> I went into maintenance, cleared all cache etc into sql cache. Not sure where this gibberish is generated from but it does not show up on the product pages. Quote Link to comment Share on other sites More sharing options...
jka Posted November 27, 2017 Author Share Posted November 27, 2017 I also notice this gibberish is at the top of the page when there are products int he basket. When the cart is emptied, the gibberish is not seen. Quote Link to comment Share on other sites More sharing options...
Al Brookbanks Posted November 27, 2017 Share Posted November 27, 2017 Looks to me like code has been injected into your files. This might have been done if the server was hacked and malicious code appended code into writable files. Quite often there are two reasons hackers do this. 1. To steal traffic by redirecting your users to their site. 2. To force virus downloads. Please check the source code hasn't been tampered with. Quote Link to comment Share on other sites More sharing options...
jka Posted November 27, 2017 Author Share Posted November 27, 2017 Al, I just checked the source files and didnt notice any files being changed or modified. This only happens on the basket page as well as checkout page. Its not on other pages. Quote Link to comment Share on other sites More sharing options...
jka Posted November 27, 2017 Author Share Posted November 27, 2017 I just noticed, you had said "writeable files". Can you please point me in the direction for writeable files for checkout/basket? Quote Link to comment Share on other sites More sharing options...
bsmither Posted November 27, 2017 Share Posted November 27, 2017 Depends how much 'permission' the intruder (if that is what happened) was given. For example, using the file editor tool in a hosted account's control panel (Cpanel) has a lot of permission to make edits to files. In this particular scenario, almost all files are 'writable'. Also, an intruder (or script) can easily have the operating system reset the file's date/time stamp to make it appear that nothing was changed. Also, I believe CC6 is coded to not send any HTTP headers until templates have been populated with data and control is about to be turned over to Smarty to render and output the templates. If something is outputting rogue content (and received by your web browser), there will be some default headers sent prematurely. The consequence of that is that when PHP is told to send the real headers, PHP will complain about "Headers already sent". This complaint will show in PHP's error log and possibly in CubeCart's admin Error Log listing. However, if a skin template file has been compromised, there will be no "Headers already sent" error. Also, it will be somewhat unlikely that the rogue content would appear at the top of the screen. Examine the contents of box.basket.php, box.basket.content.php, content.checkout.php, and main.php. Examine everything. Quote Link to comment Share on other sites More sharing options...
jka Posted November 27, 2017 Author Share Posted November 27, 2017 So, I went ahead and renamed the skins/template folder and reuploaded the templates folder all over again. So its a brand new templates folder. The same gibberish (same content) shows up on the top of the basket and checkout when products are in it. I recently had to update all my admin files for 6.1.4. Any chance this is db related issue where something is corrupted? Quote Link to comment Share on other sites More sharing options...
jka Posted November 27, 2017 Author Share Posted November 27, 2017 So, I went into the vanilla skin. Here is what I found in the browser debug mode.... "�f�z+u��j[��H�����j�[j���-jY����z�ږ��,�@-(.�ǭ���*+�&������i�^��k�Ǭ���z�.�Q)����z�ږ珕��y�]jx�zkhʋ�m�$z�h��y�F,�@-+&j�rj�"�p�HK!���LL�m��" = $0 One more image .... Quote Link to comment Share on other sites More sharing options...
bsmither Posted November 27, 2017 Share Posted November 27, 2017 You are saying this is appearing in more than one skin. The top image looks like Vanilla, and the second image is probably a Foundation or Foundation clone. In the first image. I see that the rogue content is showing in the HTML source immediately after the ColorBox code (added by the ColorBox javascript plugin), and just before the <div id=page_wrapper"> statement in the template. The second image, I presume that the rogue content is at the very top of the HTML source. But CC6 does not process a skin any differently depending on the skin. I cannot explain why this content would appear in different places. Quote Link to comment Share on other sites More sharing options...
jka Posted November 28, 2017 Author Share Posted November 28, 2017 (edited) Hello BSmither, It shows up right on the 1st line of the <body> its almost like a variable=$0 with the variable being gibberish Edited November 28, 2017 by jka Quote Link to comment Share on other sites More sharing options...
bsmither Posted November 28, 2017 Share Posted November 28, 2017 Is there a web address we can see this happening? In your first post, you show that the content appears above the <!doctype html> tag. In the vanilla skin, it appears just after the <body> tag, withe the ColorBox javascript then later adding its code just after the <body> tag. Quote Link to comment Share on other sites More sharing options...
jka Posted November 28, 2017 Author Share Posted November 28, 2017 Bsmither, When the cart is empty, the gibberish on the top line doesnt appear. Quote Link to comment Share on other sites More sharing options...
bsmither Posted November 28, 2017 Share Posted November 28, 2017 When at ?_a=basket or ?_a=confirm, when the cart is empty, there should be, other than the surrounding boxes, nothing but "Your basket is empty" message. So, look at the contents of the file /classes/cubecart.class.php, at these functions: _basket(), _checkout(), and _displaybasket(). Quote Link to comment Share on other sites More sharing options...
jka Posted November 28, 2017 Author Share Posted November 28, 2017 Thats correct. All it says is that "Your basket is empty". (like normal) and the gibberish on the top doesnt appear once the basket is empty. The gibberish line only appears when there is an item in the basket. It doesnt appear when the basket is empty. I went and noticed further that the bad code did not appear when on the payment "gateway" page. Its appear on index.php?_a=basket and index.php?_a=confirm when there is items in the basket. Quote Link to comment Share on other sites More sharing options...
bsmither Posted November 28, 2017 Share Posted November 28, 2017 Also, look in the folder /includes/extra/ for files that begin with snippet_. If any found, examine the contents of each. Quote Link to comment Share on other sites More sharing options...
jka Posted November 28, 2017 Author Share Posted November 28, 2017 Will do now. I just upgraded to the latest version 6.1.12 and it still displays the gibberish on those 2 pages when the items are in the basket. Quote Link to comment Share on other sites More sharing options...
bsmither Posted November 28, 2017 Share Posted November 28, 2017 Ok, then we need to look at what code was not changed from the upgrade: images, plugins, and snippets. I am not ready to blame any databased product data. Quote Link to comment Share on other sites More sharing options...
jka Posted November 28, 2017 Author Share Posted November 28, 2017 Ah, Bsmither, I should have waited for your wonderful insight as usual before I upgraded a customized site. There was a file with snippet_ and that gibberish code was inside it. Should I just delete it? Deleting or renaming that snippet was a lost cause. It got created again. Quote Link to comment Share on other sites More sharing options...
bsmither Posted November 28, 2017 Share Posted November 28, 2017 Now we need to learn what this snippet belongs to. Snippets are databased. If the snippet_hash.php file does not exist, it will be re-created from the data about that snippet stored in the database. In admin, Manage Hooks, Code Snippets tab, note the list of enabled snippets. Click the Edit icon of the snippet that you suspect. The details of the snippet should clue you as to what this snippet is supposed to do and who put it there. We either need to fix the snippet, or delete it (will be removed from the database). The snippet_ file should also disappear. Quote Link to comment Share on other sites More sharing options...
jka Posted November 28, 2017 Author Share Posted November 28, 2017 Its fixed now. This was the code snippet that was causing it. Quote Link to comment Share on other sites More sharing options...
bsmither Posted November 28, 2017 Share Posted November 28, 2017 Did you repair it, or delete it? Quote Link to comment Share on other sites More sharing options...
jka Posted November 28, 2017 Author Share Posted November 28, 2017 I just "unchecked" that snippet and saved. The problem went away. I can go ahead and just delete it. Quote Link to comment Share on other sites More sharing options...
keat Posted November 28, 2017 Share Posted November 28, 2017 I've had snippets go wrong and do this. In fact I have a snippet for what appears to be the same thing. Last week i modified the snippet to increase the minumum order value, and it went bad on me, producing something very similar Quote Link to comment Share on other sites More sharing options...
Al Brookbanks Posted November 28, 2017 Share Posted November 28, 2017 Sorry if I gave the wrong info. Did you upgrade your store recently? The setup process should convert code snippets to the correct encoding. Maybe it somehow got double encoded or something. The solution may be to just delete all "includes/extra/snippet_*.php" files. They will then regenerate automatically with correct code so long as the store has been upgraded properly and the setup process was run. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.