cannot send session cookie-session cache limiter

I have 24 C-5 sites on the same server. They range in versions 5.4.0.5 to 5.6.0.2.

17 of them are returning:
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /.../concrete/models/page.php(2181) : eval()'d code:2) in /.../concrete/startup/session.php on line 18

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /.../concrete/models/page.php(2181) : eval()'d code:2) in /.../concrete/startup/session.php on line 18

The 18th one, I checked index.php for spaces and blank lines, I reloaded "concrete" folder and now that site is returning:

Warning: require_once(/.../concrete/config/../libraries/loader.php) [function.require-once]: failed to open stream: No such file or directory in /.../concrete/config/base.php on line 496

Fatal error: require_once() [function.require]: Failed opening required '/.../concrete/config/../libraries/loader.php' (include_path='.:/usr/lib/php:/usr/local/lib/php:/home/XXX/public_html/libraries/3rdparty:/home/XXX/public_html/concrete/config/../libraries/3rdparty') in /.../concrete/config/base.php on line 496

I got lost on that include path. XXX = client folder name
I only know "pidgin" PHP . . . I am lost. Please help.

BTW: The other 6 sites (various versions) are fine. Go figure.

bluPaula
 
mnakalay replied:
Hello,

Usually this happens when a piece of code somewhere fails. What I mean is that the message you are seeing might be misleading.

Maybe you should start by looking at your site.php in the root config folder.

Can you think of anything those sites have in common? Any change lately? Updated the themes? Added a new add-on? Any updates on the server itself?
jero replied:
Have you made any changes to config/site.php? If you've included the closing ?> and have blank lines after that, you may get this sort of problem.
mnakalay replied:
Hi again, I just checked your website blueship.com which shows the error as well.

You might have a virus problem, my anti-virus blocked your website from loading saying there was a known threat from the file enfamilprintablecoupons.com / clicker.php

When I checked the source code for your page I could see some very suspect javascript in 2 different spots including one before the <html> tag (usually a sign of foul play).

I think you need to run an anti-virus on your server.
jero replied:
Yup - looks like your site(s) have been cracked. concrete/startup/url_check.php should look like this (5.6.1):

<?php
defined('C5_EXECUTE') or die("Access Denied.");
if (REDIRECT_TO_BASE_URL == true) {
        $protocol = 'http://';
        $base_url = BASE_URL;
        if (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on')) {
                $protocol = 'https://';
                if (defined('BASE_URL_SSL')) {
                        $base_url_ssl = BASE_URL_SSL;
                } else {
                        $base_url_ssl = Config::get('BASE_URL_SSL');
                }
                if ($base_url_ssl) {
                        $base_url = $base_url_ssl;
                }


Check that it looks the same/very similar - and be highly suspicious of any lines of code that start with "eval".
bluPaula replied:
concrete/startup/url_check.php looks fairly familiar. This is from the 18th site which is V5.4.1.1

<?php 
defined('C5_EXECUTE') or die("Access Denied.");
if (REDIRECT_TO_BASE_URL == true) {
   $protocol = 'http://';
   $base_url = BASE_URL;
   if (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS']) && ($base_url_ssl = Config::get('BASE_URL_SSL'))) {
      $protocol = 'https://';
      $base_url = $base_url_ssl;
   }
   $uri = $_SERVER['REQUEST_URI'];
   if (strpos($uri, '%7E') !== false) {
      $uri = str_replace('%7E', '~', $uri);
   }
   if (($base_url != $protocol . $_SERVER['HTTP_HOST']) && ($base_url . ':' . $_SERVER['SERVER_PORT'] != 'https://' . $_SERVER['HTTP_HOST'])) {
      header('HTTP/1.1 301 Moved Permanently');
bluPaula replied:
I checked a few source codes and the ones that had anything besides just the error codes all had the first javascript.

I'm not familiar with enfamilprintablecoupons.com; not sure where that came from.

I did check root config/site.php and it looks fine.

These sites do not have the same themes, have not had anything other than a little content editing done on them for quite some time.

I haven't heard back from HostGator yet. You guys are so responsive that I knew I'd have good info if I needed it when talking to them.
jero replied:
Have a look at concrete/models/page.php - specifically line 2181. Possibly that file's had an eval statement planted in it.

The issue you've got, as mnakalay pointed out, is that there's some code injection going on, which points to your sites having been compromised.
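
The check jero describes in this post and in the earlier url_check.php post, as an added example that is not part of the original thread: a Python sketch that compares a site's concrete/ folder with a pristine copy of the same concrete5 version and lists eval-style calls that the pristine file does not contain. The function names, the list of suspect calls and the sample trees are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Calls worth a manual look; the list is an assumption, extend it as needed.
SUSPECT = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_core(site_core, clean_core):
    """Compare a site's concrete/ directory with a pristine copy of the same version."""
    site_core, clean_core = Path(site_core), Path(clean_core)
    clean = {p.relative_to(clean_core) for p in clean_core.rglob("*.php")}
    site = {p.relative_to(site_core) for p in site_core.rglob("*.php")}
    report = {"modified": [], "suspect_lines": [],
              "added": sorted(p.as_posix() for p in site - clean),
              "missing": sorted(p.as_posix() for p in clean - site)}
    for rel in sorted(site):
        known = set()
        if rel in clean:
            if sha256(site_core / rel) == sha256(clean_core / rel):
                continue  # byte-identical to the pristine file
            report["modified"].append(rel.as_posix())
            known = set((clean_core / rel).read_text(errors="replace").splitlines())
        lines = (site_core / rel).read_text(errors="replace").splitlines()
        for no, line in enumerate(lines, 1):
            # Only flag suspect calls that the pristine file does not contain.
            if SUSPECT.search(line) and line not in known:
                report["suspect_lines"].append((rel.as_posix(), no, line.strip()[:80]))
    return report

def demo():
    """Constructed sample trees: a clean copy and a site with one planted line."""
    root = Path(tempfile.mkdtemp())
    original = "<?php\nclass Page {\n  function render() { return 1; }\n}\n"
    planted = original.replace("class Page {", "class Page {\n  function x() { eval($x); }")
    for tree, body in (("clean", original), ("site", planted)):
        (root / tree / "models").mkdir(parents=True)
        (root / tree / "models" / "page.php").write_text(body)
        (root / tree / "startup").mkdir()
        (root / tree / "startup" / "session.php").write_text("<?php\nsession_start();\n")
    (root / "site" / "startup" / "extra.php").write_text("<?php echo 1;\n")
    return audit_core(root / "site", root / "clean")

if __name__ == "__main__":
    print(demo())
```

With 24 sites on mixed versions, each site needs a pristine tree of its own version as the reference; files reported as added deserve the same scrutiny as modified ones.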
bluPaula replied:
Thanks Jero! I followed your direction and cleaned up concrete/models/page.php and that cleaned up blueship.com. I hope that's where the other 17 have the problem!
jero replied:
Cool.

Next step is to figure out how they got in, otherwise they'll only try again. I'd change all of your hosting account/cpanel/ftp passwords if you haven't done so already. It might be wise to talk to your hosting provider and see if they have any ideas on how you got cracked, assuming your password wasn't easily guessed or a dictionary word etc.

Good luck