Civfanatics problems

[Sisiutil]

Here's what I get--similar but not quite the same as Ori's:

Spoiler :

<script src="/clientscript/vbulletin_css/style-944ecf91-00003.js"></script>
<html xmlns="http://www.w3.org/1999/xhtml" dir="" lang="">
<head>


<title>Civilization Fanatics' Forums</title>

<style type="text/css">
span.sortarrow {position:absolute;}
span.sortarrow img {border:0;}
a.sortheader {text-decoration:none; display:block; width:100%;}
</style>
<script type="text/javascript">
var IMGDIR_BUTTON = "";
</script>
<script type="text/javascript" src="clientscript/sorttable.js"></script>
</head>
<body>


<br /><br /><br />


<table class="tborder" cellpadding="" cellspacing="" border="0" width="70%" align="center">
<tr>
<td class="tcat"></td>
</tr>
<tr>
<td class="panelsurround" align="center">
<div class="panel">
<div align="">


<!-- main error message -->


<div style="margin: 10px">Unable to add cookies, header already sent.<br />
File: /usr/local/etc/httpd/forums.civfanatics.com/includes/init.php(298) : eval()'d code<br />
Line: 157<br /></div>


<!-- / main error message -->


</div>
</div>
<!--
<div style="margin-topx">
<input type="submit" class="button" value="" accesskey="s" onclick="history.back(1); return false" />
</div>
-->
</td>
</tr>
</table>

<br />


<!-- forum jump -->
<table cellpadding="0" cellspacing="0" border="0" align="center">
<tr>
<td></td>
</tr>
</table>
<!-- / forum jump -->


<br />



</body>
</html>

 

[Deckhand]

If anyone is still getting this, can they please right-click on the page, "view source" and post the contents?

Mine:

Spoiler :

<script src="/clientscript/vbulletin_css/style-944ecf91-00003.js"></script>
<html xmlns="http://www.w3.org/1999/xhtml" dir="" lang="">
<head>


<title>Civilization Fanatics' Forums</title>

<style type="text/css">
span.sortarrow {position:absolute;}
span.sortarrow img {border:0;}
a.sortheader {text-decoration:none; display:block; width:100%;}
</style>
<script type="text/javascript">
var IMGDIR_BUTTON = "";
</script>
<script type="text/javascript" src="clientscript/sorttable.js"></script>
</head>
<body>


<br /><br /><br />


<table class="tborder" cellpadding="" cellspacing="" border="0" width="70%" align="center">
<tr>
<td class="tcat"></td>
</tr>
<tr>
<td class="panelsurround" align="center">
<div class="panel">
<div align="">


<!-- main error message -->


<div style="margin: 10px">Unable to add cookies, header already sent.<br />
File: /usr/local/etc/httpd/forums.civfanatics.com/includes/init.php(298) : eval()'d code<br />
Line: 157<br /></div>


<!-- / main error message -->


</div>
</div>
<!--
<div style="margin-topx">
<input type="submit" class="button" value="" accesskey="s" onclick="history.back(1); return false" />
</div>
-->
</td>
</tr>
</table>

<br />


<!-- forum jump -->
<table cellpadding="0" cellspacing="0" border="0" align="center">
<tr>
<td></td>
</tr>
</table>
<!-- / forum jump -->


<br />



</body>
</html>

 

[ainwood]

Ok - thanks.i was hoping it could give me a steer as to what template the malware is being loaded from, but that is the standard error message template...

 

[Petek]

two more things going into the logs:



also the google secure browing api seems to be on to the site - as both goog-malware-shavar and goog-phish-shavar hash tags are sent along with the site request, which may cause trouble down the line if it does indeed identify this site as infected as I understand the descriptions (though I did not delve deeply enough into the api docs to know exactly what those actually mean).

As of right now, the Google Safe Browsing report for CivFanatics doesn't list any suspicious activity.

 

[Dachannien]

Looks like whatever the vulnerability was, it's still extant and got reinfected after Ainwood's earlier efforts a couple days ago. Or possibly it got knocked up multiple times before the initial problem was reported.

In any case, it might help to set the permissions for all of the vBulletin directories and the root directory to read-only, to prevent further reinfection, at least until the problems are figured out. Most vBulletin functionality is done through MySQL anyway, so it doesn't really need to add or edit files once you've installed it.

 

[ainwood]

I got support from Thunderfall, and he found and killed some more files, and did a thorough check of the templates.

 

[Deckhand]

Clicking on the link in email for this post brought up the error, as did refreshing that screen Pasting the link in the browser window successfully got me here.

 

[ainwood]

As a random thought, could you please clear your cache and try that again?

 

[Sisiutil]

As a random thought, could you please clear your cache and try that again?

Nope, didn't help.

One other thing: it just seems to be the "goto=newpost" command that's causing this; if I remove that from the url, the page opens fine--on the first page of the thread, though.

 

[ori]

I tested this on multiple machines now: once cookies are set you get in same is if the forum is in the cache - remove cookies and clear your cache and the message comes on on first connection - the link followed doesn't matter all that much in my tests.

 

[ainwood]

Which cookie? The CFC one, or the malware one?

 

[ori]

it worked when I just clicked on log out - closed the browser and then searched for something forums civfanatics thread whatever in google to follow any link to a thread - always just on first load. I did not remove cookies individually so far.

 

[ainwood]

And didn't clear cache either? I haven't been able to replicate it by just:
Click "logout".
Close browser tab.
Close browser.
Reopen browser.
Use google to find a CFC link.
Click that link.
CFC Page opens normally.

 

[The_J]

My cookies get cleared after closing the browser, and my cache is set to 0, and nothing happens when I go on CFC .
As previously said, the cookies also don't have that halifax entry anymore:

Spoiler :

Someone from the people who still get the error should maybe check if they get it or not (after deleting cookies and clearing the cache).

 

[ls612]

I just nuked the halifax cookie from my browser, and also saw something called _utma which I didn't recognize and also deleted. This is a serious problem both for the vast majority of users who haven't seen this thread yet as well as for the site if Google sees the infection.

 

[Adjuvant]

And didn't clear cache either? I haven't been able to replicate it by just:
Click "logout".
Close browser tab.
Close browser.
Reopen browser.
Use google to find a CFC link.
Click that link.
CFC Page opens normally.

I just now did it again, to see if anything had changed.

"Unable to add cookies, header already sent.
File: /usr/local/etc/httpd/forums.civfanatics.com/includes/init.php(298) : eval()'d code
Line: 157"

What was different this time, actually, refreshing didn't load civfanatics, it loaded the error message again. I couldn't actually load civfanatics page until i typed www.civfanatics.com in the bar.

Isn't there any way you can elevate this to vBulletin?

edit: btw, here's this.

Spoiler :

<script src="/clientscript/vbulletin_css/style-944ecf91-00003.js"></script>
<html xmlns="http://www.w3.org/1999/xhtml" dir="" lang="">
<head>


<title>Civilization Fanatics' Forums</title>

</head>
<body>


<br /><br /><br />


<table class="tborder" cellpadding="" cellspacing="" border="0" width="70%" align="center">
<tr>
<td class="tcat"></td>
</tr>
<tr>
<td class="panelsurround" align="center">
<div class="panel">
<div align="">


<!-- main error message -->


<div style="margin: 10px">Unable to add cookies, header already sent.<br />
File: /usr/local/etc/httpd/forums.civfanatics.com/includes/init.php(298) : eval()'d code<br />
Line: 157<br /></div>


<!-- / main error message -->


</div>
</div>
<!--
<div style="margin-topx">
<input type="submit" class="button" value="" accesskey="s" onclick="history.back(1); return false" />
</div>
-->
</td>
</tr>
</table>

<br />


<!-- forum jump -->
<table cellpadding="0" cellspacing="0" border="0" align="center">
<tr>
<td></td>
</tr>
</table>
<!-- / forum jump -->


<br />



</body>
</html>

 

[ainwood]

Can you try again, please?

 

[Adjuvant]

Can you try again, please?

Same deal, just now. I use firefox, btw.

edit: Does it maybe have to do with privacy settings? I have "tell sites I do not want to be tracked" and "never remember history". Maybe some advertising script somewhere between google and vBulletin doesn't like that.

 

[Sisiutil]

Same deal, just now. I use firefox, btw.

edit: Does it maybe have to do with privacy settings? I have "tell sites I do not want to be tracked" and "never remember history". Maybe some advertising script somewhere between google and vBulletin doesn't like that.

I was wondering the same thing. Still seeing the same behaviour, BTW.

 

[ori]

yeah, me too, doesn't get easier to track down with admins not being affected apparently. We are working on it though.