Unable to add cookies, header already sent - site hacked?

  • Unable to add cookies, header already sent - site hacked?

    I'm running vB 4.2.0 and, this morning, some of my users began reporting an issue which soon seemed to impact all users, who get one of the below messages:

    Unable to add cookies, header already sent.
    File: /mnt/stor9-wc1-dfw1/623714/626033/
    Line: 3

    Unable to add cookies, header already sent.
    File: /mnt/stor9-wc1-dfw1/623714/626033/
    Line: 3

    This includes my access to the Admin panel.

    Since then, the site seems to have been black-listed as hosting malware.

    All a bit worrying.

    Interestingly, only about a week or so ago, I started using CloudFlare to try and add an extra level of security to the site.

    Any clues or help to try and understand what has happened and how to get up and running again would be appreciated.

    In case it matters, I'm hosted with Rackspace Cloud Sites in the States.

  • #2
    Yes, it does appear you have been hit with a malware infection, likely due to an exploit, although it is hard to know if it is from vBulletin, a 3rd party product, or something else on your server.

    Suggest following the steps Wayne lists in this post -

    But copied here-
    Originally posted by Wayne Luke
    Originally posted by Mr Jolly
    Does this really fix it for good?
    Doubtful. Can't fix it for good without knowing the vector it was inserted in. Since it can only be found via a database search and not by looking in the footer template, the exploit points to a direct database insertion either via remote access to the database or through a plugin installed in the system. The following steps will check your code for compromises.

    1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

    2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

    3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

    4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

    5) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

    6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

    Query for step 4 and 5 -
    SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';

    7) Run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';

    It checks the templates for compromising code.

    8) Check .htaccess to make sure there are no redirects there.
    I would also suggest disabling hooks while cleaning this out-
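
A triage pass over the rows returned by the plugin and template queries in the checklist above, as an added example that is not part of the original posts or of vBulletin. It assumes the rows have been exported as dicts keyed by the queries' column names (only the columns the script reads are shown); the sample rows are constructed, and `shell_exec` is an addition to the names the checklist lists.

```python
import re

# Templates in which step 3 of the checklist expects an iframe tag.
IFRAME_OK = {"bbcode_video", "editor-ie.css", "member.css", "stylegenerator.css",
             "vbcms.css", "vbulletin.css", "help_bbcodes", "humanverify_recaptcha",
             "search_common", "search_common_select_type"}

# Call-shaped patterns, so "filesystem" or "execute" do not hit the way
# LIKE '%system%' and LIKE '%exec%' do. PHP spells the function passthru();
# shell_exec is an addition to the checklist's names.
CHECKS = {
    "base64": re.compile(r"base64_(?:de|en)code\s*\(", re.I),
    "command-exec": re.compile(
        r"(?<![\w>$])(?:shell_exec|exec|system|passthru)\s*\(", re.I),
    "remote-include": re.compile(
        r"\b(?:include|require)(?:_once)?\b[^;]*?(?:https?|ftp)://", re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
}

def scan(text):
    """Return the sorted names of every check that matches text."""
    return sorted(name for name, rx in CHECKS.items() if rx.search(text))

def triage(plugins, templates):
    """Map (table, title) -> findings for each row with at least one finding."""
    flagged = {}
    for row in plugins:
        hits = scan(row["phpcode"])
        if hits:
            flagged[("plugin", row["title"])] = hits
    for row in templates:
        hits = scan(row["template"])
        if row["title"] in IFRAME_OK and "iframe" in hits:
            hits.remove("iframe")  # expected there per step 3
        if hits:
            flagged[("template", row["title"])] = hits
    return flagged

# Constructed sample rows (not taken from any real site).
PLUGINS = [
    {"title": "Cleanup", "phpcode": "$filesystem_ok = file_exists($p); // execute nightly"},
    {"title": "Stats", "phpcode": "eval(base64_decode($blob)); "
                                  "include_once('http://cdn.example.invalid/s.php');"},
    {"title": "Ping", "phpcode": "$out = passthru($cmd);"},
]
TEMPLATES = [
    {"styleid": 1, "title": "bbcode_video", "template": '<iframe src="{vb:raw url}"></iframe>'},
    {"styleid": 1, "title": "footer", "template": '<iframe src="http://x.example.invalid/" width="0"></iframe>'},
]
```

Rows the script does not flag still need the manual review the checklist describes; the patterns only narrow down which of the broad `LIKE` matches to read first.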


    • #3
      It looks like I've been hit again... ...even though I've had all hooks permanently turned off since the last time, above. Slightly concerned how the bad guys are getting in!


      • #4
        Hooks disabled won't protect you if the exploit is in a 3rd party mod that has its own php pages on your server. You need to make sure all are up to date or deleted from your site. Also did you contact your host? It may be coming from outside your account.

        Are you running the latest patch for 4.2.0? (PL3)


        • #5
          Hi Joe - yes, I'm running 4.2.0 PL3.

          When I got proper access tonight I had a poke around my file system. All that seems to have been updated is class_bootstrap.php which had a new timestamp on it.

          However when I copied it locally and diffed it against an untouched 4.2.0 PLS file, there were no differences at all so, presumably, the actual format of the file itself had become screwed due to some sort of rogue access to it. All very peculiar. As soon as I put the original file back the site was up and running without issue.

          I'll contact Rackspace to see if they can help at all. It also feels like it would be prudent to strip back all modifications completely and build them up from scratch again.

