cannot send session cookie-session cache limiter
I have 24 C-5 sites on the same server. They range in versions 5.4.0.5 to 5.6.0.2.
17 of them are returning:
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /.../concrete/models/page.php(2181) : eval()'d code:2) in /.../concrete/startup/session.php on line 18
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /.../concrete/models/page.php(2181) : eval()'d code:2) in /.../concrete/startup/session.php on line 18
The 18th one, I checked index.php for spaces and blank lines, I reloaded "concrete" folder and now that site is returning:
Warning: require_once(/.../concrete/config/../libraries/loader.php) [function.require-once]: failed to open stream: No such file or directory in /.../concrete/config/base.php on line 496
Fatal error: require_once() [function.require]: Failed opening required '/.../concrete/config/../libraries/loader.php' (include_path='.:/usr/lib/php:/usr/local/lib/php:/home/XXX/public_html/libraries/3rdparty:/home/XXX/public_html/concrete/config/../libraries/3rdparty') in /.../concrete/config/base.php on line 496
I got lost on that include path. XXX = client folder name
I only know "pidgin" PHP . . . I am lost. Please help.
BTW: The other 6 sites (various versions) are fine. Go figure.
Have you made any changes to config/site.php? If you've included the closing ?>, and have blank lines after that you may get this sort of problem.
Hi again, I just checked your website blueship.com, which shows the error as well.
You might have a virus problem; my anti-virus blocked your website from loading, saying there was a known threat from the file enfamilprintablecoupons.com / clicker.php
When I checked the source code for your page I could see some very suspect javascript in 2 different spots, including one before the <html> tag (usually a sign of foul play).
I think you need to run an anti-virus on your server.
Yup - looks like your site(s) have been cracked. concrete/startup/url_check.php should look like this (5.6.1):
<?php
defined('C5_EXECUTE') or die("Access Denied.");
if (REDIRECT_TO_BASE_URL == true) {
	$protocol = 'http://';
	$base_url = BASE_URL;
	if (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on')) {
		$protocol = 'https://';
		if (defined('BASE_URL_SSL')) {
			$base_url_ssl = BASE_URL_SSL;
		} else {
			$base_url_ssl = Config::get('BASE_URL_SSL');
		}
		if ($base_url_ssl) {
			$base_url = $base_url_ssl;
		}
(First 15 of 26 lines shown.)
Check that it looks the same/very similar - and be highly suspicious of any lines of code that start with "eval"
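An added example, not part of the original thread and not concrete5 code: one way to run the check suggested above across many sites is to compare each site's concrete/ folder with a clean copy of the same version and flag lines that start with eval. The function names, directory layout and sample file bodies are assumptions constructed for the demo.

```python
import hashlib, re, tempfile
from pathlib import Path

# A line that begins with eval( is only a hint; the hash comparison is the real signal.
EVAL_LINE = re.compile(r'^\s*(?:<\?php\s*)?@?\s*eval\s*\(', re.IGNORECASE)

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_core(site_core, clean_core):
    """Return {relative_path: [findings]} for PHP files needing a manual look."""
    site_core, clean_core = Path(site_core), Path(clean_core)
    findings = {}
    for f in sorted(site_core.rglob("*.php")):
        rel = f.relative_to(site_core).as_posix()
        notes = []
        ref = clean_core / rel
        if not ref.is_file():
            notes.append("not in clean copy")
        elif digest(f) != digest(ref):
            notes.append("differs from clean copy")
        lines = f.read_text(errors="replace").splitlines()
        notes += [f"line {n} starts with eval"
                  for n, line in enumerate(lines, 1) if EVAL_LINE.match(line)]
        if notes:
            findings[rel] = notes
    for f in sorted(clean_core.rglob("*.php")):  # core files the site has lost
        rel = f.relative_to(clean_core).as_posix()
        if not (site_core / rel).is_file():
            findings.setdefault(rel, []).append("missing from site")
    return findings

def demo():
    """Constructed trees; file bodies are placeholders, not real concrete5 code."""
    root = Path(tempfile.mkdtemp())
    clean = {"models/page.php": "<?php\nclass Page {}\n",
             "startup/url_check.php": "<?php\n// redirect check\n",
             "libraries/loader.php": "<?php\nclass Loader {}\n"}
    site = dict(clean, **{"models/page.php": clean["models/page.php"] + "eval($injected);\n"})
    del site["libraries/loader.php"]
    for name, tree in (("clean", clean), ("site", site)):
        for rel, body in tree.items():
            p = root / name / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
    return audit_core(root / "site", root / "clean")

if __name__ == "__main__":
    print(demo())
```

The clean copy must be the same concrete5 version as the site being checked, otherwise every file that changed between releases is reported as a difference.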
concrete/startup/url_check.php looks fairly familiar. This is from the 18th site which is V5.4.1.1
<?php
defined('C5_EXECUTE') or die("Access Denied.");
if (REDIRECT_TO_BASE_URL == true) {
	$protocol = 'http://';
	$base_url = BASE_URL;
	if (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS']) && ($base_url_ssl = Config::get('BASE_URL_SSL'))) {
		$protocol = 'https://';
		$base_url = $base_url_ssl;
	}
	$uri = $_SERVER['REQUEST_URI'];
	if (strpos($uri, '%7E') !== false) {
		$uri = str_replace('%7E', '~', $uri);
	}
	if (($base_url != $protocol . $_SERVER['HTTP_HOST']) && ($base_url . ':' . $_SERVER['SERVER_PORT'] != 'https://' . $_SERVER['HTTP_HOST'])) {
		header('HTTP/1.1 301 Moved Permanently');
(First 15 of 19 lines shown.)
I checked a few source codes and the ones that had anything besides just the error codes all had the first javascript.
I'm not familiar with enfamilprintablecoupons.com, not sure where that came from.
I did check root config/site.php and it looks fine.
These sites do not have the same themes, have not had anything other than a little content editing done on them for quite some time.
I haven't heard back from hostgator yet. You guys are so responsive that I knew I'd have good info if I needed it when talking to them.
Have a look at concrete/models/page.php - specifically line 2181. Possibly that file's had an eval statement planted in it.
The issue you've got, as mnakalay pointed out, is that there's some code injection going on, which points to your sites having been compromised.
Thanks Jero! I followed your direction and cleaned up concrete/models/page.php and that cleaned up blueship.com. I hope that's where the other 17 have the problem!
Cool.
Next step is to figure out how they got in, otherwise they'll only try again. I'd change all of your hosting account/cpanel/ftp passwords if you haven't done so already. It might be wise to talk to your hosting provider and see if they have any ideas on how you got cracked, assuming your password wasn't easily guessed or a dictionary word etc.
Good luck
Usually this happens when a piece of code somewhere fails. What I mean is that the message you are seeing might be misleading.
Maybe you should start by looking at your site.php in the root config folder.
Can you think of anything those sites have in common? Any change lately? Updated the themes? Added a new add-on? Any updates on the server itself?