XF 2.0 .core files

JoyFreak

Well-known member
Guys I need your help!

There are .core files spamming my public_html folder and I spoke to my hosting provider and they said it's related to a script. What is it? How do I find the cause of it? How do I stop it!

Thanks!
 
Thank you for getting in touch.

Core files are memory dumps of a process that crashed, in this case, probably PHP.

This is caused by a flaw in the PHP interpreter implementation and not necessarily due to anything malicious taking place.

You can freely delete those files. However, keep in mind that they are a clear indication that something is wrong with your PHP code.

So I checked where those core files are being generated from and it seems all of them come from the same thread:
Code:
[~/public_html]# for i in `cat corefiles.txt | awk '{print $9}'` ; do strings $i | grep "^HTTP_REFERER" ; done;
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/admin.php
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/feature-edit
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/
HTTP_REFERER=https://www.gnonline.net/threads/first-screenshots.15634/

I then checked which script is creating them and it seems most of them are generated from a file called proxy.php located in the root of your public_html folder:
Code:
[~/public_html]# for i in `cat corefiles.txt | awk '{print $9}'` ; do strings $i | grep "^REQUEST_URI" ; done;
REQUEST_URI=/css.php?css=public%3Anormalize.css%2Cpublic%3Acore.less%2Cpublic%3Aapp.less%2Cpublic%3Afont_awesome.css&s=58&l=1&d=1517677881&k=117647f732cdceedf6b7ebc9092c02a1a3b0a1a1
REQUEST_URI=/admin.php?add-ons/s9e-MediaSites/icon
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FkLudcYN.jpg&hash=5bb3723ce886d3c22e33bbe6f4da4b91
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FbVnuo6s.jpg&hash=104bb8af125cef8187a9eeeec45af1d6
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FbVnuo6s.jpg&hash=104bb8af125cef8187a9eeeec45af1d6
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FbVnuo6s.jpg&hash=104bb8af125cef8187a9eeeec45af1d6
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FkLudcYN.jpg&hash=5bb3723ce886d3c22e33bbe6f4da4b91
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FEEGMkiV.jpg&hash=908fafcd14ea6b5f4628cfdb6ac9eaa9
REQUEST_URI=/css.php?css=public%3Aalnb_navigation.less%2Cpublic%3Abb_code.less%2Cpublic%3Alightbox.less%2Cpublic%3Amessage.less%2Cpublic%3Anotices.less%2Cpublic%3Ashare_controls.less%2Cpublic%3Asnog_flags.less%2Cpublic%3Ath_reactions.less%2Cpublic%3Aextra.less&s=58&l=1&d=1517677881&k=76636f65b7ee4436c351562beb88e3aacfbc6876
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FkLudcYN.jpg&hash=5bb3723ce886d3c22e33bbe6f4da4b91
REQUEST_URI=/css.php?css=public%3Aalnb_navigation.less%2Cpublic%3Abb_code.less%2Cpublic%3Alightbox.less%2Cpublic%3Amessage.less%2Cpublic%3Anotices.less%2Cpublic%3Ashare_controls.less%2Cpublic%3Asnog_flags.less%2Cpublic%3Ath_reactions.less%2Cpublic%3Aextra.less&s=58&l=1&d=1517677881&k=76636f65b7ee4436c351562beb88e3aacfbc6876
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FkLudcYN.jpg&hash=5bb3723ce886d3c22e33bbe6f4da4b91
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2F02WE5Hr.jpg&hash=15713d94a206fed427dafbe56addba10
REQUEST_URI=/threads/first-screenshots.15634/feature-edit)%20%7D%7D
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2F02WE5Hr.jpg&hash=15713d94a206fed427dafbe56addba10
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FkLudcYN.jpg&hash=5bb3723ce886d3c22e33bbe6f4da4b91
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FbVnuo6s.jpg&hash=104bb8af125cef8187a9eeeec45af1d6
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FEEGMkiV.jpg&hash=908fafcd14ea6b5f4628cfdb6ac9eaa9
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FEEGMkiV.jpg&hash=908fafcd14ea6b5f4628cfdb6ac9eaa9
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FC8BAGGD.jpg&hash=08c667ddda62c75e313947033b6f3bc3
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2Fil77cxD.jpg&hash=f2582fea41edd820c3010e1a2bab171c
REQUEST_URI=/css.php?css=public%3Aalnb_navigation.less%2Cpublic%3Abb_code.less%2Cpublic%3Alightbox.less%2Cpublic%3Amessage.less%2Cpublic%3Anotices.less%2Cpublic%3Ashare_controls.less%2Cpublic%3Asnog_flags.less%2Cpublic%3Ath_reactions.less%2Cpublic%3Aextra.less&s=58&l=1&d=1517689835&k=76636f65b7ee4436c351562beb88e3aacfbc6876
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2F02WE5Hr.jpg&hash=15713d94a206fed427dafbe56addba10
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FC8BAGGD.jpg&hash=08c667ddda62c75e313947033b6f3bc3
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FkLudcYN.jpg&hash=5bb3723ce886d3c22e33bbe6f4da4b91
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2Fil77cxD.jpg&hash=f2582fea41edd820c3010e1a2bab171c
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FkLudcYN.jpg&hash=5bb3723ce886d3c22e33bbe6f4da4b91
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2Fil77cxD.jpg&hash=f2582fea41edd820c3010e1a2bab171c
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FkLudcYN.jpg&hash=5bb3723ce886d3c22e33bbe6f4da4b91
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FbVnuo6s.jpg&hash=104bb8af125cef8187a9eeeec45af1d6
REQUEST_URI=/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FrkT1V6S.jpg&hash=7241afbf7833e4dc85c4609c802fb594

I hope this information is useful and you can provide it to your developer.

Of course if you need any further assistance do not hesitate to contact us again.
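
Added example, not part of the original thread or the hosting provider's tooling: the per-file `strings | grep` loops above, reduced to a count of crashes per script so the dominant endpoint (here `proxy.php`) stands out. It assumes the request environment sits in each dump as NUL-terminated `NAME=value` strings and splits on NUL with `tr` instead of calling `strings`; the function names, sample file names and sample URLs are constructed for illustration.

```shell
#!/bin/sh
# Summarise which script each PHP core dump was serving when it crashed.
# Assumption: CGI variables are stored as NUL-terminated NAME=value strings.

# core_var FILE NAME -> first value of NAME found in FILE (no output if absent)
core_var() {
    tr '\0' '\n' < "$1" | LC_ALL=C grep -a "^$2=" | head -n 1 | cut -d= -f2-
}

# tally_scripts FILE... -> "count path" lines, most frequent script first
tally_scripts() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        # Drop the query string so all proxy.php requests group together.
        core_var "$f" REQUEST_URI | cut -d'?' -f1
    done | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# make_samples -> directory holding constructed stand-ins for core files:
# a few binary bytes around two environment strings (not real dumps).
make_samples() {
    d=$(mktemp -d)
    n=0
    for uri in '/proxy.php?image=https%3A%2F%2Fimg.example%2Fa.jpg&hash=x' \
               '/proxy.php?image=https%3A%2F%2Fimg.example%2Fb.jpg&hash=y' \
               '/css.php?css=public%3Acore.less'; do
        n=$((n + 1))
        printf '\177ELF\001\002\000HTTP_REFERER=https://forum.example/threads/t.1/\000REQUEST_URI=%s\000\377\376' \
            "$uri" > "$d/dump.$n"
    done
    echo "$d"
}

# Demo run on the constructed samples.
demo_dir=$(make_samples)
tally_scripts "$demo_dir"/*
rm -rf "$demo_dir"
```

On a real account, pass the dump paths themselves, for example the ninth column of the `corefiles.txt` listing used above.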
 
I just loaded that page and the console threw up this error:

Code:
(index):2913 GET https://www.gnonline.net/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FC8BAGGD.jpg&hash=08c667ddda62c75e313947033b6f3bc3 500 ()
 
Ok I was wrong:

Code:
proxy.php Failed to load resource: the server responded with a status of 500 ()

It seems on certain refreshes it is not able to fetch the pictures and on others it's fine.
 
You mean the thread 'First Screenshots'? It has always worked for me, and I checked the console and no error. However, another core file has been produced just now.
 
Code:
GET https://www.gnonline.net/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FkLudcYN.jpg&hash=5bb3723ce886d3c22e33bbe6f4da4b91 500 ()
GET https://www.gnonline.net/proxy.php?image=https%3A%2F%2Fi.imgur.com%2FrkT1V6S.jpg&hash=7241afbf7833e4dc85c4609c802fb594 500 ()

Took a while to get them but yes I still get them.
 