Hi, @altemporal

Many thanks for your replying. I will try later.

Bsaed on the OP's description and that of many of the responders on this thread, it's probably safe to assume that your system has been compromised by attacks targeting files with fixes provided from Magento by either SUPEE-5344 or SUPEE-5994.  Unforunately, as I discuss below, installing the fixes will not resolve your problem.  They only stop future attacks, They DO NOT DO ANYTHING TO FIX A SYSTEM THAT IS ALREADY COMPROMISED.

We've remediated many sites since these exploits were released and to assist the community in responding to them we've documented our research to provide a list of 18 known attack signatures so that you can check your systems for evidence of them and respond accordingly.  Keep in mind we've never seen two compromises that are exactly the same, so there's a chance your particular system might be slightly different - if you discover anything on your system that we don't already have documeted, please share that with us so we can update the attack signature guide.

We're working on a toolkit to automate the remediation of these item but it may be a week or two until it's ready for distribution.  In the meantime, we're sharing the knowledge we've acquired working through these compromises with everyone in the community in an effort to make sure everyone is as safe as can be expected.

I'm including a 3-Step Compromise Response Process below that we've worked over and over again to get consistent results.  The key assumption you're going to have to make is that you can't know what has or hasn't been compromised until you diff the files in your system against the default source code provided by Magento or a copy you have made in your (Git / Mercurial / SVN) repository.  YOU SHOULD ASSUME that your database and logins have been compromised and go change them all.

We provide a link to a guide we've uploaded to our GitHub repo that is tracking the 18 signatures we have been able to clearly identify in the wild that relate to these most recent security announcements.  You should go through each and every one of them to see if you can find anything that matches.  If so, you can follow the instructions to either delete or replace the compromised file or delete or update your database to replace the affected data.  It's in PDF format now, but we should have it converted to Markdown by tomorrow.

CRITICAL NOTE: Installing the patches from Magento WILL NOT help you if you have already been compromised.  At best, it will stop ADDITIONAL compromises of the known types, but if you are already compromised then you'll have to BOTH install the patches and remediate your system as we highlight below.

Let me know if you discover anything not included already in that guide - we're trying our best ot keep up with the latest developments on this topic and happily welcome any contributions from the community.

Phase 1: Identify the scope of your compromise.  Each and every one of the items I list below are signatures we've discovered on compromised Magento sites specicifally relating to the SUPEE-5344 and SUPEE-5994 vulnerability announcenments.  You need to go through each one and check to see if you find any evidence on it on your system.  Many of them are enough by themselves to allow an attacker to re-enter your systen after you patch it, so you'll have to be dilligent and make sure you don't skip anything or fail to remediate it.

Phase 2: Delete what you must, and replace what you can : use the original files from your repository or the Magento source files.  If you're not running one of the latest versions, you can still use the Magento download page to grab older version sources from their site.

Phase 3: RESET Credentials: Inventory every use of a login name and password remotely related to your deployment and reset them all, including

1. Merchant Account Loigins and API Keys
2. Magento Admin Logins & Passwords
3. Email account credentials
4. LDAP / AD  / Primary Authentication System Passwords
5. EVERYTHING

- You can be reasonably sure that the preceding steps will help you purge infected fies but you can not know if passwords have been sniffed or key logged or the victim of some other attack, so resetting all related credentials is the safest option if you are going to attempt to remediate a compromised system. 

The guide is too long to post in this response but the PDF can be downloaded immediately at our GitHub reopsitiory.

Sincerely,

Bryan “BJ” Hoffpauir

<< Signature to be setup in your profile >>

There's another easier possibility... Is your compiler enabled? If so, try disabling it. Here's how to do that without the admin: https://kb.magenting.com/content/24/81/en/disable-magento-compiler.html

I would add that unless you're running 1.5 or lower, you would be best served by disabling the compiler completely...It doesn't really offer the performane benefits it used to on modern Magento versions and can, in fact, result in performance impairment.  It also makes debugging issues with 3rd Party Plugins significantly more difficult and time consuming.

i have the same problem also with my admin page. I am looking to find someone who can fix my site for me, I am not tech savvy enough to install patches and edit settings. I am using 1.7. version of magento.   I have tried using magento connect, but it crashes my site when I try to add security patch, I believe my error comes from being hacked also.

Thank you,

Steven

Steven, I'd be happy to chat with you to see if we might be able to help.  I am tied up this morning until around 12 PM CST, but you can email me at bj@comitdevelopers.com and let me know how to reach you directly and when you might be free and I'll reach out as soon as I can.

If you want to minimize the potential impact, I'd suggest putting your site into maintenance mode or asking your host to do that for you or disable inbound traffic util you can arrange a follow up so you won't be taking orders while exposing customer credit cards to further risk of attack. 

 But don't worry too much, these things happen and can be resolved. Even if it's not the most plesant part of being an online merchan, remember everyone in this community has to deal with something like this at one point or another.  

Looking forward to hearing from you soon so we can figure out how we might be able to assist!

- BJ Hoffpauir - CTO @ Comit Developers 

Hi,

I'm having this problem after upgrading to 1.9.2.

There seems to be a problem wih the menu. When checking the source, the last line of the source is "!-- menu start -->".

Also, when I remove the content of app//design/adminhtml/default/default/template/page/menu.html everything is displayed well, except the menu of course..

Did anyone found a solution?

Best regards,

Paul

I found the following error message:

Fatal error: Class 'Mage_Xmlconnect_Helper_Data' not found in /var/www/app/Mage.php on line 547

By the way, this error was shown after upgrading to 1.9.2.0

Best regards,

Paul

Can you go to the /var/log/ folder and see if you have a system.log or exception.log file there?  If you take the last few entries in that file and review them or paste them here (be careful to make sure there's no sensitive data in them before pasting here) or send them to me via private message I'll review them and give you my input.

A little bit of contect around that error may help to narrow our troubleshooting efforts, which is why I'm asking for the file. 

I also found this discussion: http://magento.stackexchange.com/questions/14628/fatal-error-class-mage-xmlconnect-helper-data-not-f...

It was closed, but they did suggest attempting to disabkle caching and clearing the cache - you can do that either via the M=n98-magerun utility or bu ssh'ing into your server and running the command line script to reset cache:

$ cd <magento_installation_folder>/shell/
$ php -f cleanCache.php clean all

This may also provide specific error messages when run.