Malware:SPAM:SEO – (MODx Evolution: removing spam links)

A MODx Evolution based website was found to be hacked. Every page of the website was “infected” with invisible links to viagra webshops. The code of those links was as follows:

<div style="position:absolute;left:-2311px;top:-2794px;"><a href="LINK">... viagra ...</a></div>

After a quick investigation I figured out that the malicious code (which generated those links) had been planted into the MySQL table “modx_site_plugins”. In our case it was inside the “Quick ManagerManager” plugin code:

Basically, look for: @eval(@gzuncompress(@str_rot13(@base64_decode(

After removing the code I also replaced the entire assets/cache/ folder with the one from the MODx distribution.
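A small scanner for the two indicators described above, as an added example that is not part of the original post: it flags plugin code containing the eval/decoder chain (tolerating whitespace, case and a missing "@", which goes slightly beyond the literal string) and finds off-screen link blocks in rendered HTML. The (id, name, plugincode) row layout for an export of modx_site_plugins, the function names and the sample data are assumptions made for illustration.

```python
import re

# PHP decoder functions named in the signature on this page.
DECODERS = r"(?:gzuncompress|str_rot13|base64_decode)"
# eval( wrapped around two or more nested decoder calls; '@' and whitespace optional.
EVAL_CHAIN = re.compile(
    r"@?\s*eval\s*\(\s*(?:@?\s*" + DECODERS + r"\s*\(\s*){2,}", re.IGNORECASE)
# <div> with position:absolute followed by a negative left/top offset,
# in the same order as the snippet shown on this page.
HIDDEN_DIV = re.compile(
    r"<div[^>]*style\s*=\s*[\"'][^\"']*position\s*:\s*absolute[^\"']*"
    r"(?:left|top)\s*:\s*-\d+px[^\"']*[\"'][^>]*>(.*?)</div>",
    re.IGNORECASE | re.DOTALL)
LINK = re.compile(r"<a\s[^>]*href\s*=", re.IGNORECASE)


def has_eval_chain(php_code):
    """True if the code contains eval() wrapped around nested decoders."""
    return EVAL_CHAIN.search(php_code) is not None


def hidden_link_blocks(html):
    """Return the inner HTML of off-screen divs that contain a link."""
    return [m.group(1) for m in HIDDEN_DIV.finditer(html) if LINK.search(m.group(1))]


def scan_plugins(rows):
    """rows: (id, name, plugincode) tuples exported from modx_site_plugins (assumed layout)."""
    return [(pid, name) for pid, name, code in rows if has_eval_chain(code)]


# Constructed sample data (not taken from a real site).
SAMPLE_ROWS = [
    (1, "CleanPlugin", "$e = &$modx->Event; echo base64_decode($x);"),
    (2, "InfectedPlugin",
     "$e = &$modx->Event;\n@eval ( @gzuncompress(@str_rot13( @base64_decode('AAAA'))));"),
]
SAMPLE_PAGE = (
    '<p>Welcome</p><div style="position:absolute;left:-2311px;top:-2794px;">'
    '<a href="LINK">spam</a></div><div style="position:absolute;left:10px;">menu</div>'
)

if __name__ == "__main__":
    print(scan_plugins(SAMPLE_ROWS))
    print(hidden_link_blocks(SAMPLE_PAGE))
```

Running hidden_link_blocks() over saved copies of the site's pages after the cleanup confirms the links are no longer being generated from the cache.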

Malware checking link:

