MODx Evolution based website has been detected hacked. Every page of his website showing “infected” with invisible links to viagra webshops. The code of those links was as follows:
<div style="position:absolute;left:-2311px;top:-2794px;"><a href="LINK">... viagra ...</a></div>
After quick investigation I figured out the malicious code (which generated those links) had been planted into the MySQL table “modx_site_plugins“. In our case it was inside “Quick ManagerManager” plugin code:
Basically, look for: @eval(@gzuncompress(@str_rot13(@base64_decode(
After removing the code I’ve also replaced the entire assets/cache/ folder with one from the MODx distributive.
Malware checking link: http://sitecheck.sucuri.net