My friend’s MODx Evolution-based website was hacked and he’s asked me to help him fix it. Every page of his website was “infected” with invisible links to viagra webshops. The code of those links was as follows:
<div style="position:absolute;left:-2311px;top:-2794px;"><a href="LINK">... viagra ...</a></div>
After a quick investigation I figured out the malicious code (which generated those links) had been planted into the MySQL table “modx_site_plugins”. In our case it was inside “Quick ManagerManager” plugin code:
Basically, look for:
After removing the code I’ve also replaced the entire assets/cache/ folder with one from the MODx distribution.
I don’t know exactly how the hackers planted this code, because the hoster did not keep any log files, but I can guess that the outdated version of MODx is the first thing to look at.
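To confirm that a cleaned site no longer serves the off-screen link block shown above, rendered pages can be scanned for links nested inside absolutely positioned containers with large negative offsets. The script below is an added example, not code from the original post; the 500px threshold, the function names and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Void elements never get a closing tag, so they are not tracked on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}
OFFSET = re.compile(r"(?:^|;)\s*(?:left|top)\s*:\s*-(\d+(?:\.\d+)?)\s*px")

def is_offscreen(style, threshold=500):
    """True if an inline style positions the element far outside the viewport."""
    style = style.lower()
    positioned = re.search(r"position\s*:\s*(absolute|fixed)", style)
    far = any(float(v) >= threshold for v in OFFSET.findall(style))
    return bool(positioned) and far

class HiddenLinkFinder(HTMLParser):
    def __init__(self, threshold=500):
        super().__init__()
        self.threshold = threshold
        self.stack = []   # (tag, is_offscreen) for every open element
        self.hits = []    # hrefs of links that are rendered off-screen

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = is_offscreen(attrs.get("style") or "", self.threshold)
        inside_hidden = hidden or any(flag for _, flag in self.stack)
        if tag == "a" and attrs.get("href") and inside_hidden:
            self.hits.append(attrs["href"])
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_links(html, threshold=500):
    finder = HiddenLinkFinder(threshold)
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample page: one normal link, one injected block, one small offset.
SAMPLE = """<html><body>
<p>Welcome <a href="/about.html">about us</a><br></p>
<div style="position:absolute;left:-2311px;top:-2794px;"><a href="http://spam.example/">... viagra ...</a></div>
<div style="position:absolute; left:-4px; top:10px"><a href="/menu.html">menu</a></div>
</body></html>"""

if __name__ == "__main__":
    print(find_hidden_links(SAMPLE))
```

Run it against the HTML the server actually returns rather than the templates, since the links were generated by plugin code at render time.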