MODx Evolution: removing spam links

My friend’s MODx Evolution based website was hacked and he’s asked me to help him fix it. Every page of his website was “infected” with invisible links to viagra webshops. The code of those links was as follows:

<div style="position:absolute;left:-2311px;top:-2794px;"><a href="LINK">... viagra ...</a></div>

After quick investigation I figured out the malicious code (which generated those links) had been planted into the MySQL table “modx_site_plugins“.  In our case it was inside “Quick ManagerManager” plugin code:

quick-managermanager

Basically, look for: @eval(@gzuncompress(@str_rot13(@base64_decode(

After removing the code I’ve also replaced the entire assets/cache/ folder with one from the MODx distributive.

I don’t know how exactly the hackers have planted this code, because the hoster did not keep any log files, but I can guess that the outdated version of MODx is the first thing to look at.

This entry was posted in Solutions and tagged . Bookmark the permalink.

10 Responses to MODx Evolution: removing spam links

  1. Modx Shit says:

    Thanks for this post, really helpful !!!

  2. Holger says:

    Thank you for posting this. I had the same issue. I think they got in through the Forgot Manager security issue which has been fixed since Evo 1.0.9 or 1.0.10. A fast way to get the links out of the pages is to deactivate the quick manager manager and quick manager plugins. Then I recommend also deactivate the Forgot Manager plugin and blocking the access of your initial admin. Do not forget to create yourself a new admin user first. ;) – Also, check for new admin users, hackers might have created. – Eventually, you have to update to the latest Evo release.

    The whole link spamming hack is just pointless: Google will instantly detect that it is a spam hack and will not forward PR to those sites, nor will Google panelize the hacked site for this. We are not in 2005! The hacker has obviously no clue of SEO … ;)

  3. Gary says:

    I’ve had several of my modx installs hacked like this…

    one of them has several thousand links pointing from other hacked sites that then redirected to a pharmacy site, so thats a few thousand dummy pages in google and several thousand links from other sites… needless to say we’ve run foul of penguin and it’s taking weeks to clean up

    this was on a site I specifically upgraded so it wouldn’t be vulnerable, but then the forgotten manager plugin was still a problem seemingly

    be careful out there, this isn’t a harmless hack

  4. Simon says:

    Thanks for posting this…. just helped us out really quickly identify a problem for a new client that came to us with this.

  5. Thank you so much! After several of hours – of couldn’t figure out where the links were implemented from. Your blog came in really handy.

    Ass Holger says! Disable the Quick Manager, and your problem is solved. However it might also be smart to make sure the links are deleted from the database.

  6. George Rowe says:

    Thanks Dae, found the offending plugin and removed :)

  7. Pingback: Spam Links in alter Modx 0.9.1p2 Version entdeckt - Icomundo

  8. Lasse Jensen says:

    Thanks a bunch! Found the code in modx_site_plugins too, however the plugin was called something with xPDO (forgot exactly and didn’t do a screenshot), i.e. appearing like a ‘valid’ MODX extension but obviously malicious.

  9. David Cook says:

    Thanks so much for your post! You pointed me in the right direction and inspired me to dig deeper. I found that a new plugin had also been inserted called “Highlight Search”, containing code that made these links point to the external site. I’ve described my steps taken here:
    http://webmasters.stackexchange.com/questions/57606/site-hacked-redirecting-to-other-site/88793#88793

Leave a Reply to Gary Cancel reply

Your email address will not be published. Required fields are marked *