Detecting and Removing Quick ManagerManager Malware in Evolution CMS

If a strange manager plugin appears and hidden links start showing up, treat the site as compromised immediately and rotate from cleanup into hardening.

This donor documented a serious compromise pattern: hidden links in output, a suspicious plugin named Quick ManagerManager, a rogue support user, unauthorized manager login behavior, and even a web shell endpoint.

Observed Indicators

Hidden off-screen link blocks injected into page output
Unexpected manager plugin code with encoded payloads
A suspicious support user account
Special query-string endpoints for sitemap leakage, manager access, or shell behavior

Immediate Response

Take the site out of normal rotation if possible.
Remove the malicious plugin and unknown accounts.
Audit all manager users and reset credentials.
Update the site and any vulnerable extras immediately.
Review logs to understand when the compromise began.

This kind of donor is exactly why legacy Evolution CMS projects need security maintenance, not just feature work. Once a site has been compromised, recovery is only the first step; hardening must follow.

Newer post

Fixing AjaxSubmit Compatibility with jQuery 1.9

If AjaxSubmit stops working after a jQuery upgrade, inspect removed APIs and legacy event assumptions before blaming the form snippet itself.

Older post

Why eForm Works on Some Pages but Not Others

When eForm sends mail only from selected resources, look beyond SMTP and inspect template structure, parser errors, and page-specific markup differences.