2016-03-08, 08:53:23
Something similar happened to a site of mine last year. Some advice (from a non-expert):
You may never know how the site was hacked, but there are only a few possible ways in: by FTP, through the GS login, or through a script introduced via an insecure plugin or a contact form or something. I can tell you that Shawn has done a lot of work on security and if you are using the latest core GS it is very, very unlikely that GS itself was the vulnerable part of your site. It's worth changing all the passwords.
There may be files all over your server with innocuous names and it is difficult to check them all. Hopefully you have backups and you can delete everything and reinstall. Check the backup you reinstall from because sometimes these attacks are time-delayed, so you might reinstall the rogue files.