The first step you should follow is save the raw logs for your site to your home computer. You can download the rawlogs like so:
1) Login to cpanel
2) Click on 'Raw Access Logs'
3) Click on the domain you wish to download the logs for, and save to your local computer
The second step would be to open up a helpdesk ticket in the abuse & security department, and attach the logs to the ticket. Please be as descriptive as possible with a description of what you found that makes you think your site was hacked, and what times you noticed them at, as well as a list of all installed php scripts with applicable names and versions used on your hosting account.
This makes our investigation of your issue much quicker as we potentially have the logs for the incident in your ticket, as well as an idea of what time frame we should be examining your logs for to find the attacker's IP and actions.
It is also recommended that you enable archival of your raw logs to your home directory for a month after an incident so we can investigate any further activity of the attacker, or the possibility of further abusive activity to your domain in general. We will do our best to find the vector of attack, however it is always possible for the attacker to exploit multiple problems in your scripts. The archival makes it easier for us to collect further data after the incident for use in any potential legal proceedings as well.
- 4 Users Found This Useful