I have a site on a server that has been hacked. At first i thought it was a permissions error on the directory, but I went through and looked at all of the file permissions.
This is a server that was setup by someone else and the site was migrated to the server. I'm working in expressionengine and I tried to update the expressionengine version and thought I had gone through every file and whamo it started showing up again.
I will say however that when upgrading I switched the "system" files to be hidden below the root and that does not look to be infected after this second wave of files.
I can ssh into the server and I have FTP access, user logs in the control panel looked normal and there were no abnormal logins to the site or the control panel.
Where should I start? what should i search for?