I have a number of websites on a Windows 2008 server running IIS 7.5 that have got hacked - webmater tools says url injection.
e.g. domain.com/6/brrsaeps/ would display a page with lots of words about ugg boots and links etc.
I removed all the malicious looking files from the server.
The malicious url's still loaded.
I then moved all the site files from the root directory of the site - so there was nothing in that folder - the homepage of the site didn't load or any other content - but the malicious url's loaded (but without the css files for styling)
I then update the basic site settings in IIS to point to the folder I had moved the contents to - the website worked fine and the malicious url's don't load any more.
Where is the issue here - I don't understand how the malicious url's loaded when there was no files in the root of the site?