I'm helping out with a site that was hacked (because I've used IntegraMod a lot, not because I know what I'm doing <img>). Here's a quick run down of the situation.
The site was hacked, so the current webmaster went through looking for files that didn't belong. He thinks he got them all.
A couple of days later, he got an e-mail saying that his site had been hacked and giving this address:
.../images/avatars/onlineid-sessionload/cgi-bin/sso.login.controllernoscript=true/sessiondid=2335454893_Secured152388884&Update/index.htm
That page didn't load.
This morning, this URL was in his logs..
.../images/avatars/onlineid-sessionload/cgi-bin/sso.login.controllernoscript=true/sessiondid=2335454893_Secured15
He doesn't remember deleting anything out of the avatars directory, but he might have just forgotten.
We have FTP access and File Manager access through cPanel. If we're not seeing it, it's not there, right? I'd rather hear from a knowledgable person's mouth rather than rely on my common sense. I realize that doesn't mean it's not comign back, but as for right now...