
Possible Duplicate:
My server's been hacked EMERGENCY

My site has been hacked, but when I look at the source files over FTP everything looks fine. My website address is zecel.com. Can anybody please guide me on how I can fix it and avoid it in the future?

Thank You.

Shishant

3 Answers


First...wipe the system. Really. You can't trust system binaries anymore. It's like asking your brain to analyze itself. You can't objectively do it. Your system binaries could easily be compromised to hide what is actually going on.

By the time you sort everything out you could easily have rebuilt the thing three times.

Wipe the computer. Restore from backup. (what backup? If you're asking yourself that, you're in deeper trouble...you should probably rebuild the site from scratch and start making a really good backup...OFFLINE backup...plan).

Did you have all updates installed?

You didn't mention your platform/OS/etc. You also didn't mention what your website was running (Apache? What SQL version? PHP? Virtual server, hosted, self-hosted, dedicated server? What kind of hack, how did you know it was hacked, what was in the logs...).

If you're really into trying to secure it, you should probably look at decent backups, checking every day for security updates, and installing chkrootkit and rkhunter (if it's a Linux-like platform) and something that checksums the files, like tripwire.

You can also run audits on your system using Nessus or other vulnerability scanners.

Check your logfiles and audit log files for unusual activity.

Were you able to log in remotely to it? Strong passwords? SSH? Install denyhosts and configure it for locking out unusual attempts to the system.

Check into what method you could use for detecting that you're getting slammed by particular IPs or port scan attempts, and firewall them.

Overall...need more info, and you need to wipe the system and reinstall from backups or scratch and get all updates installed. Monitor for file changes. Monitor your logs. Websites really can be run as just a set-up-and-forget thing, but if you're a sysadmin, it takes actual work to run a website "correctly," and it takes maintenance. Even a simple website can be a PITA to keep running and updated.

You can also subscribe to some security lists specializing in your platform of choice (your web server, OS, if you're running SQL or PHP or a specific BBS platform) so you can comb the mailings for vulnerabilities specific to your platform.
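The file-checksum monitoring recommended above (what tripwire does) can be shown without installing anything. The following is an added example, not code from the answer or from tripwire: it hashes every regular file under a web root with SHA-256, saves the manifest, and diffs a later scan against it to list added, removed and modified files. The web root, the baseline store and the tampering are all constructed inside temporary directories for the demo. On a real host the baseline copy belongs on read-only or offline storage, not next to the files it protects; on shared hosting where you can't install tools, the same script can be run over a copy of the site pulled down with FTP.

```python
"""Tripwire-style integrity check for a web root.

Added example, not from the original thread: take a SHA-256 baseline of
every file under the document root, then diff a later scan against it.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large uploads need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (POSIX relative path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        # Skip directories and symlinks: a symlink re-pointed elsewhere should
        # show up as a change in its own right, not hide behind its target.
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def save_manifest(manifest: dict, dest: Path) -> None:
    """Write the baseline; in practice keep this copy off the web server."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def compare_manifests(baseline: dict, current: dict) -> dict:
    """List files added, removed or modified relative to the baseline."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed web root: baseline it, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as store:
        root, baseline_file = Path(webroot), Path(store) / "baseline.json"
        (root / "css").mkdir()
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "about.html").write_text("<p>About us</p>\n")
        (root / "css" / "site.css").write_text("body { color: black; }\n")
        save_manifest(build_manifest(root), baseline_file)

        # Simulated compromise (constructed): defaced page, dropped file, deleted file.
        with (root / "index.html").open("a") as fh:
            fh.write('<iframe src="http://malicious.example/"></iframe>\n')
        (root / "shell.php").write_text("<?php /* constructed stand-in for a dropped file */ ?>\n")
        (root / "about.html").unlink()

        return compare_manifests(load_manifest(baseline_file), build_manifest(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run it from cron against the live document root and alert on any non-empty list; anything legitimately deployed should be followed by a fresh baseline, so that the report stays meaningful.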


Having your website defaced and having your server hacked are a bit different. But you have to understand the attack. For instance, if it was just an SQL injection then the only thing really affected by the attack was the database. Restoring the database from a known good backup, or manually removing the malicious code that was inserted into the database, is normally sufficient, along with patching the program that allowed the injection to begin with. This would normally be an out-of-date version of WordPress or a similar database-driven framework.

Now if someone managed to brute-force a password, or log in and manually edit your pages, then as Bart indicated you should talk to your provider, as they will be in the best position to determine what the risks involved are and take appropriate action. But I agree with the "system can't be trusted" point that Bart makes; in general it's a good idea. With shared hosting, though, that's going to be up to the provider.

3dinfluence

There are a lot of problems with this question that make it difficult to help you. In particular, we don't know exactly what you mean by "all the contents have been changed". Since by your own question we know that the contents on disk appear to be unmodified, this suggests that your website was not actually hacked and that something else is going on.

The first question to ask is, "am I really looking at the website I think I am?" That is, does the URL you are entering in your browser really correspond to the system that hosts your website? If there has recently been a change in DNS this may not be the case.

One way to verify this would be to watch your Apache access log whilst making a request (that is, loading a page). If you see the request in your access log then it is at least not a DNS problem. If you do not see the request, then you need to figure out what system you're actually talking to.

Without more information we can't really help you.

larsks
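Two pieces of advice in this thread come down to reading the same file: the first answer's "check your logfiles for unusual activity" and "detect that you're getting slammed by particular IPs", and the last answer's "watch your Apache access log whilst making a request" to rule out a DNS problem. The following is an added example, not code from any of the answers. It parses Apache's stock combined LogFormat, then (1) looks for a request from a given client IP and path, so you can confirm your own test request actually reached this server, and (2) lists clients with many requests and a high error ratio, the pattern a scanner or brute-forcer leaves. The log lines are constructed for the demo, using RFC 5737 documentation addresses; the format assumed is the default `combined` LogFormat, so adjust the regex if your vhost uses a custom one.

```python
"""Sift an Apache combined-format access log.

Added example, not from the original thread. Two uses of one parser:
(1) confirm that a test request you just made from a known client IP shows
    up in the log, so the name really resolves to this server; and
(2) find clients hammering the site with a high error ratio (scanners,
    brute-forcers), candidates for a firewall rule or denyhosts-style block.
"""
import re
from datetime import datetime

# Matches Apache's stock "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2012:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 404 289 "-" "python-requests/2.6"
198.51.100.23 - - [10/Oct/2012:13:55:40 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 289 "-" "python-requests/2.6"
198.51.100.23 - - [10/Oct/2012:13:55:41 +0000] "GET /admin/ HTTP/1.1" 404 289 "-" "python-requests/2.6"
198.51.100.23 - - [10/Oct/2012:13:55:41 +0000] "GET /xmlrpc.php HTTP/1.1" 404 289 "-" "python-requests/2.6"
198.51.100.23 - - [10/Oct/2012:13:55:42 +0000] "GET /.env HTTP/1.1" 404 289 "-" "python-requests/2.6"
198.51.100.23 - - [10/Oct/2012:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 404 289 "-" "python-requests/2.6"
192.0.2.44 - - [10/Oct/2012:13:56:01 +0000] "GET /index.html?utm=mail HTTP/1.1" 200 2326 "http://example.net/" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2012:13:56:02 +0000] "-" 408 - "-" "-"
""".splitlines()


def parse_line(line: str):
    """Return a dict for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # "%r" is 'METHOD target PROTO'; Apache logs "-" when no request line arrived.
    parts = m.group("request").split(" ")
    target = parts[1] if len(parts) >= 2 else None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": parts[0],
        # Drop the query string so /index.html?x=1 still counts as /index.html.
        "path": target.split("?", 1)[0] if target else None,
        "status": int(m.group("status")),
        "size": 0 if m.group("size") == "-" else int(m.group("size")),
        "agent": m.group("agent") or "",
    }


def find_requests(lines, client_ip: str, path: str) -> list:
    """Entries from client_ip for path; empty means the request never got here."""
    return [e for e in map(parse_line, lines)
            if e and e["ip"] == client_ip and e["path"] == path]


def client_stats(lines) -> dict:
    """Per-client request count and count of 4xx/5xx responses."""
    stats = {}
    for e in map(parse_line, lines):
        if e is None:
            continue
        s = stats.setdefault(e["ip"], {"requests": 0, "errors": 0})
        s["requests"] += 1
        if e["status"] >= 400:
            s["errors"] += 1
    return stats


def noisy_clients(lines, min_requests: int = 5, min_error_ratio: float = 0.5) -> list:
    """Clients with many requests, mostly errors: typical of scanning/brute force."""
    return sorted(ip for ip, s in client_stats(lines).items()
                  if s["requests"] >= min_requests
                  and s["errors"] / s["requests"] >= min_error_ratio)


if __name__ == "__main__":
    hits = find_requests(SAMPLE_LOG, "203.0.113.7", "/index.html")
    print("my test request reached this server:", bool(hits))
    print("noisy clients:", noisy_clients(SAMPLE_LOG))
```

To use it for the DNS check, load the page once from a machine whose public address you know, then call `find_requests` with that address and the path; if nothing matches while the browser did get a page back, the name is not resolving to the host you are logged in to. The thresholds in `noisy_clients` are starting points, not rules: tune them against a day of your own normal traffic before feeding the output to a firewall.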