Unfortunately, this kind of sh*t happens.
What to do?
- Report the attack with all details that seem worth mentioning here in the forum! On the one hand, others might give useful additional information, and on the other hand, it might make the developers aware of existing security issues.
- Investigate how the site has been hacked:
  - Did the attacker gain access to your hoster's website configuration?
    Were any changes made in this configuration? Were you the last one who logged in?
  - Did the attacker obtain your FTP login credentials?
    Were any modifications made that couldn't be done through CMSimple (even in the back-end)? Typically any modifications to index.php and particularly to files that the webserver process is not allowed to write to.
  - Did the attacker obtain the CMSimple password?
    Were logins from foreign IP addresses recorded in cmsimple/log.txt? Were modifications made that are typically done through CMSimple's back-end?
  - Did the attacker use a security hole in CMSimple or a plugin to manipulate the site?
    When there's no evidence that one of the former has happened, this might well be how your site was hacked.
  - Did the attacker use a security hole or even a malicious website hosted on the same server?
    That's possible if scripts on different domains are executed by the same user (typically when PHP is run by mod_php), or you've set write permissions for files and folders for everybody (666 resp. 777), and there are no other security measures in place (such as safe mode, open_basedir).

  Use a search engine to look for details about concrete evidence of the hack (e.g. if a file 123hack.php was created on the server, google for the file name).
- Eliminate the vulnerability resp. reduce the security risk:
  - Change your password (use a strong password that you don't use anywhere else). Contact your hoster about the incident, and ask if there are additional measures you can take to avoid being hacked this way again.
  - Change your FTP password (use a strong password that you don't use anywhere else). Don't store the password in the FTP client.
  - Change your CMSimple password (use a strong password that you don't use anywhere else). Remove write permissions from all files and folders that don't need them for normal CMSimple use.
  - Look for an appropriate security patch; otherwise report the vulnerability. If a plugin is the source, try to contact the author. If no security patch is available, remove the plugin.
  - If every domain executes PHP as another user, set your file and folder permissions to at most 755 resp. 644. Otherwise contact your provider to prohibit access from other domains on the same server. You might consider renting your own virtual server (VPS).
- Delete the old site completely (there might be hidden leftovers from the attack) and restore the site from a recent "clean" backup.
Christoph
PS: See also http://www.google.com/webmasters/hacked/.
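
The permission advice in the post above (at most 755 resp. 644, no 666 or 777) and the search for files changed by the attack can be checked with a short script. This is an added example, not part of the original post; the function names and the 7-day default window are assumptions.

```shell
#!/bin/sh
# Added example: check a web root against the permission advice in the post.
# Function names and the 7-day default are assumptions of this example.

# Regular files with any mode bit beyond 644
# (group/other write, or any execute bit), e.g. 666 or 755.
files_beyond_644() {
    find "$1" -type f \( -perm -0100 -o -perm -0020 -o -perm -0010 \
        -o -perm -0002 -o -perm -0001 \) -print
}

# Directories writable by group or other (beyond 755), e.g. 777.
dirs_beyond_755() {
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) -print
}

# Files modified within the last $2 days: candidates for changes or
# leftovers from the attack that need a closer look.
recently_modified() {
    find "$1" -type f -mtime "-$2" -print
}

audit_webroot() {
    root=$1
    days=${2:-7}
    echo "== Files with permissions beyond 644 =="
    files_beyond_644 "$root"
    echo "== Directories with permissions beyond 755 =="
    dirs_beyond_755 "$root"
    echo "== Files modified in the last $days days =="
    recently_modified "$root" "$days"
}

# Usage: sh audit.sh /path/to/webroot [days]
if [ "$#" -gt 0 ]; then
    audit_webroot "$@"
fi
```

Files and folders that CMSimple has to write to in normal use will appear in the output as well, so compare the list with what your installation actually needs before removing permissions.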