My site was defaced ("hacked"). Now what?

Last modified: July 9, 2009 - 16:22

Basics

Attacks can happen in a variety of ways. Even if the only web application running on your server is Drupal, the attacker may have used an entirely different method of gaining access to your server in order to deface your site.

Rule out other attack vectors

  • The attack may not have come through Drupal at all, but through FTP, SSH, or another vector.
  • Check whether your site was defaced directly through your FTP account. Many attacks now originate from virus-infected computers, particularly when you use Total Commander with saved passwords. Symptoms of this type of attack: your site now prints a "PHP Parse error: parse error" message from index.php, and index.php contains a strange <iframe> or <script> tag linking to some .cn domain. In that case, disconnect your computer from the internet, install antivirus software, run a scan, delete all saved passwords from Total Commander, and change all your passwords, including FTP and system accounts.
  • Check Apache's logs for suspicious activity. This might indicate a vulnerability in a web application, possibly Drupal.
  • Check other applications running on the server.
  • Check other accounts on a shared server.
  • Make sure you are not running an out-of-date Drupal version.
  • Check the recent security announcements for Drupal core and contributed modules. Would any of them enable the kind of attack that happened to your server?
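As an added example (not part of this handbook page or of Drupal itself), the following Python script automates two of the checks above: it flags <iframe> and <script> tags in your Drupal tree whose src points to a host other than your own, and it lists files that are world-writable. The host name and the paths used are assumptions you supply on the command line.

```python
"""Triage helper for a defaced Drupal site (added example, not Drupal code):
flag injected <iframe>/<script> tags that load from a foreign host, and
files that are world-writable. Paths and host names are supplied by the user."""
import os
import re
import stat

# <iframe ... src=...> or <script ... src=...>, any quoting style.
INJECT_RE = re.compile(
    r'<(iframe|script)[^>]*\ssrc\s*=\s*["\']?(?P<src>[^"\'\s>]+)', re.IGNORECASE)
# Absolute or protocol-relative URL; captures the host part.
HOST_RE = re.compile(r'^(?:https?:)?//([^/:?#]+)', re.IGNORECASE)


def find_external_tags(content, own_hosts):
    """Return (tag, src) for each iframe/script whose src is on a host not in
    own_hosts. Relative srcs such as Drupal's own misc/drupal.js are ignored."""
    hits = []
    for m in INJECT_RE.finditer(content):
        src = m.group("src")
        h = HOST_RE.match(src)
        if h and h.group(1).lower() not in own_hosts:
            hits.append((m.group(1).lower(), src))
    return hits


def scan_tree(root, own_hosts,
              exts=(".php", ".inc", ".module", ".js", ".htm", ".html")):
    """Walk a Drupal directory; report foreign tags and world-writable files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            if mode & stat.S_IWOTH:
                findings.append((path, "world-writable", oct(mode & 0o777)))
            if name.endswith(exts):
                with open(path, "rb") as f:
                    text = f.read().decode("utf-8", "replace")
                for tag, src in find_external_tags(text, own_hosts):
                    findings.append((path, "external <%s> src" % tag, src))
    return findings


if __name__ == "__main__":
    import sys  # usage: python triage.py /path/to/drupal www.example.org
    for finding in scan_tree(sys.argv[1], {sys.argv[2].lower()}):
        print(*finding, sep="\t")
```

Treat every hit as something to inspect by hand, since legitimate themes and modules may also load scripts from a CDN you know about.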

What to report to the Drupal security team

  • Drupal version
  • List of contributed modules and their versions
  • Apache/PHP versions
  • Do you maintain your site via FTP? If not, is your site accessible using FTP?
  • Name of your hosting company
  • Permissions on the files in your Drupal directory (e.g. from ls -l in the Drupal installation directory)

Drupal is a registered trademark of Dries Buytaert.