beavis - 4:01 pm on Feb 17, 2012 (gmt 0)
Thank you to all who have replied. This is certainly a challenging situation. Here is my plan of action so far. Please let me know if I am missing something:
1. Take down site ASAP. Once again, it is on a shared hosting account.
2. Delete all files in my account except actual databases that hold my CMS content, form processor data and forum.
3. Inspect above databases for malicious data.
4. Log in to my account at host and delete all current FTP accounts. Create new account with strong password. Change login password to my host, too.
5. Re-upload site from original files held on my home computer. Just to be safe, inspect these files for malicious code, which I highly doubt is present.
6. Utilize new user names and passwords to connect to my databases, as hacker likely has my configuration files that hold my old database passwords.
7. Worry that shared server still has some malicious code on it! Most likely, the hacker did not compromise the whole shared server, rather just entered my account via hacked FTP, but there is no way to prove it.
8. Once site is rebuilt, visit malicious mirror site to see if it is still running or if removal of malicious code from my site took it down.
9. Either way, once my site is clean, contact Google to report URL of malicious site and hopefully have it de-indexed.
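
One way to carry out the file checks in steps 2 and 5, shown as an added example that is not part of the original post: hash the known-good local copy and a copy of the tree pulled from the host, then list files that were added, changed or are missing. The function names, directory layout and sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


def manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare(clean_root, hosted_root):
    """Compare the known-good tree with a copy downloaded from the host."""
    clean, hosted = manifest(clean_root), manifest(hosted_root)
    common = clean.keys() & hosted.keys()
    return {
        "added": sorted(set(hosted) - set(clean)),    # on host only: inspect first
        "missing": sorted(set(clean) - set(hosted)),  # deleted on the host
        "modified": sorted(p for p in common if clean[p] != hosted[p]),
    }


def demo():
    """Constructed sample: a clean tree and a hosted copy that differs."""
    clean = {"index.html": "<h1>Home</h1>", "forum/post.tpl": "{{body}}",
             "css/site.css": "body{}"}
    hosted = {"index.html": "<h1>Home</h1><!-- constructed change -->",
              "forum/post.tpl": "{{body}}", "img/cache.bin": "unexpected file"}
    with tempfile.TemporaryDirectory() as tmp:
        for label, tree in (("clean", clean), ("hosted", hosted)):
            for rel, text in tree.items():
                path = os.path.join(tmp, label, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as fh:
                    fh.write(text)
        return compare(os.path.join(tmp, "clean"), os.path.join(tmp, "hosted"))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

Running the same comparison again after the re-upload in step 5 should report nothing in any of the three lists.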