Adsense by a hacker?


incrediBILL - 6:22 am on Jul 21, 2005 (gmt 0)


If you have a real hacker on your hands, who would open up a custom injected shell (assuming you're on some version of *Nix) via some outdated software with buffer overflow vulnerabilities, there may be no trace whatsoever, as there would be no FTP log, no SSH log, nor would it show up in the shell history.

First, via FTP, sort the files on the server by date, and anything recently modified will be immediately obvious.

If you're hacked, remove the code and set a trap in the event they come back.

You'll want your ISP to change a few files with "chattr +i *", which sets the immutable bit. Basically, this means that nobody can alter the file unless you remove the immutable bit with "chattr -i *", and this can't be done via FTP, only via the command shell. If you find new code injected back into your pages, then you know they have unrestricted shell access via some vulnerability and it's a complete hack; you're not in control of the box at all.
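
The checks described in the post above, as an added example that is not part of the original thread: shell helpers that list recently modified files, confirm the immutable bit, and flag re-injected pages. It goes beyond the post by comparing content hashes, since modification times can be reset by someone with shell access; the function names and the paths in the usage comments are assumptions.

```bash
#!/usr/bin/env bash
# Added example: triage helpers for a web root after a suspected page injection.
# Function names and the paths in the usage comments are assumptions.

# List regular files under DIR modified within the last DAYS days, newest first.
# An intruder with shell access can reset mtimes, so an empty list means
# "nothing obvious", not "clean".
recent_files() {
    local dir="$1" days="$2"
    find "$dir" -type f -mtime "-$days" -exec ls -t {} +
}

# Print a content-hash manifest of DIR, one "sha256  ./path" line per file.
snapshot() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k2)
}

# Print paths under DIR that are new or whose content differs from the
# manifest stored in BASELINE. Keep BASELINE outside the web root.
changed_files() {
    local dir="$1" baseline="$2"
    # Keep manifest lines absent from the baseline, then strip the
    # 64-character hash and two-character separator to leave the path.
    snapshot "$dir" | grep -Fxv -f "$baseline" | cut -c67-
}

# Succeed if FILE carries the immutable attribute set by "chattr +i".
is_immutable() {
    lsattr -d -- "$1" 2>/dev/null | cut -d' ' -f1 | grep -q 'i'
}

# Typical use (paths are placeholders):
#   recent_files /var/www/html 7                     # what changed this week
#   snapshot /var/www/html > /root/web.manifest      # after cleaning the pages
#   changed_files /var/www/html /root/web.manifest   # any output = altered page
#   is_immutable /var/www/html/index.html || echo "immutable bit missing"
```

A page that shows up in `changed_files` while `is_immutable` still succeeds for it was altered despite the immutable bit, which is the "unrestricted shell access" case the post describes.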


Thread source: http://www.webmasterworld.com/google_adsense/8005.htm
Brought to you by WebmasterWorld: http://www.webmasterworld.com