My site was defaced ("hacked"). Now what?
Last modified: April 6, 2009 - 21:10
Basics
Attacks can happen in a variety of ways. Even if the only web application running on your server is Drupal, it's possible that the attacker used a different method of gaining access to your server to deface your site.
Rule out other attack vectors
- The entry point may not be Drupal at all, but FTP, SSH, or another service on the server.
- Check whether the site was defaced directly through your FTP account. Many attacks now originate from malware-infected computers, especially where FTP passwords are saved in a client such as Total Commander. Symptoms of this type of attack: your site now prints a "PHP Parse error: parse error" message from index.php, and you find a strange <iframe> or <script> in index.php linking to some .cn domain. In that case, disconnect your computer from the internet, install antivirus software and run a scan, delete all saved passwords from Total Commander, and change all your passwords, including FTP and system accounts.
- Check Apache's logs for suspicious activity. This might indicate a vulnerability in a web application, possibly Drupal itself.
- Check other applications running on the server.
- Check other accounts on a shared server.
- Make sure you are not running an out-of-date Drupal version
- Check the recent security announcements for Drupal core and contributed modules. Would any of them enable the kind of attack that happened to your server?
- ?
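The injected <iframe> or <script> described above can be found without opening every file by hand. The script below is an added example, not part of this handbook page: it scans a web root for iframe or script tags whose src points at an absolute external URL, which legitimate Drupal core files never contain, and prints file, line and host for each hit. The fixture directory it builds (make_fixture, with the host attacker.example) is constructed for demonstration and is not a real site.

```shell
#!/bin/sh
# Added example: locate injected <iframe>/<script> tags that pull content
# from an external host, the symptom described in the handbook.
# Usage: scan_injected_tags /path/to/drupal

# Print "file:line:host" for every <iframe ...> or <script ...> whose src
# is an absolute http(s) URL. Relative includes such as /misc/drupal.js
# are ignored, so each line printed deserves a manual look.
scan_injected_tags() {
    root="$1"
    pat="<(iframe|script)[^>]*src=[\"']?https?://"
    find "$root" -type f \( -name '*.php' -o -name '*.inc' -o -name '*.module' -o -name '*.html' \) -print 2>/dev/null |
    while IFS= read -r f; do
        grep -n -i -E "$pat" "$f" 2>/dev/null |
        while IFS= read -r hit; do
            line=${hit%%:*}
            host=$(printf '%s\n' "$hit" | sed -E "s#.*src=[\"']?https?://([^/\"' >]+).*#\1#")
            printf '%s:%s:%s\n' "$f" "$line" "$host"
        done
    done
}

# Constructed fixture (not a real Drupal install): one clean PHP file, one
# index.php carrying an injected hidden iframe, one legitimate relative
# <script> include that must not be reported. Echoes the directory path.
make_fixture() {
    d=$(mktemp -d)
    printf '<?php\nprint "clean";\n' > "$d/clean.php"
    printf '<?php\nprint "site";\n?>\n<iframe src="http://attacker.example/x.html" width="0" height="0"></iframe>\n' > "$d/index.php"
    printf '<script type="text/javascript" src="/misc/drupal.js"></script>\n' > "$d/page.html"
    printf '%s\n' "$d"
}

# Stand-alone run over the constructed fixture.
fixture=$(make_fixture)
scan_injected_tags "$fixture"
rm -rf "$fixture"
```

On a real server, run it against the Drupal installation directory and compare any hits against a clean copy of the same Drupal release; a hit in index.php or in a contributed module's files is exactly the trace the handbook describes.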
What to report to the Drupal security team
- Drupal version
- List of contributed modules and their versions
- Apache/PHP versions
- Do you maintain your site via FTP? If not, is your site accessible using FTP?
- Name of your hosting company
- Permissions on the files in your Drupal directory (e.g. from ls -l in the Drupal installation directory)
- ?
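Most of the items in this report can be collected from the installation directory itself. The script below is an added example, not part of this handbook page or of Drupal: it reads the core version from the VERSION define in modules/system/system.module (or includes/bootstrap.inc), lists contributed modules with the version line from their .info files, lists world-writable files (the permission problem most worth flagging), and notes the PHP version when the php binary is on the PATH. The fixture it builds (make_report_fixture, core 6.10, Views 6.x-2.3, an unversioned cck checkout) is constructed for demonstration only.

```shell
#!/bin/sh
# Added example: gather the facts the security team asks for from a
# Drupal installation directory.
# Usage: collect_report /path/to/drupal

# Core version from the VERSION define (system.module in Drupal 5/6,
# bootstrap.inc in Drupal 7). Prints "unknown" and returns 1 if absent.
drupal_core_version() {
    root="$1"
    for f in "$root/modules/system/system.module" "$root/includes/bootstrap.inc"; do
        [ -f "$f" ] || continue
        v=$(sed -n "s/^define('VERSION', *'\([^']*\)');.*/\1/p" "$f" | head -n 1)
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    printf 'unknown\n'
    return 1
}

# One "name version" line per .info file under sites/*/modules. Modules
# checked out from version control have no version line and show as
# "unversioned", which is itself worth reporting.
contrib_module_versions() {
    root="$1"
    for info in "$root"/sites/*/modules/*/*.info; do
        [ -f "$info" ] || continue
        name=$(basename "$info" .info)
        ver=$(sed -n 's/^version *= *"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$info" | head -n 1)
        printf '%s %s\n' "$name" "${ver:-unversioned}"
    done
}

# Files any local user or process can modify (others-write bit set).
world_writable_files() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# Assemble the report on standard output.
collect_report() {
    root="$1"
    echo "Drupal core version: $(drupal_core_version "$root")"
    echo "Contributed modules:"
    contrib_module_versions "$root" | sed 's/^/  /'
    echo "World-writable files:"
    world_writable_files "$root" | sed 's/^/  /'
    if command -v php >/dev/null 2>&1; then
        echo "PHP version: $(php -v | head -n 1)"
    else
        echo "PHP version: php not on PATH (check with your host)"
    fi
}

# Constructed fixture (not a real Drupal install) so the script runs
# offline: a Drupal 6.10 core file, a packaged Views module, an
# unversioned cck checkout and one world-writable upload.
make_report_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/modules/system" "$d/sites/all/modules/views" "$d/sites/all/modules/cck" "$d/sites/default/files"
    printf "<?php\ndefine('VERSION', '6.10');\n" > "$d/modules/system/system.module"
    chmod 644 "$d/modules/system/system.module"
    printf 'name = Views\nversion = "6.x-2.3"\ncore = 6.x\n' > "$d/sites/all/modules/views/views.info"
    printf 'name = Content\ncore = 6.x\n' > "$d/sites/all/modules/cck/content.info"
    : > "$d/sites/default/files/upload.txt"
    chmod 666 "$d/sites/default/files/upload.txt"
    printf '%s\n' "$d"
}

# Stand-alone run over the constructed fixture.
fixture=$(make_report_fixture)
collect_report "$fixture"
rm -rf "$fixture"
```

Run collect_report against the real installation directory and paste its output into the report, alongside the Apache version and hosting company, which the script cannot determine from the files alone.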
