My websites and client websites were hacked yesterday, 16 December 2012. It only showed 'hacked by hacker' on the home page and I couldn't access the admin.
The following files were compromised and I restored them from my back up:
header.php in my theme
index.php in my theme
index.php in the main folder
.htaccess in the main folder
(I am using 'Responsive' child theme by the way)
My site shows again but i can't access the admin log in form. Some of my text widgets are displaying default text rather than my own content, and my CSS file seems to be modified as well. The 'WP site-name' php shortcodes also seem to be corrupted, as it no longer shoes 'Copyright 2012 MY SITE NAME', but shows "© 2012 +ADw-/title+AD4-hacked by hacker+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4"
cPanel shows the IP address and referring url of the hackers:
It corresponds to the file modification dates. The above link shows my site however... I've blocked them with cPanel you should probably do the same. I also updated WP via cPanel on one of my sites, but everything is not back to normal.
I have a backed up version of my site on my computer. I may ask my host to reset my server and then upload the backed up version and change all passwords and install plugins.
So annoying! These guys are losers.
Hope this helps anyone in the same situation. Anyone been able to restore their sites completely? Please share with us how you did it.