1 hhuntington2 Oct 09, 2009 06:59
3 hhuntington2 Oct 09, 2009 17:16
Thanks. Actually they modified my index.php and blogX.php where X= valid blog entries. Also modified /htsrv/trackback.php and may have added a file called .ftpquota
These files all had 755 permissions. Don't they need that to be able to execute the blog code or can I clamp them down tighter? Not sure how they got access to the files when there was only write access for the owner.
Thanks again,
Henry
4 edb Oct 09, 2009 17:23
I've no idea how folks get in and do bad things other than my own experience: 777 on /media/ opens a door to anyone else on the same shared server.
Password got out or was guessable maybe?
Oh, ftpquota might be a real file. I've got copies of that on some servers I get to play with, but not all of them. Dunno what it is or does, but I'd bet ya half a loaf of slightly stale bread Google does :)
5 hhuntington2 Oct 11, 2009 20:42
Thanks EdB,
I ended up re-installing (and upgrading to 2.7 at the same time). The permissions on those files by default are 644 so I'll just keep them that way.
The real pain is that I got temporarily dropped from Google index for "violating" TOS. Could have been worse though.
Thanks again,
H.
That is quite possibly the limit of damage, but you might want to use your FTP program to compare date stamps on all files in the /skins/ folder including all files in any skins you have in the /skins/ folder.
Alternatively, and much easier, delete your entire /skins/ folder from your server and upload clean copies from your local backup copies. You do have backup copies of all the files, I trust?
By the way, consider the same for all files in your installation's root directory. Oh, and any directories you've got opened up to 777 if there are any. /media/ is a good place to assume some evil has been done, though I don't think anything bad in /media/ can do damage to what gets displayed by index.php or a stub file.
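The checks discussed in this thread (directories opened up to 777, files whose mode differs from the default 644, and date stamps newer than a known-clean upload), as an added example that is not part of any post above. The function names `audit_tree` and `build_sample_tree`, the baseline time, and the sample tree are assumptions made for illustration; run it on a host where Python can read the web root.

```python
import os
import stat
import tempfile
import time

def audit_tree(root, baseline, file_mode=0o644):
    """Return sorted (relative_path, reason) findings under root.

    baseline is the epoch time of the last known-clean upload (assumed to
    have been recorded). mtime can be reset by an intruder, so an empty
    result is not proof of a clean tree; compare against backups as well.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink permission bits are not meaningful
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:  # e.g. a 777 directory
                findings.append((rel, "world-writable"))
            if stat.S_ISREG(st.st_mode):
                if mode != file_mode:  # e.g. 755 where 644 is the default
                    findings.append((rel, "mode-differs"))
                if st.st_mtime > baseline:
                    findings.append((rel, "modified-after-baseline"))
    return sorted(findings)

def build_sample_tree(base):
    """Create a constructed sample tree in base; return its baseline time."""
    baseline = time.time() - 7 * 86400
    dirs = {"htsrv": 0o755, "skins": 0o755, "skins/sample": 0o755, "media": 0o777}
    files = {  # path: (mode, mtime offset in seconds relative to baseline)
        "index.php": (0o755, 3600),
        "htsrv/trackback.php": (0o644, 3600),
        "skins/sample/main.php": (0o644, -86400),
    }
    for d, mode in dirs.items():
        os.mkdir(os.path.join(base, d))
        os.chmod(os.path.join(base, d), mode)  # explicit, independent of umask
    for f, (mode, offset) in files.items():
        path = os.path.join(base, f)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)
        os.utime(path, (baseline + offset, baseline + offset))
    return baseline

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in audit_tree(tmp, build_sample_tree(tmp)):
            print(f"{reason:24} {rel}")
```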