
[RESOLVED] Hacked site shows path in logs that I can't find

PostPosted: Sat Oct 07, 2006 11:09 am
Author: hornakapopolis
I'm helping out with a site that was hacked (because I've used IntegraMod a lot, not because I know what I'm doing). Here's a quick rundown of the situation.

The site was hacked, so the current webmaster went through looking for files that didn't belong. He thinks he got them all.
A couple of days later, he got an e-mail saying that his site had been hacked and giving this address:

.../images/avatars/onlineid-sessionload/cgi-bin/sso.login.controllernoscript=true/sessiondid=2335454893_Secured152388884&Update/index.htm

That page didn't load.

This morning, this URL was in his logs..

.../images/avatars/onlineid-sessionload/cgi-bin/sso.login.controllernoscript=true/sessiondid=2335454893_Secured15

He doesn't remember deleting anything out of the avatars directory, but he might have just forgotten.

We have FTP access and File Manager access through cPanel. If we're not seeing it, it's not there, right? I'd rather hear it from a knowledgeable person's mouth than rely on my common sense. I realize that doesn't mean it's not coming back, but as for right now...

PostPosted: Sat Oct 07, 2006 2:11 pm
Author: suicico
I answer only 'cause my sense is not common :D
Anyhow, good luck solving this.

PostPosted: Sat Oct 07, 2006 3:39 pm
Author: computerz
Check all files and subdirectories in images/avatars and compare them with a clean install. For example, download a clean version of IntegraMod and compare its images/avatars directory.

Sometimes the hacker will include a file that doesn't look suspicious but which is actually a script. For example, a .jpg file may not actually be a picture but a script. They may also do stuff like put a .htaccess file in there that doesn't belong, etc.

So just double check the folder and look for stuff that doesn't belong.

Also, you should download PuTTY so you can see your files from the command line. You should have some kind of shell access to your server, because in some cases a hacker will upload bits which can't be deleted through FTP; you will need shell access to see and delete those files.
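One way to do the comparison computerz describes once you have shell access, as an added example that is not from this thread or from IntegraMod: walk a suspect images/avatars directory next to a clean reference copy and report files that exist only in the suspect copy (a stray .htaccess), files whose content differs, and "images" whose first bytes are not an image header. The directory names and the tampered sample files are constructed for the demo.

```python
import filecmp
import os
import tempfile

# First bytes a genuine image with this extension should start with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}

def walk_files(root):
    # {relative path: absolute path} for every file under root, dotfiles included
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = full
    return out

def audit_directory(suspect, clean):
    """extra: only in suspect (e.g. a stray .htaccess); modified: content differs
    from the clean copy; disguised: image extension but no image header."""
    s_files, c_files = walk_files(suspect), walk_files(clean)
    report = {"extra": [], "modified": [], "disguised": []}
    for rel, full in sorted(s_files.items()):
        if rel not in c_files:
            report["extra"].append(rel)
        elif not filecmp.cmp(full, c_files[rel], shallow=False):
            report["modified"].append(rel)
        ext = os.path.splitext(rel)[1].lower()
        if ext in MAGIC:
            with open(full, "rb") as f:
                head = f.read(8)
            if not head.startswith(MAGIC[ext]):
                report["disguised"].append(rel)
    return report

def build_sample():
    # Constructed toy data: a clean copy and a tampered copy of images/avatars
    clean, suspect = tempfile.mkdtemp(prefix="clean_"), tempfile.mkdtemp(prefix="suspect_")
    real_jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    for root in (clean, suspect):
        with open(os.path.join(root, "user1.jpg"), "wb") as f:
            f.write(real_jpg)
    with open(os.path.join(suspect, "user2.jpg"), "wb") as f:   # script, not a picture
        f.write(b"<?php /* constructed placeholder, does nothing */ ?>")
    with open(os.path.join(suspect, ".htaccess"), "wb") as f:   # does not belong here
        f.write(b"# constructed placeholder\n")
    return suspect, clean
```

Run it as `audit_directory(*build_sample())`, or point `audit_directory` at the real upload directory and an unpacked clean download.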

PostPosted: Mon Oct 30, 2006 11:55 am
Author: hornakapopolis
Thanks for the help, all.