Has your outdated wordpress or other shrinkwrapware been compromised? (Yes >.>)
After taking steps to shut down the site you should probably use the find command to check to see if there are any unusual files which have been uploaded recently. If you scramble to close the hole and do updates before this step you will likely end up drowning any suspects in the results.
If you don’t remove, for example, a phishing page before plugging the hole you:
- May never find out it’s there
- Are contributing to phishing
- One day your ISP will probably forward you a sternly worded letter from the victimized institution and threaten to drop your service if the page is not removed in 24 hours
Use your imagination if it’s something worse, like a rootkit or webshell.
It is necessary to determine the earliest possible time the attack could have taken place. It won’t kill you to add a day or two for safety.
# find /var/www/localhost/htdocs/ -type f -ctime -X
Where X is the number of days to look back.