The first thing i noticed was that Administrator account passwords were changed, So i instantly knew something was wrong.

Since i usually store main settings in a file for faster access , i just opened FTP to look at the time stamp associated with the file. This showed me the last modifed date of the file and an approximate idea when the hacker changed the details.

Next step was to dig up the raw access logs from CPanel , After downloading the access logs for that specific file i opened them in PSPad ( My fav editor ) . Logs are not small of busy sites so you will be looking at a very large amount of data.

But i knew specific url which can be used to change the settings so i just did a Ctrl-F and put in the url with a POST prefix , as a form has to be submitted to change settings . This gave me a few instances of that URL with POST request.

Now looking at the time stamp i was able to find out when the hacker did the settings change. Means I had the IP.Doing another another CTRL-F on the IP and pressing list put all the hacker logs in another window , which makes its easy for us to go step by step at his efforts to crack the system.

After going from the start i noticed after certain URL he suddenly had got access to the admin section , And once i put in the url myself, i knew what the problem was.

And so it was fixed.