I've got a site which I recently upgraded to Evo 1.0.15. It was hacked somehow - my hosting account got suspended for excessive database calls, there was a huge number of spammy files in my public_html directory, and the core.inc.php file had a bunch of crazy stuff in it.
This is the first time I've dealt with something like this. The site uses Jot, but doesn't have web users or allow file uploading. It doesn't store any sensitive information.
I deleted the spammy files, I uploaded a new core.inc.php file, set all new database passwords, and upgraded to Evo 1.0.15. (It was previously running an older version, Evo 1.0.5, maybe.) I was hoping that would do it.
But today I got another notice from my host, saying that my database access had been suspended due to excessive calls. They included a log file, which I don't really understand, but it shows the database username for this one site as making all the excessive calls. (I have a dozen or so sites on the server, some WordPress, but most MODx.)
I've deleted the whole folder for that site (I have backups), and deleted the database username, but not the database. I have copied a fresh MODx install in its place, and copied over just the images and media from the assets folder of the old site. I cannot install yet, as my database access is still blocked.
My plan is to install, then copy content over from the database, but I don't know what is safe to copy. I don't want to copy infected stuff and go through this all over again. I don't know what I'd even be looking for. I was hoping someone could give me some info or resources on what tables I might have to be careful about, and what I'd be looking for.