by editor_jcrt
about 1 year ago

Tom,
Sorry, when is “then” in “then to mid-May”? You mean mid-May to the 20th? I have those. Please give me a second.

by editor_jcrt
about 1 year ago

Here is the chat transcript with Apollo on May 25.

Carl Raschke: What were the dates of the logins last week?
Carl Raschke: Can you copy me here those dates?
Carl Raschke: If there is malware on the site that is flagged by google, and the index page is missing, could it be at any level in the site? Is there some way to find out where it is? There are a lot of files on the site.
Seena: I could see that most of your files were modified on May 14 and May 22.
Seena: May 22 07:25:25 secure11 proftpd4624: secure11.apollohosting.com (88.250.164.83[88.250.164.83]) – USER craschke: Login successful.
Seena: You can find the IP in the log
Carl Raschke: Thank you. Now my question about finding the malware.
Seena: Carl, if you have a local backup of your site you can just replace the current content.
Carl Raschke: Can you also give me the login for May 14, so I can identify the IP at that date too. The malware was apparently installed between the 14th and the 22nd.
Seena: You have to check the code of your site; this may be several links or JavaScript.
Carl Raschke: What do you mean by this statement? Sorry, I don’t understand.
Seena: >>Now my question about finding the malware. Malware may be some JavaScript or several unwanted links.
Carl Raschke: Okay. I understand. But can you give me the FTP log for May 14 also, so I can get the IP for that date too?
Seena: 88.250.164.83, 78.160.184.223
Carl Raschke: Thank you very much. I think that is all for now.
Seena: You can re upload the content and verify using www.google.com/webmasters/
Seena: once this is done, you can go to http://www.google.com/addurl/?continue=/addurl and request that google re-crawl the site
Seena: No problem
Carl Raschke: Thank you also for the extra tips.
Seena: It's my pleasure. Please go through the FTP security links I have given to make your connection secure.
Carl Raschke: I have one more question. Can you check logs to see when the password for that domain was last reset?
Seena: Carl, I was checking the rotated logs and can see so many FTP accesses from May 6 and May 10.
Carl Raschke: That must mean someone hacked in. Do you mean someone changed the password as well?
Seena: Normally, more than three incorrect login attempts result in a password lock, for more security. Probably your FTP password might have been locked because of these attempts. You can change the password from the control panel.
Seena: For more security you can change the control panel password
Carl Raschke: I understand now how to increase security. What I’m trying to establish is from the log record whether it looked as if on May 6 and May 10 someone was trying to hack in with multiple password tries. Can you tell me what the log shows? Thank you.
Seena: May 6 04:07:57 secure11 proftpd7762: secure11.apollohosting.com (78.189.24.130[78.189.24.130]) – USER craschke (Login failed): Incorrect password.
May 6 04:13:57 secure11 proftpd24133: secure11.apollohosting.com (72.51.147.81[72.51.147.81]) – USER craschke (Login failed): Incorrect password.
May 6 04:20:57 secure11 proftpd28768: secure11.apollohosting.com (121.200.78.131[121.200.78.131]) – USER craschke (Login failed): Incorrect password.
May 6 04:21:00 secure11 proftpd30418: secure11.apollohosting.com (122.161.89.158[122.161.89.158]) – USER craschke (Login failed): Incorrect password.
Carl Raschke: Thank you. When was the last login for the control panel, other than this evening?
Seena: Carl, I am unable to find this out correctly from this log, and your usernames for FTP and Plesk seem to be the same.
Carl Raschke: Okay. Thank you. That’s all for now. I appreciate it very much.

by WeWatch
about 1 year ago

The IP address 122.161.89.158 is known to be from India and is known to be a spambot. The IP address 88.250.164.83 is known to be from Turkey and is also known to be a spambot. The IP address 78.160.184.223 is also from Turkey but is not currently on any blacklists.

My guess is that this is more of a typical martuz/gumblar and someone has stolen your FTP login credentials.

Were your FTP passwords changed during this time? It appears they got in on May 22 successfully then after that they were trying different passwords and being unsuccessful.

Scan all PCs that have FTP access to your site, even developers outside the company. Use an anti-virus that you currently aren’t using. For instance, if you’re using AVG, use Avast or Avira. We’ve found that these PC infections know how to hide from your existing anti-virus so use something different and you’ll find it and clean it.

Then change all your FTP usernames and passwords.

Then check your htaccess files. Normally the FTP log files will also show what was uploaded. Not always. So if you can find the files they uploaded, you’ll know what to clean. Unless they uploaded a remote shell which gives them remote access to your site.

Scan your PCs, and see if you can send me the htaccess file(s) (there may be more than one).

Let me know…

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
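As an added illustration (not part of this thread or of Apollo's tooling), the check Carl asked Seena to make by hand and that Tom uses to build the timeline: parse proftpd auth lines in the format quoted in the transcript, flag bursts of failed logins against one account from several addresses, and list the successful logins with their source IPs. The sample log, the year, and the 15-minute/3-attempt thresholds are constructed assumptions, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches proftpd auth lines as quoted in the transcript; the pid's brackets were
# lost in extraction ("proftpd4624"), so anything after "proftpd" is accepted.
AUTH_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ proftpd\S*: "
    r"\S+ \([^\[]*\[(?P<ip>[^\]]+)\]\) [–-] USER (?P<user>\S+?)"
    r"(?::| \(Login failed\):) (?P<outcome>Login successful|Incorrect password)\.$"
)
ASSUMED_YEAR = 2000  # syslog stamps carry no year; placeholder, not from the page

def parse_auth_line(line, year=ASSUMED_YEAR):
    """(timestamp, ip, user, success) for an auth line; None for any other line."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"], m["outcome"] == "Login successful"

def analyse(log_text, window=timedelta(minutes=15), threshold=3):
    """Per user: successful logins (time, ip) and failure bursts, a burst being
    >= threshold failures within `window`. Many distinct IPs in one burst against
    one account is the distributed password-guessing pattern seen in the transcript."""
    events = sorted(e for e in map(parse_auth_line, log_text.splitlines()) if e)
    successes, failures = defaultdict(list), defaultdict(list)
    for ts, ip, user, ok in events:
        (successes if ok else failures)[user].append((ts, ip))
    bursts = []
    for user, fl in failures.items():  # fl is time-ordered; greedy non-overlapping windows
        i = 0
        while i < len(fl):
            j = i
            while j + 1 < len(fl) and fl[j + 1][0] - fl[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                bursts.append({"user": user, "start": fl[i][0], "count": j - i + 1,
                               "ips": sorted({ip for _, ip in fl[i:j + 1]})})
            i = j + 1
    return {"successes": dict(successes), "bursts": bursts}

# Constructed sample in the transcript's line format; IPs are from documentation ranges.
SAMPLE_LOG = """\
May  6 04:07:57 secure11 proftpd[7762]: secure11.apollohosting.com (192.0.2.10[192.0.2.10]) - USER craschke (Login failed): Incorrect password.
May  6 04:13:57 secure11 proftpd[24133]: secure11.apollohosting.com (198.51.100.7[198.51.100.7]) - USER craschke (Login failed): Incorrect password.
May  6 04:20:57 secure11 proftpd[28768]: secure11.apollohosting.com (203.0.113.5[203.0.113.5]) - USER craschke (Login failed): Incorrect password.
May  6 04:21:00 secure11 proftpd[30418]: secure11.apollohosting.com (203.0.113.77[203.0.113.77]) - USER craschke (Login failed): Incorrect password.
May 22 07:25:25 secure11 proftpd[4624]: secure11.apollohosting.com (192.0.2.10[192.0.2.10]) - USER craschke: Login successful.
May 22 07:30:00 secure11 proftpd[4700]: secure11.apollohosting.com (192.0.2.10[192.0.2.10]) - FTP session closed.
"""
```

Run `analyse(SAMPLE_LOG)` to get one four-address burst against `craschke` on May 6 and the single May 22 success; lowering `threshold` or widening `window` changes what counts as a burst.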

by editor_jcrt
about 1 year ago

The password was changed after May and is currently very strong.

by WeWatch
about 1 year ago

It can be uncrackable, but if they steal it from your PC, either with a virus that’s undetectable by your current anti-virus software, or with a keyboard logger, or with an FTP-sniffing virus, they can still get it.

I’m just trying to piece together the timing of things so we can nail down how your site was hacked.

That’s all.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
