Every time, a hacker would mutilate the index.htm, index.php or index.html file in public_html and also "exult" by appending "Hacked by" somewhere.
Run the following script via cron on a regular base to discover whether an index file in any user public_html directory was hacked or not.
Just copy this code into a file, save it somewhere as hackers.sh, chmod 755 and run via cron daily.
#!/bin/sh for i in `cat /etc/trueuserdomains| awk {'print $2'}`; do grep -rl "Hacked" /home/$i/public_html/index.htm; done | mail -s "Infected Files" your@emailaddress for i in `cat /etc/trueuserdomains| awk {'print $2'}`; do grep -rl "Hacked" /home/$i/public_html/index.html; done | mail -s "Infected Files" your@emailaddress for i in `cat /etc/trueuserdomains| awk {'print $2'}`; do grep -rl "Hacked" /home/$i/public_html/index.php; done | mail -s "Infected Files" your@emailaddress