Forum Moderators: phranque

Message Too Old, No Replies

Client's site hacked, but can't find compromised files

hack, joomla, client, domain, spam


codechicky

5:35 pm on Apr 18, 2011 (gmt 0)

10+ Year Member



A client's (state university) site (a large site) has been hacked. I didn't discover the hack on the site, but actually on Twitter. There are links on Twitter to the client's domain, but they reference being able to download free software, etc. So I investigated the entire site for any files that had been modified, looked for the hacked pages by the URL, checked the config file, the http files, etc. Nothing I can find has been changed. The URL isn't even located within the site, which is what puzzles me. The root URL is in fact correct, but the rest of it is not right. The site is Joomla, so the URL lists the article ID or content ID, etc., and the numbers in the URL don't correspond to anything.
I'm trying to figure out if the hacker has cloaked the domain or something like that to make it appear like it's our site. I hate to post the link here because I don't want to give the hacker more traffic, but I can PM the info.

Thanks for your help! I'm pulling my hair out!

codechicky

5:38 pm on Apr 18, 2011 (gmt 0)

10+ Year Member



You can go to Twitter and search for c(a)ver(n)(dot)n(ms)u, removing all the () of course.
That will show you the links to the hacked/hijacked pages.

Leosghost

5:52 pm on Apr 18, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The code on those pages shows that divs (various div classes) are being generated filled with keywords, or those keywords are being injected into already existing divs.
Without seeing the "backend", can't give you any better clues than that.

Search the site for the bad keyword strings ... that will tell you if the bad source KW list is on-site .. if they don't show up in a site search then they are being called in from outside .. so look for scripts which are making off-server calls too ..

Check "last change" dates for any that are wrong compared with known last-change dates (i.e. the last time you or someone authorised worked on the site) .. sometimes hackers leave easy clues ..

Oh and welcome to WebmasterWorld ..wish your first visit / post had been in happier circumstances.

HTH
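The three checks above (grep the web root for the spam keyword strings, compare file modification times against the last authorised change, and look for scripts that make off-server calls), as an added example that is not from the thread or from Joomla. It is a POSIX shell triage script; the throw-away web root it builds under mktemp, the file names and contents, the keyword list and the timestamp 201104110000 are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: triage a web root for SEO-spam injection.
#  1) find files containing the spam keyword strings
#  2) find files modified after the last authorised change
#  3) find PHP files that call out off-server or eval obfuscated payloads
# Everything below (paths, file contents, keywords, timestamps) is constructed.

# Build a throw-away "web root": one clean template, one injected HTML fragment,
# one dropper hidden in a cache directory (a common hiding place under images/).
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/templates/site" "$root/images/stories/.cache"
  cat > "$root/templates/site/index.php" <<'EOF'
<?php
// legitimate template file: just outputs the component buffer
echo $this->getBuffer('component');
EOF
  cat > "$root/templates/site/inject.html" <<'EOF'
<div class="sidebar">cheap photo app sale - download free software here</div>
EOF
  cat > "$root/images/stories/.cache/tmp.php" <<'EOF'
<?php
// injected: pulls the keyword list from a remote host and evals a hidden payload
$kw = file_get_contents("http://example.invalid/kw.txt");
echo "<div class=\"footer\">" . $kw . "</div>";
eval(base64_decode("ZWNobyAnaGknOw=="));
EOF
  # the legitimate file keeps an old mtime (before the last authorised edit)
  touch -t 201103010000 "$root/templates/site/index.php"
  printf '%s\n' "$root"
}

# 1) files containing any of the keyword strings (case-insensitive ERE)
find_keyword_hits() {        # $1 = web root, $2 = keyword regex
  find "$1" -type f -exec grep -ilE -- "$2" {} + 2>/dev/null | sort
}

# 2) files modified after a reference time (touch -t format: CCYYMMDDhhmm)
find_recently_modified() {   # $1 = web root, $2 = last-good timestamp
  ref=$(mktemp)
  touch -t "$2" "$ref"
  find "$1" -type f -newer "$ref" | sort
  rm -f "$ref"
}

# 3) PHP files that fetch remote content, open sockets, or decode+eval payloads
find_offserver_calls() {     # $1 = web root
  find "$1" -type f -name '*.php' -exec grep -lE \
    -e 'curl_init|fsockopen|file_get_contents\(.?https?:' \
    -e 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' {} + 2>/dev/null | sort
}

triage() {                   # $1 = web root, $2 = keyword regex, $3 = timestamp
  echo "== files containing keywords ==";      find_keyword_hits "$1" "$2"
  echo "== files modified after $3 ==";        find_recently_modified "$1" "$3"
  echo "== off-server calls / obfuscation =="; find_offserver_calls "$1"
}

# Demo run against the constructed web root.
demo_root=$(make_sample_root)
triage "$demo_root" 'photo app sale|free software' 201104110000
rm -rf "$demo_root"
```

Against a real Joomla install you would call `triage /path/to/webroot 'kw1|kw2' CCYYMMDDhhmm` with the keywords seen in the Twitter links and the date of the last legitimate edit. The first two checks are cheap but easy to defeat (the keyword list can live off-server, and an attacker can reset mtimes with `touch`), which is why the third check looks for the outbound fetch and the decode-and-eval chain rather than for the keywords themselves.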

codechicky

6:42 pm on Apr 18, 2011 (gmt 0)

10+ Year Member



This is making me crazy! Can't find any of the KWs in the site anywhere. Checked the DB also, nothing there. What's interesting is that the university's sister site (Alamogordo) was hacked a couple of months ago by the same group, but they are running a WordPress site. And on our site, it is Alamogordo's hacked page that is showing up under our domain. Alamogordo said they fixed the hack and it's not showing up on their site anymore, but when I did a search on their site for some of the KWs they still show in the results. I get an error page when I click on them, so I guess the pages don't exist any longer; I guess their cache just needs a good cleaning.
When I ran the link that is on Twitter through "Dr. Web" (it's a bug tracker) it said it was clean, but that it was redirecting to a software site.

What should I look for that would show it's calling off server?

I'm not used to dealing with all this server stuff. :0)

Thanks for the help Leo!

codechicky

6:48 pm on Apr 18, 2011 (gmt 0)

10+ Year Member



Oh, & thanks for the Welcome, Hopefully I will have some happy things to share soon! :)

Leosghost

7:11 pm on Apr 18, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



nmsua.edu appears to be where the problem started .. if I run a search using the nmsua.edu search box on the pages "cached" from your site .. using non-standard characters (those that should have been "sanitized" out) .. even before the search is run, the browser tells me that it is downloading data from "nmsua.edu" .. IMO that is where the problem lies.

When the search is run, I get pages found carrying those "photo app sale" terms .. but the links to the pages, if clicked, give 500 errors ..

I presume you and Alamogordo share the nmsua.edu backend? .. again, diagnosing "hacks" without access is nigh on impossible .. plus it's 21:00 hours here and I'm due to be fixing dinner .. so I won't be around consistently over the next few hours .. but others here will.
One other thing .. you say it was the same "group" .. how do you know? Did they leave "deface" tags on both sites? ..

btw .. I also found references to your first-mentioned site as a source of "software" on an article site (they are still live .. you appear to have taken your site offline for now) .. it appears they have been hacked in order to direct traffic to you ..

Large "sprawling" sites like .edus are frequently hacked for "parasitic" hosting and/or warez or other illegal content, child porn dumps, etc. .. as are sites that are little used ..

codechicky

7:25 pm on Apr 18, 2011 (gmt 0)

10+ Year Member



The Alamo site and ours are not hosted on the same server, nor do we use the same CMS, so I'm not sure how they got tied together in the hack other than that they are spin-offs from the main branch of the university. I think I will dump our site and reload the backup from last week to see if that helps. I'll also contact the IT at Alamo to see if they can do the same.

I say same "group" only on an assumption because of the similarity in the hack.

Thanks for the help, enjoy your dinner! :)

I'll update on the progress.

Leosghost

7:51 pm on Apr 18, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Take a look around the Apache forum here when you have time .. and also look for posts in general re security by rocknbil, incredibill, g1smd, jdMorgan, lammert, TMS (and others whose names escape me for now) .. g1smd especially for Joomla ..

Normally we don't discuss specific security problems here .. (never know if some wannabe script kiddie might go playing with "matches" that they found here) .. and so we rarely even get into the kind of "it might be this" that we two just did .. but it seemed urgent to give you some pointers (even if, from "outside" the server, it's like examining, let alone trying to get a sound out of, a violin while wearing mittens and welding goggles) .. best of luck trying to sticky g1smd :) .. incredibly helpful member .. very respected .. but mailbox always full to bursting.

codechicky

2:56 pm on Apr 19, 2011 (gmt 0)

10+ Year Member



Well, still no resolution ...... :( I'm just perplexed! I'm going to try and PM somebody for more in-depth assistance.

Quick question for anyone who is familiar with Joomla. When I take the site offline in the admin area, it shouldn't allow connections to any pages within the site, correct? So if the hacked page is within the site, it should not be accessible? The fact that it is says to me that it is not residing within our Joom site. (Of course, I'm sure there is a hack to override the 'offline' mode for said page.)
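On the offline-mode question, as an added example that is not from the thread or from Joomla: Joomla's offline switch is enforced inside its index.php, so any request that Apache routes somewhere else never sees it. The script below scans an .htaccess for the rewrite tricks that do exactly that and that would also explain a URL "cloaked" under the site's domain: conditions on crawler user-agent or search-engine referer, a rule whose target is a PHP file other than index.php, off-site redirects, and auto_prepend_file/auto_append_file. The .htaccess content, the host example.invalid and the path /tmp/.x.php are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: flag .htaccess directives that let a URL
# under the site's domain bypass the CMS (and its "offline" switch) entirely.
# The .htaccess content below is constructed for the demo; the first four
# lines are the usual Joomla-style front-controller rewrite, the rest is
# the kind of thing an attacker appends.
make_sample_htaccess() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php
RewriteCond %{HTTP_USER_AGENT} (googlebot|slurp|bingbot) [NC]
RewriteRule ^content/([0-9]+)$ images/stories/.cache/tmp.php?id=$1 [L]
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule ^(.*)$ http://example.invalid/soft/$1 [R=302,L]
php_value auto_prepend_file /tmp/.x.php
EOF
  printf '%s\n' "$f"
}

# Print one "tag:line:text" entry per suspicious directive.
#   cloak             condition on crawler user-agent or search-engine referer
#   offsite-redirect  rule/redirect whose target is an absolute URL
#   rewrite-to-script rule whose target is a PHP file other than index.php
#   prepend           php_value auto_prepend_file / auto_append_file
check_htaccess() {    # $1 = path to .htaccess
  awk '
    { l = tolower($0) }
    l ~ /^[ \t]*rewritecond[ \t].*http_(user_agent|referer)/ { print "cloak:" NR ":" $0; next }
    l ~ /^[ \t]*(rewriterule|redirect(match)?)[ \t]/ && l ~ /https?:\/\// { print "offsite-redirect:" NR ":" $0; next }
    l ~ /^[ \t]*rewriterule[ \t]/ && l ~ /\.php/ && l !~ /[ \t]index\.php/ { print "rewrite-to-script:" NR ":" $0; next }
    l ~ /auto_(prepend|append)_file/ { print "prepend:" NR ":" $0; next }
  ' "$1"
}

count_findings() {    # $1 = path to .htaccess; prints the number of flagged lines
  check_htaccess "$1" | wc -l | tr -d ' '
}

# Demo run against the constructed file.
demo=$(make_sample_htaccess)
check_htaccess "$demo"
rm -f "$demo"
```

Run `check_htaccess` against the live .htaccess in the Joomla web root and against any .htaccess in writable subdirectories such as images/ or cache/, and review the vhost's Apache configuration as well, since the same directives can be placed there. Two caveats for the reasoning in the post above: a PHP file dropped directly into a web-writable directory is served by Apache without ever reaching Joomla's index.php, so the page staying up in "offline" mode does not show that it lives off the server; and a user-agent or referer condition means the spam version is only returned to crawlers or to visitors arriving from a search engine, which is why a browser visit and a site search can both come back clean.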