It depends upon the motive of the attacker. If you were targeted specifically, its possible the attacker will first attempt to hide their presence on the system, and then remain there quietly observing, altering files or using it as a . . .
It depends upon the motive of the attacker. If you were targeted specifically, its possible the attacker will first attempt to hide their presence on the system, and then remain there quietly observing, altering files or using it as a stepping stone to launch further attacks. If however you just happened to be running a specific un-patched piece of software, for which a vulnerability / exploit code was recently published, its likely your server was only compromised because it was an easy target. In this case your index page was probably renamed, and new one left in its place carrying some (relevant at the time) political message from the defacer. Along with the appearance of your page in its altered state, for all to see at one of the defacement mirror sites such as Zone-H or Delta 5 Security.

The first scenario would require a custom response given the specific circumstances, which is why the second is usually preferable, leaving the systems administrator with a clear course of action:

The link for this article located at RootSecure is no longer available.