by mixedbit 4430 days ago
One problem is that a truly full cleanup of a hacked website should in theory include manual cleanup of all clients' caches (not really practical). Otherwise, a malicious index.html (for example with JavaScript that sends cookies to an attacker) could remain cached by the clients forever.
1 comments

That's a really interesting point, I'd never thought of that. Worse still, you could do some trickery with app cache manifests to prevent cache cleans/page refreshes from fixing it, maybe even forever.

I spent a bit of time messing around with that approach, and came up with this: https://github.com/sgentle/hackcache
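
An added example, not part of the thread or of the linked project: a check a site operator can run over the response headers of an HTML entry point to see how long a browser may keep reusing a cached copy without contacting the server, which is how long a cleaned-up page can stay invisible to that client. The function names, the `maxSeconds` threshold and the sample headers in the test are assumptions made for illustration.

```javascript
// Added example. Header objects use lower-case names; sample values are constructed.
function parseCacheControl(value) {
  const out = {};
  for (const part of (value || "").split(",")) {
    const [name, arg] = part.trim().split("=");
    if (name) out[name.toLowerCase()] = arg === undefined ? true : arg.replace(/"/g, "");
  }
  return out;
}

// Freshness lifetime in seconds for a private (browser) cache, following
// RFC 9111 section 4.2: max-age, then Expires minus Date, then a heuristic.
function freshnessLifetime(headers) {
  const cc = parseCacheControl(headers["cache-control"]);
  if (cc["no-store"] || cc["no-cache"] === true) return { seconds: 0, basis: "revalidate" };
  if (cc["max-age"] !== undefined) {
    const n = parseInt(cc["max-age"], 10);
    return { seconds: n > 0 ? n : 0, basis: "max-age" };
  }
  const parsedDate = Date.parse(headers["date"]);
  const date = Number.isNaN(parsedDate) ? Date.now() : parsedDate;
  if (headers["expires"] !== undefined) {
    const exp = Date.parse(headers["expires"]);
    // An unparseable Expires value means "already expired".
    const secs = Number.isNaN(exp) ? 0 : Math.max(0, Math.floor((exp - date) / 1000));
    return { seconds: secs, basis: "expires" };
  }
  const modified = Date.parse(headers["last-modified"]);
  if (!Number.isNaN(modified)) {
    // Assumption: 10% of the document's age, the fraction RFC 9111 gives as
    // typical; real browsers differ in the exact heuristic.
    return { seconds: Math.max(0, Math.floor((date - modified) / 10000)), basis: "heuristic" };
  }
  return { seconds: 0, basis: "none" };
}

// Flag an HTML entry point that clients may reuse for longer than maxSeconds
// without asking the server (maxSeconds is a hypothetical policy threshold).
function auditEntryPoint(headers, maxSeconds = 300) {
  const result = freshnessLifetime(headers);
  return { ...result, risky: result.seconds > maxSeconds };
}
```

Tightening the headers only affects responses served from now on; a copy a client already stored with a long lifetime is not revalidated until that lifetime runs out.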