Home page of my Magento site is hacked. A hacker put his javascript and html code in design/head/includes of table core_config_data. Somehow he updated value of design/head/includes from NULL to his script that's why home page of the site is showing what he wants to show.
I have removed this value and my site starts appearing again.
There is no data loss in database, neither he has updated any code file. Only this value has been updated in database.
Admin and database passwords are quite strong. I am not sure how he updated this.
Another thing is when I give 755 permission to the folder var, the hacked page starts visible again and when I give 777 permission to var, the site starts appearing normally. I am not sure, from where the hacked page is visible. I have cleared cache from admin and removed inside content of cache too but still changing permission of var makes that hacked page available instead of home page.
I am not sure how this is happening.
Please help.