Lately I have been having trouble with old Umbraco sites not having the latest security updates. Weird files are added in the root of the site with spam links.
This is the workflow I use when doing a security upgrade on Umbraco 4 or 6. I don't really have the guts to alter version 3 sites anymore.
Start off by making a backup of the database and the files of the site you are going to upgrade.
Download the latest release of the version you are upgrading. Extract it into a folder; I usually just name the folder after the release (e.g., "4.11.10"). Then create a new folder called "upgrade" and copy the following files and folders over:
Open up a code diff program. I use Code Compare. With Code Compare you can open up two folders and compare them. The free version works great for this. Open the upgrade-folder and your backup-folder (you didn't skip the backup part, did you?) in Code Compare.
* The Config-folder sometimes contains custom config; in my case especially umbracoSettings.config contains a lot of custom settings. Make sure to merge that over to the upgrade-folder (and not the backup).
* You need to merge in the connection string and version number along with other changes you or a package may have made to the Web.config.
* Merge /Umbraco/Config/Create/UI.xml and /Umbraco/Config/Lang/*.xml if needed.
The Big Merge
Drag the content of your upgrade-folder into the root of the website you want to upgrade. When everything is uploaded, clear your cookies or open up the site in a new incognito window to run the upgrade wizard. When everything is up to date, remove the Install folder!
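
A scripted complement to the folder comparison and the final Install-folder step, added here as an example and not part of the original workflow: it compares a site folder (the backup, or a copy of the live site after upgrading) against the clean release, lists root-level files the release does not ship, lists shipped files whose content differs, and reports whether the installer folder is still present. The function names, the sample file names and the assumption that the installer is a root-level folder named "install" are illustrative.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def files_by_rel_path(root):
    # Lower-cased relative path -> file; Windows/IIS paths are case-insensitive.
    return {p.relative_to(root).as_posix().lower(): p
            for p in root.rglob("*") if p.is_file()}

def audit(release_dir, site_dir):
    """Compare a site folder (backup or live copy) against the clean release."""
    release, site = Path(release_dir), Path(site_dir)
    shipped, found = files_by_rel_path(release), files_by_rel_path(site)
    return {
        # Root-level files the release does not ship: review each one by hand.
        "unknown_root_files": sorted(
            k for k in found if "/" not in k and k not in shipped),
        # Shipped files whose content differs: a merge candidate or a modified core file.
        "changed_files": sorted(
            k for k in shipped
            if k in found and sha256(shipped[k]) != sha256(found[k])),
        # Assumption: the installer is a root-level folder named "install".
        "install_folder_present": any(
            d.is_dir() and d.name.lower() == "install" for d in site.iterdir()),
    }

def build_sample(base):
    """Write constructed sample trees standing in for the release and the site."""
    common = {"default.aspx": "page", "config/umbracoSettings.config": "<settings/>"}
    layout = {
        "release": {**common, "Web.config": "<configuration/>",
                    "install/default.aspx": "wizard"},
        "site": {**common, "Web.config": "<configuration><!-- custom --></configuration>",
                 "links123.html": "spam links", "Install/default.aspx": "wizard"},
    }
    for tree, files in layout.items():
        for rel, text in files.items():
            target = Path(base, tree, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
    return Path(base, "release"), Path(base, "site")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(*build_sample(tmp)))
```

Legitimate custom files (a robots.txt, a favicon) also show up under `unknown_root_files`, so treat the list as items to review rather than as confirmed spam files.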