There are some very common exploits on many php web apps that can allow localized attacks on both windows and linux servers.
you did good in checking FTP every since the first major Adobe exploits ~2 years ago there have been a huge number of FTP accounts compromised on the client side, even though it wasn't the access route it seems for you, it is a very good first place to check.
Other places my include webDAV logs if you have any webDav server, and FrontPage logs if having FP authoring enabled. (both windows and linux servers in these cases) these many times can use the same ftp credentials but are a harder to trace 'hack' due to the fact they are lesser used.
Mostly outdated versions of wordpress/joomla could lead into accounts hacks and if server is not secured enough, defacing could be for all sites. No matter your passwords are strong if there is a backdoor