Had the same problem where all the websites under my hosting package were compromised by these annoying *r*eholes.
After going through log files and checking for rootkits, etc., it was discovered that one of the sites under my hosting package was running an old 2007 version of OS Commerce, which had a security hole.
After a forced attack to gain access to the admin console, the hacker was able to modify the logoff.php file, which enabled him to go up a directory to the main root where all my sites were.

Luckily for me, almost all of the files were still there; however, they had replaced the index.htm files with their own or added an index.html file or an index.php file.
I'm in the process of rebuilding the OS Commerce site with a more secure and up-to-date version; however, deleting the site (or deleting the logoff.php file) removed the threats.
I hope this helps...
