Instronics and Muracu, that's a lot of very helpful information. (My only criticism is that there's no real connection between it and my easily misinterpreted comment about a "back door!")

Some specific responses:

Saying that you are certain that these modifications are not done by hand...
The lawyer in me says I should point this out: I didn't say that; I only said that they "look automated to me." I detest people who claim to be certain of things that are merely possible or probable, so I'm sensitive to imputations that I have done it myself (and I am mortified when I actually do it myself)!

Out of interest... you say the modified code redirects you to some suspicious site? What site is that?
There has actually been a fourth attack since my OP... same domain, same technique, different site. The first one was The second was; the full URL was

I've set permissions on both .htaccess and index.php to 404, which I hope will stave off further attacks until I can resolve the root (pun intended) problem.

He allows FTP access without encryption??????
Not merely allows it... practically requires it. I didn't even know SFTP was available until I stumbled across the fact on another blog while researching this problem. My reaction is about the same as yours, although I confess that I shrugged it off until we started having problems.

In any case... you can not solve the issue without having root access to the host machine...
That's pretty much what I wanted to confirm. It sounds like the only thing I can do on my own initiative is demand SFTP access, and I can't even get it without the host's cooperation.

One more thing... you mention that you are thinking about going for a dedicated box. Do you have the means of securing & administrating this properly?
No, we most certainly do not. That is what has deterred me from recommending it up to now.

If we do go to a dedicated server, we need to find another host who will provide one while retaining responsibility for system management. I recognize that that implies the host will retain a great degree of control... we can't expect them to be responsible for system management if we have authority to fool around with the HTTP server's configuration and such. That's not a problem for us... lack of security, and lack of ability to control things like php.ini, are problems.

...check the time stamp on the script to see when it was modified if possible.
I did that, and found that the break-in was not logged. I infer (but cannot prove) that it was not accomplished through FTP.