January 18th, 2012, 07:09 PM
#5
Junior Member
Some additional notes.
I looked up DNS poisoning, and it's certainly possible, but it's not clear how I'd diagnose it or fix it. I don't even know how to find out what DNS server would be involved. The hosting service is large, and may well operate its own DNS server, which would explain why I'm having problems with two different domains on the same host. Again, though, it's not clear to me how DNS poisoning could lead to modified files in my address space.
I couldn't find any clear references to "back shell," but there were references to "connect-back shell." I gather that's a shell that automatically connects to a user when it's started. I don't think there is such a thing on our server; we're not supposed to have shell access at all, so I'm quite sure there isn't supposed to be!
All of these break-ins look automated to me: a little code was appended or prepended to index.php or .htaccess. There's no indication that a human hacker has ever looked at one of our sites. That's consistent with my belief that nothing like a call-back shell is involved.
Up until now I thought the host simply did not support secure FTP. I just discovered that they do, but it's disabled by default -- you have to request them to turn it on. We'll be doing that, if we stay with the host long enough for it to matter!
Last edited by Orthoducks; January 19th, 2012 at 03:03 PM.
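
Added example, not part of the original post: one way to check for the pattern described above (code appended or prepended to index.php or .htaccess) is to compare the live files against a known-good copy and report what was added. The function names `classify_change` and `audit`, the file contents and the placeholder injected strings are all constructed for illustration.

```python
import hashlib

def _norm(data):
    # FTP ASCII-mode transfers rewrite line endings; normalise so that
    # difference alone is not reported as tampering.
    return data.replace(b"\r\n", b"\n")

def classify_change(clean, deployed):
    """Return (verdict, added_bytes) for one file against its known-good copy."""
    clean, deployed = _norm(clean), _norm(deployed)
    if deployed == clean:
        return "unchanged", b""
    if clean and deployed.endswith(clean):
        return "prepended", deployed[:-len(clean)]
    if clean and deployed.startswith(clean):
        return "appended", deployed[len(clean):]
    return "modified", b""  # the original content itself was altered or replaced

def audit(baseline, live):
    """Compare every baseline file with the live copy; flag unknown files too."""
    report = {}
    for name, clean in baseline.items():
        if name not in live:
            report[name] = ("missing", b"", None)
            continue
        verdict, added = classify_change(clean, live[name])
        report[name] = (verdict, added, hashlib.sha256(live[name]).hexdigest())
    for name in live.keys() - baseline.keys():
        report[name] = ("unexpected", b"", hashlib.sha256(live[name]).hexdigest())
    return report

# Constructed sample data (not taken from the thread).
BASELINE = {
    "index.php": b"<?php\nrequire 'app.php';\n",
    ".htaccess": b"RewriteEngine On\n",
    "about.php": b"<?php echo 'about';\n",
}
LIVE = {
    "index.php": b"<?php /* CONSTRUCTED-INJECTED-BLOCK */ ?>" + BASELINE["index.php"],
    ".htaccess": BASELINE[".htaccess"] + b"# CONSTRUCTED-INJECTED-RULE\n",
    "about.php": b"<?php echo 'about';\r\n",  # differs in line endings only
    "x.php": b"<?php /* CONSTRUCTED-UNKNOWN-FILE */",
}

if __name__ == "__main__":
    for name, (verdict, added, digest) in sorted(audit(BASELINE, LIVE).items()):
        print(f"{name:10} {verdict:10} {added!r}")
```

In practice the baseline would come from a local copy of the site that was never uploaded to the host, and the live copies from a fresh download.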