It sounds like you probably just need to change some passwords.. more than likely they were successfully brute forced via ftp and that's how the files/content is getting uploaded.. or you've got some CMS system that allows remote injections to put in malicious code from an outside source; i.e. an sql injection or a php array that's not structured correctly and is calling up HTML/Code from an infection source. Did you examine any of the files that it found to see what exactly they were doing and where they were getting the source data from?
__________________
21 G05 > 20 G05 > 17 G30 > 14 F30 > 08 E90
|