First, check the FTP transfer logs for index.php and check the IPs of the connections: are they from a foreign country like China, Russia, etc.? If so, change the FTP password, clean the site and malware-scan all PCs where the password was used/saved. It is quite common for malware to steal saved passwords or include a keylogger; the stolen passwords are sent to the intruder and used to make sites distribute/host malware. Also, remember FTP sends all passwords in plaintext, so don't use it on open Wi-Fi or other untrusted networks.
If that does not work, check the site for:
a) File upload scripts. Check for file paths/path validation. Also, check that the file type is really validated, not just the extension. Apache mod_mime has an insecure "feature", so files like evilscript.php.gif will be executed as PHP.
Ref:
"Care should be taken when a file with multiple extensions gets associated with both a MIME-type and a handler. This will usually result in the request being handled by the module associated with the handler. For example, if the .imap extension is mapped to the handler imap-file (from mod_imap) and the .html extension is mapped to the MIME-type text/html, then the file world.imap.html will be associated with both the imap-file handler and text/html MIME-type. When it is processed, the imap-file handler will be used, and so it will be treated as a mod_imap imagemap file."
Solution: disable PHP in directories where uploaded files are moved.
b) include|require (_once). They can be used for remote file inclusion, so an attacker can write a PHP script which will be executed on the server and can change/delete files. Look for something like include ($_GET | $_POST | $_COOKIE | $_REQUEST | $_SERVER)(.*?)
Solution: disable remote_fopen, if your site does not need them. Otherwise, do some proper input validation (which would be the sane thing to do :). Also, I suggest disabling register_globals.
c) Eval'ed user input / remote files. Remember that user input can reside in the database.
Also, check your site for uploaded backdoors, so-called "shells". The most secure thing to do is to restore from a known safe backup :)
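
An added example, not part of the original answer: a defensive Python scan of a webroot for the three things listed above, namely file names with a PHP extension before the final one, include/require statements that mention request superglobals, and eval() calls that do. The regexes, the finding labels and the sample files are assumptions made for this sketch, and the line-based matching is a heuristic that misses statements split across lines.

```python
import re
import tempfile
from pathlib import Path

# Superglobals carrying user-controlled input, as listed in the answer.
USER_INPUT = r"\$_(?:GET|POST|COOKIE|REQUEST|SERVER)\b"
CHECKS = {
    # (b) include/require(_once) whose argument mentions user input
    "include-user-input": re.compile(
        r"\b(?:include|require)(?:_once)?\b[^;]*" + USER_INPUT, re.I),
    # (c) eval() whose argument mentions user input
    "eval-user-input": re.compile(r"\beval\s*\([^;]*" + USER_INPUT, re.I),
}
# (a) a PHP extension before the final one, e.g. evilscript.php.gif
MULTI_EXT = re.compile(r"\.(?:php\d?|phtml)\.[^.]+$", re.I)
PHP_FILE = re.compile(r"\.(?:php\d?|phtml|inc)$", re.I)

def scan_webroot(root):
    """Return sorted (relative_path, line_no, finding); line_no 0 means the file name."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if MULTI_EXT.search(path.name):
            findings.append((rel, 0, "multi-extension-php"))
        if not PHP_FILE.search(path.name):
            continue
        text = path.read_text(errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            for label, rx in CHECKS.items():
                if rx.search(line):
                    findings.append((rel, no, label))
    return sorted(findings)

def demo():
    """Scan a small constructed webroot (sample files, not from a real site)."""
    samples = {
        "index.php": "<?php\ninclude($_GET['page'] . '.php');\n",
        "lib.php": "<?php\nrequire_once 'config.php';\n",
        "tpl.php": "<?php\n$x = 1;\neval($_POST['code']);\n",
        "uploads/evilscript.php.gif": "GIF89a",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_webroot(root)
```

Run `scan_webroot()` against a copy of the site and review each hit by hand; a match only means user input appears on the same line as the statement.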