One of my clients' sites was hacked and a malware javascript was injected directly into the index file and other files. The site uses my own CMS which doesn't have a file manager portion. The database was clean.

The hacker actually managed to change the index.php file and the other page files.

How do they get access? I don't know what the CHMOD is on the root directory because I don't have FTP access to the server (I did, but this is a paranoid client and she changed the password right after I uploaded the site). Can a hacker access and change files if the permissions are set badly?