Iīve got 4 old websites in classic ASP. I recently found out that some files on the websites have had spam links (I think itīs some chinese links) added in the file for several months.
They are all on the same hosting company and they all got these links added on the same date.
The websites does not use any CMS like Joomla or Wordpress.

The code is protected against sql injection by clng and by the use of replace for some characters.
One of the websites have no forms at all except for the administrators login form.
The others only got contact forms where the content is e-mailed, not stored in the mysql database.

There are no page where the content entered in a form is written out on the screen. Itīs only used to send the contact e-mails and to check if the login in correct.

The links was added in the files, not injected in the database.

More than 90 days passed so I canīt see anything in the ftp logs.

How can this be possible?