FTP could be another hack, Gumblar works on the princple that the file download offered (usually a pdf) is the infection point and what steals passwords and logins to FTP and then logs in, grabs the index page, modifies it and then uploads back to the server.
(SO go now, change your login to your server, if that cures it, then consider moving all your development to a separate user account on your computer and keep one user account for web surfing, etc. Safest policy if you work on one machine but also surf from it)
check with the web host company that they have not done this or if the server has been compromised by a new client, etc. Poor back end security and a buggy PHP and SQL all go miles to helping the hackers.
Check what PHP and SQL versions your running on. Your hosts running PHP < 5.0 then you possibly are being hacked through PHP itself from a known security bug that allows for server-side hacks to be made. MySQL is another technology that people will hack and inject data in to if they find hackable or exploitable PHP installs.
So start asking questions of your host and if they have any server-side firewalls, I am not talking about what is on the outside but internals, do they have a firewall policy between servers and networks connected to them or are they an eggs in one basket host? (in it for the money)