[yogo]

Is the site hosted on a shared hosting plan? I've seen similar attacks to this on GoDaddy and HostGator where all evidence seems to suggest that it was either via ftp access or compromised cpanel. Cpanel was definitely compromised on hostgator several weeks ago.

[t0]

It's almost always the result of password guessing. The code injection happens after they get in and isn't really relevant to the attack.