by juanrossi 4430 days ago
I used to work for a web hosting company and we saw this kind of attack ALL the time.

Most of the cases were because of old CMS versions, but in some others the computer uploading the files was infected and the FTP credentials were stolen (change your user/password and analyze FTP logs).

I would also check the database and do a clean install of the CMS.

The server could be compromised but I don't think this is the case.

1 comments

Best answer I've seen so far. The takeaway from the guys on the front lines is usually that a full server compromise is rare and that FTP creds were stolen from a client via malware. The result is a simple drive-by that is relatively easy to clean up.