Account Compromised

I have an empty account that got random PHP-files last two days. The only thing the account was used for, was redirecting visitors (a index.shtml) file only. So the /public_html contained only one file. So, there was no PHP-scripts on any files on the web-area that could have been hacked.

I'm using CageFS as well, so no other account should be responsible. The uploaded files has correct owner/group for the account. The uploaded files has been used in emails (links to PHP-files they have uploaded).

I removed the dir just to test and then they was able to upload again.

The only method that this should work, is if they have guessed the password and uploaded content. But I don't find anything in the logs to support that? What could possible be the cause of this or how can I best go forward? If the home-area had any script-files, I would just assume the scripts has security holes. But luckily in this case, there was none. So that narrows it down a bit.

• CLOUDLINUX 7.3 x86_64 standard
• cPanel & WHM 64.0 (build 18)

 

Update: I found that it was in fact used FTP to login. So somehow, they knew that info.