rogerd - 5:16 pm on Apr 16, 2012 (gmt 0)
The intrusion seems to be confined to a single domain on that VPS. I had some work done on the site a few days before the files changed, and I'm guessing that there was some vulnerability on the coder's end. Even if he wasn't the source, he may have been hacked himself, had his login compromised, etc.
I deleted the coder's credentials once the work was complete and stable, but the intrusion (whether related or not) happened before that deletion.
Could be a coincidence, of course, and I don't rule out other possible hacks.