my friend's website got hacked somehow. The index.php page got inserted an extra line of javascript, which redirect the page to another website. The index.php is just a text file not managed by any CMS. he has changed all ftp/ssh user password. Somehow this is still happening.
Any hint on what might be the cause?
The website in question has a vulnerability, which keeps getting exploited. Your friend should check the access logs at the time of index.php's modification time, and find which scripts are vulnerable, and fix them.
It's pretty hard to sure that the server is no longer compromised.... So unless you re-install there is no certainty that the hack was removed (The absence ob evidence is not evidence of absence).
What type of server is ? If linux I would recommend creating a statically linked lsof on another machine and then run to see if you find a suspect process that might be replacing the file from time to time ...