My friend's website got hacked somehow. The index.php page had an extra line of JavaScript inserted, which redirects the page to another website. The index.php is just a text file, not managed by any CMS. He has changed all FTP/SSH user passwords. Somehow this is still happening.
Any hint on what might be the cause?