Javascipt injection

[Craigii]

Not sure if this is the right forum, but my pages are written in ASP. I am really stuck on this one. My pages are locked down against SQL injection, but every 4-5 days a javascipt include keeps getting added to my pages. The strange thing is that it is physically on the page, not in the database. I have changed all passwords, so that can't be it and it is happening on more than one server. The script link that it creates is to a malicious site, but not the same one everytime.

Does anyone know how I can prevent these types of injection? How are they adding it to the physical page?

 

[BigRed1212]

Somebody's robot coming in through FTP?

Are all the servers hosted at the same place?

 

[Craigii]

They are hosted at the same location, but the sites are on different servers.

 

[MarkZK]

Same passwords/usernames for each site ?

 

[Craigii]

No. Different ftp usernames and passwords for each server. It only seemed to be on one server, than they got the other one last night.

 

[MarkZK]

Are they high traffic sites ?, also, are you hosting at a reputable, well established, trusted host ?.

The fact that the script tag is being physically added to the asp page would make me start asking the host questions, ask for FTP logs for your sites.