I’ve cleaned it up, and just want to first, share the info, and second, share some great info Dreamhost support and abuse/security team got me. We determined the ftp/sftp password was compromised somehow, because upon specific request they got me the logs of ip addresses and connect times for (s)ftp and ssh. Very useful info, and it pinpointed the security breach! The times an unknown, out of town, ip accessed ftp matched the times on the hacked files! It was a poor password, so could have been a dictionary attack, or since we have half a dozen people who need access, it could have been a compromised user machine.
In any case, THANKS dreamhost, for the detailed log info. It really helped pin it down.