Sites hacked - what now?

I run a number of websites on a shared hosting account. On three separate occasions the sites has been defaced (replacement of the index file) by three different groups.

My questions is, how do I track how the hacker gained access and pinpoint the area of entry, so that I can do something about it?

The sites that are defaced are all accessible using one FTP account - other sites I run that aren’t accessible through that account aren’t defaced. It’s not a password issue since I have changed the FTP password on multiple occasions with no luck.

Also, I found files named “robert_you_suck” ( ) on the FTP, which has been uploaded by an unauthorised party.

EDIT: Found more files that have been uploaded. They all originate from a folder where Joomla is installed.

Any advice on where to get started on putting a stop to this is much appreciated.

The wiki has some information: