What exactly do they do to your site?
If they place new files, check the timestamp of those files, then go through your webserver logs to check the activity around that timeframe. That might give you a clue on how they exactly do it.
Nobody has your admin password(s) by any chance? Did you change them after a restore? Same for your FTP password?
0 replies