Our cPanel server was hacked with a code injection attack, and after killing any extra ftp accounts I discovered that the hackers were using the ftp account that is automatically created by the Site Backup provided by GoDaddy through Dropmysite. I deleted the Site Backup FTP account and the attack stopped, and I turned off backup of all my directories.
However, site backup still re-created the ftp account and the attackers came in through it again. I deleted it again and stopped the attack again, but I had to get GoDaddy to remove the site backup service from my account before Site Backup would stop re-creating the ftp account and allowing the attackers in again.
Obviously the attackers know the password scheme that Site Backup uses for their automatic ftp accounts.
The attack vector they are using is a stealth PHP code injection attack. I would advise anybody using Site Backup to immediately check your site. Look at the PHP files, especially index.php files if you see a bunch of Base64 code using the eval construct that is usually what is in the index files... other variations in other php files, then your site has been attacked.
GoDaddy was not real helpful, they suggesting I subscribe to their site protection service....