Javascript Injection

I have an unmanaged VPS and limited experience of server administration. I have had it for over 12 months and in that time I have learnt a lot but of course there is so much more I don't know. I assumed that when I got the server, it would be supplied with all the security holes plugged and would be ready to go. During my learning period I have read about and implemented numerous fixes and thought I had this server thing licked but this is not the case. Recently, a couple of my sites had all the .htm pages overwritten and a javascript redirect inserted. I done quite a bit a reading about this and in most cases, a rogue or poorly written form script is to blame. I suspected this to be the case at first, but the latest one to be hacked does not have any form scripts and only uses a Perl script for serving a randomised image display. Root access is turned off and I change the FTP passwords regularly and they are always auto generated. I am the only person with access to the host machine and it is checked regularly for viruses, malware and other such nasties. Please be gentle but how do I set about tracking down how an outsider can over write files on what should be a fairly secure server?