First, run a WinMerge compare of your master file against the 404.php which is online (download to a different directory, of course). That will show exactly where any and all differences are.
Okay, your 404 is simple enough that all you need to do is LOOK at the code of the 404.php script you download. The <script> at the beginning does not belong there and is a hack which is using your website to send SPAM around the world (your host should have picked up on this already and disabled your account).
Anyway, if you find evidence of a hack (like scripts which you did not put in the files),
1. Immediately delete all FTP access except one (master for the account).
2. Change the master password (cPanel and FTP) to a VERY STRONG one using an http://strongpasswordgenerator.com password of sufficient length.
3. Use maldet scans (on an Apache server) which find and report all forms of malware (viruses, worms and SCRIPTS which can cause problems). This will enable you to find and remove scripts which can be embedded in html, php and js scripts. Repeat the maldet scans until there are no files detected then add a CRON to run maldet scans on a regular basis. Be aware that recovery will primarily consist of DELETING all html, php and js files and replacing them with originals (from your master copies).
4. Additionally, I use a CRON to SHA1 hash verify that files have remained unchanged over the last xx hours for "peace of mind."
5. Database: If you are running WordPress or the like (database verification for admin accounts), create a new admin and delete all other admin records.
6. Uploaded files: Be sure to do a thorough check of any file uploaded to your website (I limit uploaded files to images and they are resized by GD before being saved to my "webspace").
7. Update all "canned scripts" (e.g., WP, Zencart, etc.) and be sure that they're kept updated in order to prevent further attacks via security problems discovered in those scripts.
There is a place for penetration testing (with a tool like BackTrack) but it is something best left to the sysadmins of your host (or a security professional if you own your server). In fact, you must not use those tools or techniques on others' servers because you will be identified as a hacker, your IP address will be blocked and you will be reported to authorities for prosecution. The anti-hacking laws are beginning to be enforced and you will (and should) be harshly punished.
The important point, though, is to get on it as soon as you see something amiss (like all your 404 requests).
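The hash check from step 4 could look like the following. This is an added example, not the poster's own script; it assumes GNU `sha1sum`, `find`, `sort -z` and `xargs -r`, and the function names, the `check.sh` file name and the manifest location are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): SHA-1 baseline and verify for web files.
# Keep the manifest OUTSIDE the web root so a site compromise cannot rewrite it.

# hash_tree DIR: print "sha1  ./path" for each html/php/js file under DIR, sorted by path.
hash_tree() {
    ( cd "$1" && find . -type f \( -name '*.php' -o -name '*.html' -o -name '*.js' \) -print0 |
        sort -z | xargs -0 -r sha1sum )
}

# verify_tree DIR MANIFEST: report drift from the baseline.
# Prints CHANGED/ADDED/MISSING lines; returns 0 when clean, 1 when anything differs.
verify_tree() {
    local dir=$1 manifest=$2 current rc=0
    current=$(mktemp) || return 2
    hash_tree "$dir" > "$current"
    awk '
        { h = substr($0, 1, 40); p = substr($0, 43) }   # 40 hex chars, two spaces, path
        FILENAME == ARGV[1] { base[p] = h; next }        # first file: trusted baseline
        { seen[p] = 1 }
        !(p in base)  { print "ADDED   " p; bad = 1; next }
        base[p] != h  { print "CHANGED " p; bad = 1 }
        END {
            for (p in base) if (!(p in seen)) { print "MISSING " p; bad = 1 }
            exit bad
        }
    ' "$manifest" "$current" || rc=$?
    rm -f "$current"
    return "$rc"
}

# Usage: check.sh baseline DIR MANIFEST   (run once against the restored master copies)
#        check.sh verify   DIR MANIFEST   (run from cron; cron mails any output)
case "${1:-}" in
    baseline) hash_tree "$2" > "$3" ;;
    verify)   verify_tree "$2" "$3" ;;
esac
```

Build the baseline only after the files have been replaced from the master copies, and rebuild it after every legitimate update so the cron run stays quiet unless something actually changed.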