An FTP hack and a script hack are two completely different animals.
If someone is uploading material via FTP that are not authorized by you, then this means someone has access to your webhosting login information. How they got that information is unknown. Usually this means that you have malware running on your computer, either searching through the files on your computer for anything that would mention your username and password (an email, an FTP site manager, etc) or you have a packet sniffer installed on your computer, or perhaps somewhere on your network.
Since you said you are running Linux, I would think this would minimize the malware threat. I’m not aware of any such malware like this that runs on Linux, but that doesn’t mean Linux is infallible.
Are there other computers that have your login information stored on them? Perhaps one of those computers is infected.
What some people don’t realize, is that their own computer can be completely safe and completely free of any virus or malware. But if you log into your account from a public wifi hotspot, or at a public library, or any where else, the security of those areas has to be called into question. You’re computer might be safe, but if you access your FTP account from a library terminal that is infected with malware, then that can steal your information.
A script hack means that an outside visitor, someone accessing your website from the Internet, has taken advantage of a security hole in a script on your account.
From what you have posted in the logs, it looks like someone is trying to exploit your guestbook using the admin.php remote file include exploit - CVE - CVE-2007-1486 (under review) - which was fixed in version 1.7.3. The information you posted from the logs just shows that they are attempting to exploit this. It doesn’t necessarily mean that they are successful. If you are using version 1.15, you should be clear of this exploit. But again, this doesn’t mean that there isn’t another exploit in the script, but I don’t see anything being disclosed. Lazarus Guestbook is up to version 1.16 but it is in beta, so 1.15 should be safe of any KNOWN threats.
The only time these two types of exploits can be combined is if you have a script vulnerability that allows a malicious user to read the files on your webhosting account. And if you are using the same username and password in your script’s config files for MySQL access as your main webhosting account login, then those malicious users can steal that information and then log in via FTP.
You haven’t stated if you are using cPanel or not. I come from a cPanel background, so I will use it as an example. This may not apply to you if you are not using cPanel.
If you have a config file for your script and if the script uses MySQL databases. If, in that config file, you use your main FTP username and password, then a malicious user that exploits the vulnerability in your script (assuming that a script on your account is vulnerable), then that person can read this information and then access your account via FTP. Because all that is needed for FTP access is a hostname (your domain name, which they obviously know) and a username and password (which was stolen from the config file).
With cPanel you can create separate MySQL username and assign them passwords. The MySQL username that is created will have your main username appended to it (in order to keep MySQL usernames unique in a shared hosting environment) so if you create a new username, but reuse your same password, then again all of this information is made available to the malicious user that exploited your site.
Bottom line, always use a MySQL user for accessing your MySQL database, and never reuse your main account password.
Worth mentioning, the config file routine is not the only way a malicious user can glean information. If a malicious user gains access to reading the files on your webhosting account through a script vulnerability, then they could conceivably read any email that might also be stored on your webhosting account. If your login information is stored there, then again this information can be stolen.
I would be more concerned with how these IP addresses are getting your FTP information to log into your account. I assume you are using a strong password, something that is not hard to guess, in that case you have a vulnerability somewhere. Either on your computer, on a computer, or in a script on your website. You would immediately need to change your password, and tell nobody what the new password is. Don’t log into your account from any other computer, and note if you have to change any configuration files because of this updated password. If your FTP account is compromised again, then this will help narrow down which computer or which system is vulnerable.
It is possible, although highly unlikely, that your webhosting provider has been hacked and someone may have root access on the server. I say unlikely because your host should be seeing a number of infected websites on their server if they have been rooted. And generally a rooted server is not used to upload malicious links like you have stated. If someone has root access on a server, then they can do anything to that server, including deleting everything.