I had checked all my crons, but I didn't see anything suspicious... maybe it is a bug in ISPConfig, I don't know.
Possible of course, but not that likely as there are no known bugs. Check your logs to see if someone logs in with FTP or SSH. Do the sites where the pages get modified have anything in common, e.g. the same CMS installed in the site? Have you updated your phpMyAdmin? There was a bug some months ago which was used to infect servers. Also, do you have all updates of your Linux distro installed?