Then there is possibly a root type script (c99,r57 are just 2 there are many more) on the server, or one or more of these scripts on your sites that is allowing the hacker to sit at his computer and do as he wishes (server and all sites show up as a drive on the hackers computer. No passwords needed) with your sites/domain(s) or with the server. There could also be a cron job setup to make certain hacking edits/additions to your site.
You need to inform your host of the issues your having and the possibility of a root type script on the server. Just asking a host about an hacking issue with their servers will get nowhere. They will give a standard boilerplate answer of nothing is wrong with our stuff. This is what you already got in response, so don't ask; tell them there is an issue and a possible root kit installed on the server somewhere and they need to check their server for one. Certain hosts have had this issue a number of times in the recent past.
Your going to have to password protect the public_html directory of every domain and/or site under your account to start with. This may slow down or possibly stop the issue if it is an external access until you can fix it properly.
You must go through every site and delete every file and replace every file with known good ones. as the first point below suggests and security checklist 7 suggests. You should also check for cron jobs running assisting in the hack and you should make sure anonymous ftp is not enabled.
[ ] Delete all files and directories in your Joomla installation area which would be your public_html directory.
Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted in files and directories and or any added files or directories (may or may not be hidden within legitimate directories) not associated with your site.
[ ] Review Vulnerable Extensions List
[ ] Review and action Security Checklist checklist 7
to make sure you've gone through all of the steps.
[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.
[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.
[ ] Use proper permissions on files and directories. They should never be 777
, but ideal is 644 and 755
[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).
[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.
[ ] Ensure you do not have anonymous ftp enabled