Hi Eli -
Well it took longer this time, but the hack is back. I went into the root directory and removed these files:
h-s.txt
s-g.txt
starting.php
Then I deleted the .htaccess file & regenerated the permalinks. After that I changed permissions on .htaccess from 640 to 440, although if the hack script is writing as "owner" maybe they have code to change the permissions back to 640 if they need to.
Would you please take another look at this to see why this continues to occur?
Mahalo,
Cynthia