Thanks for this: I've signed up for Sucuri and a few other services to try and get a quick alert if this happens again.
Luckily, it seems that as I was running Boost, people only saw the cached static HTML files and at no point hit the defaced index.php, which explains why it took a while to notice.
I'm pretty sure now it was an FTP attack and nothing Drupal related: I'm running Kaspersky which didn't pick up anything, but Malwarebytes' Anti-Malware picked up memman.vxd which looks like a Trojan. Icky.
Hi David,
You asked for a monitoring solution that will alert you if your site is modified or gets hacked/with malware.
You could try http://sucuri.net. That's exactly what it does :)
As for your malware problem, we are seeing a large number of desktop viruses stealing FTP/SFTP credentials stored on FTP/SFTP clients. Have you changed your password? Are you running a good AV as well?