The only way to block it is to track it down. If they are changing files that are 0644, then it really doesn't sound like a normal web-based exploit, as those can only overwrite files that they can actually write to.

So that sounds like it's possibly coming via FTP, could be your cPanel or direct access to the server.

Really the only thing you can do is try and figure out where it's coming from. Timestamps are invaluable. You need to compare those timestamps with your FTP access logs if you can get a hold of them.
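One way to do the timestamp comparison described above, as an added example that is not part of the original post. It assumes the FTP daemon writes the common xferlog format; the log lines, paths, addresses, and mtimes are constructed, and all function names are hypothetical.

```python
import os
from datetime import datetime, timedelta

# Constructed xferlog-format sample (assumed log format; IPs are documentation ranges).
SAMPLE_XFERLOG = """\
Mon Mar 10 14:22:31 2014 1 203.0.113.7 5120 /home/site/public_html/index.php a _ i r site ftp 0 * c
Mon Mar 10 14:25:02 2014 1 198.51.100.4 880 /home/site/public_html/style.css a _ o r site ftp 0 * c
Tue Mar 11 09:03:10 2014 2 203.0.113.7 7300 /home/site/public_html/wp-config.php b _ i r site ftp 0 * c
"""

def parse_xferlog(text):
    """Yield (time, host, user, direction, path) from xferlog lines."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 18:          # 5 date + 3 fields + filename + 9 trailing fields
            continue
        try:
            when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue               # skip malformed or truncated lines
        # The filename may contain spaces, so slice it out from both ends.
        yield when, tok[6], tok[-5], tok[-7], " ".join(tok[8:-9])

def disk_mtimes(paths):
    """Local-time mtimes of existing files (xferlog also records local time)."""
    return {p: datetime.fromtimestamp(os.stat(p).st_mtime)
            for p in paths if os.path.exists(p)}

def correlate(mtimes, log_text, window_s=120):
    """Return uploads ('i') to a changed file within window_s of its mtime."""
    window = timedelta(seconds=window_s)
    return [(path, host, user, when)
            for when, host, user, direction, path in parse_xferlog(log_text)
            if direction == "i" and path in mtimes
            and abs(mtimes[path] - when) <= window]

def unexplained(mtimes, hits):
    # Changed files with no matching FTP upload: the change came from elsewhere.
    return sorted(set(mtimes) - {h[0] for h in hits})

# Constructed mtimes standing in for disk_mtimes([...]) on the affected files.
SAMPLE_MTIMES = {
    "/home/site/public_html/index.php": datetime(2014, 3, 10, 14, 22, 32),
    "/home/site/public_html/style.css": datetime(2014, 3, 10, 14, 25, 2),
    "/home/site/public_html/.htaccess": datetime(2014, 3, 12, 3, 0, 0),
}

if __name__ == "__main__":
    for path, host, user, when in correlate(SAMPLE_MTIMES, SAMPLE_XFERLOG):
        print(f"{when}  {user}@{host}  uploaded  {path}")
```

Files returned by `unexplained` have no FTP upload near their modification time, which points the search toward the control panel, shell access, or a process running as the file owner.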