Everyone's jumping on Zapk, but - while I do believe it's him as well - we don't have solid proof he injected that code into Slayer.
The timing of his deleting index.php is suspicious, yes - but it could have been Greek2Me. He knows Slayer and would know what components will always be run when Blockland starts, and he knew the FTP password, even before Zapk deleted index.php. It could also have been any shunned or banned user who happened to stumble across the ftp.txt file at the exact wrong time.
Strictly speaking, it even could have been me. It wasn't, but I have no proof of that fact. It also could have been anyone else who knows how to code a doomsday bomb.