index.php hacked into

Re: index.php hacked into

by Mauno Korpelainen -
Number of replies: 0

I suppose that your site was hacked using the same method as some thousands of other sites during the past years, but with fresh code - http://moodle.org/mod/forum/discuss.php?d=139382 - and the settings, passwords and permissions of your site should be checked right after upgrading... If you use in Google your site name with some selected words like hack, buy etc. you might find some links and the folder where the attackers have placed the attack files - like Tim said, it is not usually just one file (index.php) that has been hacked. Usually there are a couple of attack files in some new folder that does not belong to the original moodle (if you had the same fresh version of moodle somewhere you could compare the files and folders with some tool like WinMerge to find the new folders and files). In step 2 the attackers start using your site for spam and then you may get some hundreds of new files and a lot of new traffic in your site logs.

The upgrading process depends on your current way of installing - if it is not a CVS install you can download the needed files from http://download.moodle.org/ or http://download.moodle.org/stable19/ (older versions) and read also http://docs.moodle.org/en/Upgrade . Basically you can simply rename your current moodle folder to something else (unless it is the root folder or a CPanel install), add or rename the new unzipped package to your old moodle folder and copy the old config.php (+ old theme & custom activities if they are checked and clean) to your new moodle folder. Then go back to your moodle site, log in as admin and press Notifications, or go to http://yoursite/admin/index.php if upgrading does not start automatically. Take backups before upgrading to be able to revert the changes if something goes wrong. If everything looks normal you can then delete the old files of moodle 1.9.4 from the renamed folder - and most likely also the hidden attack files with them.

Upgrading moodle with CPanel can cause some trouble, but start from http://englishforum.sgu.ac.jp/moodle/mod/resource/view.php?id=387

Note that if the attacker has a functional c99madshell in use (on your site/server) he/she can also change the permissions of files the same way as you can do it yourself through other file managers, & the attacker has access to all of your files, and therefore it is essential to get all the extra files cleaned, not just upgrade moodle - or the attacker can come back any day he/she wants.

Read also this report carefully: http://docs.moodle.org/en/Security_overview

EDIT: and one more note - if your site has some other CMS like Joomla or WP it's good to note that any (php) files on your site may be injected, not just the files of moodle... the original attack could be done (and often is done) using any security hole in any program on your site.