I don't know what to say. This is the first time that this has occurred to my knowledge, and might have something to do with the way you had your particular site set up. Where, for example, do you have your moodledata folder? What are the permissions on it?
It's good that you have copies that you can replace. That will solve the problem temporarily, but will not prevent future attacks, however.