Before replacing the compromised files with a fresh copy, anyone hacked should save the old files via tar or zip. It's important to save the exact timestamps on the files. Also, take a note of the exact last modified time on the hacked file. It would be wise to save your web server logs from that time, at least 20 minutes before and 20 minutes after.
As Howard said, this indicates improper permissions on the files, allowing the web server to write to them (or suexec, which permits any visitor to edit any file on the site). Along with permission to edit the files the attacker must have had a mechanism to do so, probably a flaw in Moodle. That second part, the mechanism, is something the Moodle community should address.
Victims can compare logs and a pattern should emerge with some hints as to where the flaw is. If anyone has POST logs, that would probably be immensely helpful.
PS - I said it' most likely a Moodle flaw. It could also be that all victims were also running some other package like Wordpress or Joomla and the flaw providing the mechanism is in that other package. Comparing server logs would prove or disprove that.