Your welcome Luca!
I wouldn't necessarily blame Moodle for the hack. Its possible that a shell script could have been uploaded to your server that allows access through a base64_decode control panel. The file could have been uploaded to a directory thats outside of the Moodle installdirectory . The hacker would be able to add malicious scripts anywhere on your server.
If you can contact your hosting company, they should be able to scan your files through shell and find hacks. This is common request at InMotion hosting. Wordpress is infamous for having hacks uploaded to the server due to out of date themes or plugins being used with a newer version. I hope you can get the hack removed.