How have you restricted to a single IP? Even if you have, there are some nasty things out there that could take advantage of holes in PHP via Moodle ... remotely, requires no login/pass, etc. Dunno how accurate or current, but see: http://bit.ly/17Uynus
Version of Moodle?
Have you checked for the existence of non-Moodle PHP scripts in the moodle code folder or other web-accessible folder/directory?
And what is the behavior/appearance of the hack?
'spirit of sharing', Ken
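
One way to run the check for non-Moodle PHP scripts mentioned in the post above, as an added example that is not part of the original post: compare the live code folder against a freshly unpacked copy of the same Moodle version. The function name and both directory paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list PHP files in a live Moodle
# code folder that are absent from, or differ from, a clean reference copy of
# the SAME Moodle version. Both paths are supplied by the caller.
#
# Expected noise: config.php is created per site (the distribution ships only
# config-dist.php), and installed third-party plugins are not in the reference
# tree. Both show up as EXTRA and still deserve a manual look.

extra_php() {
    live=$1    # web-accessible Moodle code folder under suspicion
    clean=$2   # clean unpack of the same release (assumed trusted)

    # Walk the live tree with relative paths so they map onto the clean tree.
    ( cd "$live" && find . -type f -name '*.php' ) | LC_ALL=C sort |
    while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            # Not part of the distribution at all.
            printf 'EXTRA %s\n' "$f"
        elif ! cmp -s "$live/$f" "$clean/$f"; then
            # Shipped by Moodle, but the content has been changed.
            printf 'MODIFIED %s\n' "$f"
        fi
    done
}

# Run directly as: sh check.sh /path/to/live/moodle /path/to/clean/moodle
if [ "$#" -eq 2 ]; then
    extra_php "$1" "$2"
fi
```

The same function can be pointed at any other web-accessible directory, where every PHP file will be reported as EXTRA if the reference copy has no counterpart.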