Do you by chance have the forgebox module installed?
If you can get a date/time created on those files, you may be able to match it against web server logs to see what kinds of requests came in around then.
I wonder what the chance is that someone else on the shared host is the attach vector, and the hackers were simply able to access the entire file system.
ColdBox Platform Evangelist
Ortus Solutions, Corp