Well, you really do need to find the source of the intrusion. It's possible, but not always easy. A log file is probably going to be your best bet. The software you're running on the server could have been susceptible to an attack, such as SQL injection. It's really far more common than most people think. Alternatively, but less likely, the intrusion could have come in from the network level.
I would start by checking the FTP logs. Given that those were the only files to go and the database was left in-tact, there's a good change your FTP access was compromised. Even if you change the FTP passwords and the system is vulnerable, the hacker could find the FTP credentials and simply start all over again.