Happened to one of my sites once. The idiot didn't even hack my site, he just used some script from some other site that made it possible to edit my files.
I had my site set up so the address bar determined what pages would be opened (e.g. "http://whatever.com/?page=blah"). He just replaced blah with the whole URL to his script. I fixed it in like 2 secs, by appending "./" to all pages before showing them on the site. That way nobody can do the same thing to it again.
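
An added example, not code from the post or the site it describes: one way to turn a ?page= value into a file to show, going beyond the "./" prefix by accepting only plain page names and confining the lookup to one directory. The site's language is not stated in the post, so Python is used; the pages directory, the ".html" suffix, the name pattern and the sample values are all assumptions.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Assumption: page names are short slugs; anything else is rejected outright.
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_page(pages_dir: Path, page: str) -> Optional[Path]:
    """Map the ?page= value to a file inside pages_dir, or return None."""
    if not PAGE_NAME.fullmatch(page):
        # URLs, slashes, dots and empty values never reach the filesystem.
        return None
    root = pages_dir.resolve()
    candidate = (root / (page + ".html")).resolve()
    # Resolve symlinks, then require the result to still sit under the root.
    if root not in candidate.parents or not candidate.is_file():
        return None
    return candidate


def demo() -> dict:
    """Run constructed ?page= values against a throwaway pages directory."""
    with tempfile.TemporaryDirectory() as tmp:
        pages = Path(tmp) / "pages"
        pages.mkdir()
        (pages / "blah.html").write_text("<p>blah</p>")
        # A file that exists on disk but outside the pages root.
        (Path(tmp) / "config.html").write_text("outside the pages root")
        samples = [
            "blah",                               # normal request
            "http://example.invalid/script.txt",  # full URL, as in the post
            "../config",                          # relative path out of the root
            "missing",                            # valid name, no such page
            "",                                   # parameter left empty
        ]
        return {s: resolve_page(pages, s) is not None for s in samples}


if __name__ == "__main__":
    for value, served in demo().items():
        print(f"{value!r:40} -> {'served' if served else 'rejected'}")
```

A None result should map to the site's normal "page not found" response, so a rejected value and a missing page look the same to the requester.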