Did you manage to find out how the initial exploitation vector was? That's the most important thing to figure out. If the hole isn't fixed properly you might just get pwned again.
The timing of these issues makes me think of the recent mod_cgi PHP command injection vuln:
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
I was discussing this earlier today with a colleague. Why run PHP as a CGI under *nix rather than a compiled so or compiled into the httpd? On Windows I can see it (FastCGI,) but on a *nix machine I just don't see an advantage.
