I don't know whether it was a Drupal issue: I was running 6.14 and had a couple of modules that were one step behind on upgrading, but nothing that seemed too dangerous. All vistiors to my site are anonymous and can't upload any files etc.
Most probably your FTP account credentials were compromised. That's what I would guess. Or the server itself.
Is there anything I can do on a production site to make sure this doesn't happen again? Without knowing where the attack came from I'm a bit concerned. Would copying index.php to (say) front.php, get htaccess to use that as the default page, and create a dummy index.php fool an automated attack? Probably not.
Probably would actually. I'm not much of a hacker but I doubt they are that sophisticated.
Alternatively, does anyone know of a good monitoring service that would text me if a page on a site changes, so at least I know straightaway if this happens again, rather than it being up over a weekend.
http://acquia.com/ http://drupal.org/project/nagios
HTH