It occured to me that perhaps I should write something about how the hack happened. I actually have not dug into this seriously, but my old site did have a file upload function as well as a bunch of home-made comment posting facilities. I strongly suspect the file upload, especially since the majority - five out of seven - of the files were in the two directories the uploader could put things in. The last two files could even be false positives as they are totally out of the way of most other things.
I have packed all the things I downloaded away nicely, so I can always take a closer look in the future. Especially at that cron.php file which sure looks like a major enabler of other things. It would be fun to try and figure out what if anything someone hoped to gain by breaking in. I suppose an extra host in some nefarious network of one kind or the other seems a good guess. There sure is nothing up there worth stealing, and they clearly did not want to just mess around and sabotage stuff either. That makes it all more of an interesting thought experiment for me, and a good lesson learned in a minimally harmful and disturbing way.