We've only had 1 security issue since 7.0 was released, which this patch addresses. So make sure you have that patch applied.

Any importer scripts should be removed after they have been used, so the entire importers directory can be deleted.

Usually if it's a PHP script that's causing the issue, then it's pretty easy to track down. What you need to do is get the timestamp of when one of the files was hacked. Using that timestamp, you can look through your webserver access logs for that same timestamp. You can normally see if there is some script being called in a peculiar way at that same time.

As far as being able to change the permission on files: if files are read-only and the webserver doesn't own them, then normally the only way you can change those is via FTP, domain control panel, or direct server access.
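Added example, not part of the original post: one way to do the timestamp correlation described above, assuming the access log is in Apache/nginx "combined" format. The log lines, IP addresses, script path and modification time are constructed for illustration, and `file_mtime` and `requests_near` are hypothetical helper names.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Combined log format: host ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (documentation IP ranges, hypothetical script name).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:14:03:10 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:14:07:41 -0500] "POST /importers/example_importer.php HTTP/1.1" 200 312 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2024:14:07:43 -0500] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:14:30:00 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
# Constructed modification time of the altered file, in UTC (14:07:42 -0500).
MODIFIED_AT = datetime(2024, 3, 12, 19, 7, 42, tzinfo=timezone.utc)

def file_mtime(path):
    """Modification time of a file on disk as a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def requests_near(log_lines, modified_at, window_seconds=5):
    """Return requests logged within window_seconds of modified_at."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        # %z keeps the log's UTC offset, so comparing against a UTC mtime is safe
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - modified_at) <= window:
            hits.append({"time": ts, "ip": m["ip"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"])})
    # List POSTs and .php requests first: those are the ones able to write files
    hits.sort(key=lambda h: (h["method"] != "POST", ".php" not in h["path"], h["time"]))
    return hits

if __name__ == "__main__":
    for h in requests_near(SAMPLE_LOG.splitlines(), MODIFIED_AT):
        print(h["time"].isoformat(), h["ip"], h["method"], h["path"], h["status"])
```

On a real server, pass `file_mtime("/path/to/changed/file")` as `modified_at` and feed in the lines of the access log covering that day. A modification time can be reset by whoever changed the file, so widen the window or check several files if nothing lines up.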