What I meant was this:
Neither fixing the defaced files nor replacing them is patching the security hole. The issue occurs because your PHP/CGI does not replace all '<' and '>' with their HTML entity counterparts (&lt; and &gt;) in dynamically generated text when generating HTML output. If your PHP/CGI has implemented this, even though people try to inject script sections into your HTML files, they will not become executable JavaScript and at least the attack is not successful because browsers will not treat them as script and execute them (people will see some strange JavaScript code on the page, but you should be monitoring such, right?).
Try searching online for more information on JavaScript injection. There are many patterns for these kinds of attacks.
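
The output encoding described in the post above, shown as an added example (not code from the original post). The helper and function names and the sample input are hypothetical, and the helper goes beyond '<' and '>' by also encoding '&' and both quote characters so the same call is safe inside quoted attributes.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode untrusted text before it is written into HTML.
function h(string $text): string
{
    // ENT_QUOTES encodes " and ' in addition to <, > and &.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// "Before": dynamic text is concatenated into the page unchanged,
// so any markup in $body becomes part of the document.
function render_comment_unsafe(string $author, string $body): string
{
    return '<div class="comment"><b>' . $author . '</b>: ' . $body . '</div>';
}

// "After": every dynamic value is encoded at the point of output,
// both in element content and in the quoted title attribute.
function render_comment_safe(string $author, string $body): string
{
    return '<div class="comment" title="' . h($author) . '"><b>'
        . h($author) . '</b>: ' . h($body) . '</div>';
}

// Regression check for templates: true if the rendered HTML still
// contains a literal script tag that came from the dynamic input.
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed sample input (not taken from any real incident).
$author = 'guest" onmouseover="x';
$body   = '<script>/* injected */</script>';

$unsafe = render_comment_unsafe($author, $body);
$safe   = render_comment_safe($author, $body);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";

// The unencoded page carries a live script tag; the encoded one does not.
var_dump(contains_raw_script($unsafe)); // raw markup reached the page
var_dump(contains_raw_script($safe));   // markup was rendered as text
```

Encoding belongs at output time, on every dynamic value, so stored data stays unmodified and each template applies the encoding that matches where the value lands.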