As was said before, the files, usually 4 PHP files named different things and an htaccess file, are placed in the directories. I've read about this today happening with phpnuke and other CMS; it makes your site or the albums URL redirect to various Russian search sites.
This is the content of the htaccess file that is in the directories:
Options -MultiViews
ErrorDocument 404 //home/modules/xcgal/albums/killer_thriller_party_2002/create.php
Each one differs with the PHP filename. I looked in the PHP file and it's just PHP code I don't understand.
I have protector installed and it was installed when this attack took place, but protector just isn't the protector, I don't think. It might protect against some SQL injections or high-loading bots, but it simply boils down to the fact that some folders within XOOPS have to be writable (chmod 777), which is just not secure.
Xoops = King Of CMS
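
A defender-side check for the layout described in the post, added here as an example (not code from the thread or from XOOPS): it walks a media upload tree and flags .htaccess files whose ErrorDocument points at a PHP file, PHP files sitting among the images, and world-writable directories. The function names and the `sample_album` directory are made up for the example, and the sample tree is constructed.

```python
import os
import re
import stat
import tempfile

# ErrorDocument directive whose handler is a local .php path, as in the post.
ERRDOC_PHP = re.compile(r"^\s*ErrorDocument\s+\d{3}\s+(\S+\.php)\s*$", re.I | re.M)

def scan_upload_tree(root):
    """Walk a tree that should hold only uploaded media and report
    .htaccess files with a PHP ErrorDocument handler, PHP files,
    and world-writable directories."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append(("world-writable-dir", dirpath))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == ".htaccess":
                with open(path, errors="replace") as fh:
                    for target in ERRDOC_PHP.findall(fh.read()):
                        findings.append(("errordocument-php", path, target))
            elif name.lower().endswith((".php", ".phtml")):
                findings.append(("php-in-upload-dir", path))
    return findings

def build_sample(root):
    """Constructed sample: one album directory laid out as the post describes."""
    album = os.path.join(root, "albums", "sample_album")
    os.makedirs(album)
    os.chmod(album, 0o777)  # the writable-folder condition the post mentions
    with open(os.path.join(album, ".htaccess"), "w") as fh:
        fh.write("Options -MultiViews\n"
                 "ErrorDocument 404 //home/modules/xcgal/albums/sample_album/create.php\n")
    for name in ("create.php", "photo.jpg"):
        open(os.path.join(album, name), "w").close()
    return album

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in scan_upload_tree(tmp):
            print(*finding, sep="\t")
```

Pointed at a real albums directory, any `errordocument-php` or `php-in-upload-dir` line is worth reviewing by hand, since an image upload folder normally has no reason to contain either.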