The article mentions a compromised user account so the attackers were probably able to just upload files directly through the compromised hosting account. Plus what's interesting is they don't mention the server itself being compromised. I'm wondering if this was a permissions issue that allowed the attackers to traverse directories on the server to the other hosted sites.