"How does someone place these files in my wp-content folder without me knowing or giving permission?"
Once you've granted "writable permission" to your content directory, anyone with the even the basic scripting skills can pretty much put anything they bloody well like there.
This is unfortunately quite a problem for most installations. If you're in a SHARED environment, you should check that your hosting provider (if they use Apache) is using the PHP directive "open_basedir" for ALL their virtual domains, assuming your website is running in a shared environment.
If your ARE in a shared environment, and your hosting people ARE using Apache but they're NOT implementing the "open_basedir" directive (usually via vhosts.conf), then you're asking for trouble because your 755 mask will NOT save you.
EDIT: I forgot to say that the reason I mentioned the "open_basedir" directive is because I STILL encounter hosting providers who don't bother to set it.