Security hole with 2.0.4?

I’ve been running a small personal blog site for the better part of 10 years, and have never had any security-related problems. Last year I converted over to WordPress, currently updated to 2.0.4. Today when I pulled up my site, I saw this page:

http://steveperkins.net/index-old.php

I immediately figured this was because I got lazy and left my theme files writable, so I could edit from from the admin interface (that feature should just be removed, it’s asking for trouble!). I restored the “index.php” from backup to my theme directory, and set everything there to read-only again.

However, I did some further poking around and found that the “index.php” files had been overwritten for the themes that I was not using… even though those files were NOT set with writable permissions! I’m not sure how that happened. Are there any known issues with 2.0.4 that could be exploited to overwrite theme files?