If the server is configured properly, then 777 is fine. If your configuration allows lowering it to 755, that's fine too. If the attack was caused be some other vulnerable script on your account, having it at 755 wouldn't have helped. If there are no other scripts and files are still being written, then your host needs to look into it as files are probably being written across the entire box. Without looking at logs, everything at this point is pure speculation and should be treated as such. As with all incidents, please continue this discussion in the Incident Tracker
if you have further questions.