How the darn are they able to list my /home?

http://forums.cpanel.net – One site on my cPanel got hacked through the web. I've closed all ports except 80 and 443 on an external firewall, so I'm pretty sure everything's executed through the web and not SSH. The hacker(s) created a directory called "a" inside the public_html folder for the user. Inside this directory I found a lot of automatically created aliases that matched other users from my /home/. I have mod_ruid2, so I don't understand how they managed to do this; I thought ruid2 locked the user to their /home? Also inside this folder I found three tools/scripts: Python: http://pastebin.com/Zqn6U4Vw Perl