With what do you support that conclusion?

To write a file as nobody:nobody to an open directory on a file system with a web server on it only requires a single insecurity in a web script (.cgi - whatever that means, .php, or anything else that responds to remote input). To assume that this came from an oob source requires a slightly higher level of sophistication.

I am not saying it could not be from an oob source, just that the liklihood of it coming from an insecurity script is much better than an oob source.

Until more information is available, however, this is all just supposition.