Sucuri does scan files that are publicly acessible and not all files on server, for that you have to scan them via a malware scanner.
i can recommend http://virusscan.jotti.org/en & i have used it a lot of times. dont upload sensitive files like wp-config.php there though.
FTP and SSH are only accessible from my IP. All passwords changed.
this is good thing, but someone was still able to upload a file.i hope you have a Anti-Virus or something similar on ur system too.
you should download your database and get it scanned too ,also check if any of your plugins has a known issue.
The problem is this: I don't know if a hack has even taken place, and even if I did, I do not know when it took place...so not sure what backup to restore.
did you noticed modification date next to the suspicious file? that would have been a clue and you could have scanned all files on server which were modifed in that week and after that.