The passwd file is world readable, so anybody with a shell can copy it to /tmp and do what they want. Was the nc1 file not an executable or could it just not be executed because of the /tmp permissions.
If the people with the shell access are trusted, maybe this happened through a web application vulnerability, or one of the passwords to a user was compromised. It would be hard to tell without having access to the system to take a look around.
Could you give a list of the files in the .std directory? It might help solve this.
You should have kept a backup of it. Oh well, nothing you can do now.
My gut instinct would tell me that it was not a successful attack. Nevertheless, you should have all passwords changed on the system. Keep an eye out for future attacks, because the attacker will more than likely attack again sometime soon.