It's as if the hacker didn't even need to login to be able to access admin.php. Is it possible to forge a cookie that would bypass authentication?
On your 1st answer, does deleting everything mean logging to ftp and reinstalling XOOPS again all over?
as the hacker may have had access to my database password (from teh mainfile.php), do I need to reset teh database password?
Will installing the backup module be enough to backup the database now and restoring after reinstallation of making sure its the same version of php and mysql?