4
i like their html page, lol, and that was nice that they didn't delete anything. change ALL your passwords, to the database, webserver user account, etc etc
sounds like it was a flaw in the actual server
try to contact the hackers, ask them how they got in. this is needed info for the xoops.org community, to make sure it wasn't via the CMS
usually hackers (especially polite ones like that, lol) like to tell how they got in, showing off