Attempted hack on VPS, how to protect in future, what were they trying to do?

Posted by Moin Zaman on Server Fault
Published on 2010-11-26T19:49:54Z Indexed on 2011/01/03 20:55 UTC

UPDATE: They're still here. Help me stop or trap them!

Hi SF'ers,

I've just had someone hack one of my client's sites. They managed to change a file so that the checkout page on the site writes payment information to a text file.

Fortunately or unfortunately they stuffed up; they had a typo in the code, which broke the site, so I came to know about it straight away.

I have some inkling as to how they managed to do this:

My website CMS has a File upload area where you can upload images and files to be used within the website. The uploads are limited to 2 folders. I found two suspicious files in these folders and on examining the contents it looks like these files allow the hacker to view the server's filesystem and upload their own files, modify files and even change registry keys?!

I've deleted some files, and changed passwords and am in the process of trying to secure the CMS and limit file uploads by extensions.

Anything else you guys can suggest I do to try and find out more details about how they got in and what else I can do to prevent this in future?
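
The post mentions limiting file uploads by extension. The following is an added example, not code from the post or from the CMS (whose language is not stated): a Python allowlist check that also rejects names a Windows file system would store differently from how they were submitted. The allowlist contents, the function names and the Windows host (inferred from the mention of registry keys) are assumptions.

```python
import os
import re
import uuid

# Assumed allowlist for an image/document upload area; adjust per site.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
# Windows reserved device names, never valid as a file stem.
RESERVED = {"con", "prn", "aux", "nul"} | {
    f"{p}{i}" for p in ("com", "lpt") for i in range(1, 10)}


def validate_upload_name(client_name):
    """Return the allowed lowercase extension, or raise ValueError."""
    # Control characters (including NUL) never belong in a file name.
    if any(ord(c) < 32 for c in client_name):
        raise ValueError("control character in name")
    # Keep only the last path component, for both separator styles.
    name = re.split(r"[\\/]", client_name)[-1]
    # Windows drops trailing dots and spaces when creating a file, so the
    # stored extension could differ from the one that was checked.
    if not name or name != name.rstrip(". "):
        raise ValueError("empty name or trailing dot/space")
    # ':' addresses an NTFS alternate data stream; ';' and '%' can be read
    # differently by URL and handler parsers. Reject instead of cleaning.
    if any(c in name for c in ':;%<>"|?*'):
        raise ValueError("forbidden character in name")
    stem, ext = os.path.splitext(name)
    # Exactly one dot: a second extension hidden in the stem is refused.
    if not stem or "." in stem or stem.lower() in RESERVED:
        raise ValueError("bad stem or multiple extensions")
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not on allowlist")
    return ext.lower()


def is_allowed(client_name):
    """Boolean wrapper around validate_upload_name."""
    try:
        validate_upload_name(client_name)
        return True
    except ValueError:
        return False


def stored_name(client_name):
    """Server-chosen name: random stem plus the validated extension."""
    return uuid.uuid4().hex + validate_upload_name(client_name)
```

A name check is only one layer: the upload folders should also be configured so the web server serves their contents as static files and never executes them.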
