Yeah this will be fun. I've had a bit of experience fighting hackers myself (some hacked into our servers where I work).
Most likely cause: somewhere in the site the "get" and "post" variable inputs are not being checked, and so the hackers probably got access do the database and used SQL injection to discover admin passwords, logged in as an admin, uploaded some scripts and defaced the site.
