Since then... he/she/it also hacked my gb script. I've always known my scripts weren't all that secure... but this was ridiculous.
Then suddenly I figured it out, it's soo simple. Thus I thought I'd share it with you so that no one else makes my silly mistake.
I kept the admin password/username in a textfile in the folder tree of the script... no problem if no one knows the folder name and they can't surf your site's tree freely (placing index.html in all folders)
But my error... I had 2 small images in the script for email and sites... and well... click on image/properties and you know the name of the folder where it's from. Once he knew that... it was easy to find the textfile with the passwords.
Thus conclusion... don't keep your images next to your passwords! hehe
I'm testing new versions of the scripts now, in case I am wrong and that's not how it was done... one of these days I'll start using .htaccess