Well, if the user gained access to your website control panel, database or ftp server, then he can easily bypass the SilverStripe security measures. I suggest you do the following, before trying to further shut-down/blame SilverStripe:
- Change password to your Control Panel
- Change password of your FTP Access
- Ask your hosting provider for an FTP access log. Look for suspicious IPs
- Disallow any database connections other than from localhost (should be the default, but you never know)
- Change DB password
- Look for suspicious cgi or php scripts on the server
- Just to be sure, re-upload all your php files from a local, uncorrupted copy of the site
Update AFAIK if there's no admin user in the member database, one will automatically be created with username admin and password as password. What do you see in the CMS Security section after running /dev/build?