Well, the latest update is that our host has our site up and running again - Yayyy!
So a hacker I asked to look at the site has told me that they can get in by SQL injection. I did some reading and found an update that we didn't have in place around the geo-zones page, so I have implemented that. Here it is for reference:
I have spent the day phoning cyber security experts to get someone to do a penetration test for us, which is crazy expensive in my country, so I might have to look internationally. several people I talked to don't believe there was any link between the email we received and the web site going down, although they did find malicious content, so the site may have been hacked by others in the past. Their theory is that if someone installed malicious content, the last ting they would want to do is warn us. I guess I will never know, but I'm still waiting on my host to give a report on what they actually found.
I ran our site through the link Jack posted above and is shows fail on the following:
Your admin appears to not be password protected. This may be a serious security problem (some secured admins may return false results).
Your images directory is not
Your includes directory is not
secure. This is a serious security hole and needs to be fixed immediately.
However there is another site of mine on the same hosting account, with an identical install of OSC (different products but same store files and setting) and that shows as a clean pass on everything. I have checked one by one and my Admin is secured correctly, My image directory is secured correctly and the Includes directory is secure too, so I'm hoping there is a false positive for some strange reason on this site. Now I'm paranoid about everything.