My website was hacked - figuring it out

Posted by: kristopher.reed
Posted on: 2009-11-02 10:14:00

So, quite to my amusement, my dreamhost website was hacked: www.krisreed.com . No real harm was done. The site had nothing important on it--just a CMS that I am programming (of which the most recent version is on my hard drive). However, I am quite interested in figuring out how he hacked it, in order to prevent it in the future. My questions are at the very bottom if you would like to peruse them first.

Note
There is a nice page on the wiki: http://wiki.dreamhost.com/Troubleshooting_Hacked_Sites about what to do if your site was hacked

The name given on the hacked page is Cyb3erking, which, from a google search, seems to be a Turkish hacker. Now, my goal is to figure out how he hacked my site. I am putting this up here for anyone to add their 2 cents in.

So, here are the facts:
The only file that seems to have been affected is the index.php file, the contents of which were completely replaced with the string "By Cyb3rking".
The "modified" property of the file still says the 20th of October, which I believe corresponds to when I uploaded it.

Now, my ftp password was really weak, so it is quite possible that he cracked the password on it. However, I looked up the access log, and I got this:

(executed the command "last -i | grep kristoph" while SSHed in)

kristoph pts/0 98.206.92.143 Sun Nov 1 20:25 still logged in
kristoph ftpd6501 98.206.92.143 Sun Nov 1 18:31 gone - no logout
kristoph ftpd6446 98.206.92.143 Sun Nov 1 18:31 gone - no logout
kristoph ftpd26494 98.206.92.143 Sun Nov 1 09:59 gone - no logout

(the pts/0 entry is the ssh login I was doing to read the log file)

Notice that all of the entries are from my IP address, so 18:31 UTC-8 must be when I was FTPing in to see how the hack was done.

I also checked the HTTP access logs, and I have this (portion of text from my log file, stored in ~/logs/krisreed.com/http/):

66.249.67.196 - - [01/Nov/2009:01:32:02 -0800] "GET / HTTP/1.1" 200 277 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
67.202.60.234 - - [01/Nov/2009:01:48:59 -0800] "GET / HTTP/1.1" 200 214 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090926 Iceweasel/3.5.3 (Debian-3.5.3-1)"
67.202.60.234 - - [01/Nov/2009:01:48:59 -0800] "GET / HTTP/1.1" 200 214 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090926 Iceweasel/3.5.3 (Debian-3.5.3-1)"
66.249.67.196 - - [01/Nov/2009:09:03:36 -0800] "GET /robots.txt HTTP/1.1" 404 494 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.67.196 - - [01/Nov/2009:09:03:36 -0800] "GET /layout/layout.css.php HTTP/1.1" 200 3847 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.67.196 - - [01/Nov/2009:09:04:41 -0800] "GET /cjcms/editors/cjcms/editors/editors/xinha/XinhaCore.js HTTP/1.1" 404 513 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.67.196 - - [01/Nov/2009:12:12:07 -0800] "GET /cjcms/spages/ HTTP/1.1" 200 561 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.67.196 - - [01/Nov/2009:13:17:00 -0800] "GET /cjcms/cjcommon/ HTTP/1.1" 200 627 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
98.206.92.143 - - [01/Nov/2009:18:31:07 -0800] "GET / HTTP/1.1" 200 277 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.3) Gecko/20090920 Firefox/3.5.3 (Swiftfox)"
98.206.92.143 - - [01/Nov/2009:18:31:07 -0800] "GET /favicon.ico HTTP/1.1" 200 270 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.3) Gecko/20090920 Firefox/3.5.3 (Swiftfox)"
98.206.92.143 - - [01/Nov/2009:18:31:11 -0800] "GET / HTTP/1.1" 200 277 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.3) Gecko/20090920 Firefox/3.5.3 (Swiftfox)"

Now, there are two hits at 1:48 UTC-8 from 67.202.60.234 (which is in Turkey). I am assuming this is him. He apparently uses Iceweasel (a more open-source version of Firefox). All the other entries for that day (up until I checked it at 18:31 UTC-8; everything afterwards is omitted) are either Googlebot or myself (the "Swiftfox" entries).

So, basically, besides the two HTTP log hits, I don't have a record of him doing anything (besides loading my page twice). I would expect an FTP login if he did it via FTP, or an HTTP log of more meddlesome activities if he had compromised my CMS. Neither is found.

Questions:
Could he have edited either the FTP or the HTTP log files to cover his trails?
How else could he have done this hack?
Is there anything else that I can check for?

Of course, any other insights, thoughts, or questions are appreciated.

Re: My website was hacked - figuring it out

Posted by: andrewf
Posted on: 2009-11-02 15:51:00

It looks as though the attacker managed to find an improperly secured rich text editor in your CMS. There are some older hits from a Turkish IP (78.172.180.110) in your archived logs for 2009-10-30 that indicate that they used the ImageManager plugin of one editor to upload a PHP script, which they then ran. I've placed a copy of that log file in your home directory for your perusal.

FWIW, users can't edit their own web log files for exactly this reason.
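The triage done by eye in the first post (separate the owner and the crawler from everyone else) and the pattern andrewf describes in the reply (a POST to an editor's image/file upload handler, followed by a request for a PHP script that did not exist before) can be scripted against the same Apache combined-format log. The following is an added example, not code from either poster or from DreamHost. The first log lines are taken from the post above; the 30-Oct lines from 78.172.180.110 are constructed to show the upload-then-execute shape, and the paths under /cjcms/editors/xinha/plugins/ImageManager/ and /cjcms/images/x.php are hypothetical, not taken from the archived log andrewf mentions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, the layout of the lines quoted in the thread.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths that look like a rich-text-editor file/image upload handler.
# Heuristic only; this is not a list of known-vulnerable components.
UPLOAD_HINT = re.compile(r"imagemanager|filemanager|upload", re.I)

OWN_IPS = {"98.206.92.143"}   # the site owner's address, from the `last` output above

# Sample log: real lines from the post, then CONSTRUCTED lines (hypothetical paths) for
# the 2009-10-30 upload-then-execute pattern described in the reply.
_UA_TR = "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr) Firefox/3.5.3"   # constructed
SAMPLE_LOG = "\n".join([
    '66.249.67.196 - - [01/Nov/2009:01:32:02 -0800] "GET / HTTP/1.1" 200 277 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '67.202.60.234 - - [01/Nov/2009:01:48:59 -0800] "GET / HTTP/1.1" 200 214 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090926 Iceweasel/3.5.3 (Debian-3.5.3-1)"',
    '67.202.60.234 - - [01/Nov/2009:01:48:59 -0800] "GET / HTTP/1.1" 200 214 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090926 Iceweasel/3.5.3 (Debian-3.5.3-1)"',
    '66.249.67.196 - - [01/Nov/2009:09:03:36 -0800] "GET /layout/layout.css.php HTTP/1.1" 200 3847 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '98.206.92.143 - - [01/Nov/2009:18:31:07 -0800] "GET / HTTP/1.1" 200 277 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.3) Gecko/20090920 Firefox/3.5.3 (Swiftfox)"',
    # constructed from here on
    f'78.172.180.110 - - [30/Oct/2009:14:02:10 -0700] "GET /cjcms/editors/xinha/plugins/ImageManager/manager.php HTTP/1.1" 200 4120 "-" "{_UA_TR}"',
    f'78.172.180.110 - - [30/Oct/2009:14:02:41 -0700] "POST /cjcms/editors/xinha/plugins/ImageManager/images.php HTTP/1.1" 200 312 "-" "{_UA_TR}"',
    f'78.172.180.110 - - [30/Oct/2009:14:03:05 -0700] "GET /cjcms/images/x.php HTTP/1.1" 200 1890 "-" "{_UA_TR}"',
    f'78.172.180.110 - - [30/Oct/2009:14:04:22 -0700] "POST /cjcms/images/x.php HTTP/1.1" 200 77 "-" "{_UA_TR}"',
])

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def claims_googlebot(rec):
    """True when the User-Agent says Googlebot. The UA is attacker-controlled, so real
    triage must confirm the IP by reverse DNS (googlebot.com) plus a forward lookup;
    this only separates self-declared crawlers from everything else."""
    return "Googlebot" in rec["ua"]

def foreign_visitors(records, own_ips):
    """IPs that are neither the owner nor a self-declared crawler, with request counts.
    This is the 'who else touched the site' list the original post builds by eye."""
    counts = defaultdict(int)
    for r in records:
        if r["ip"] not in own_ips and not claims_googlebot(r):
            counts[r["ip"]] += 1
    return dict(counts)

def find_upload_then_execute(records, own_ips=()):
    """Flag the pattern from the reply: an IP POSTs to an upload-looking endpoint and later
    gets a 200 for a .php path that nobody had requested before. A PHP file that appears in
    the log for the first time right after an upload is the strongest single indicator of a
    dropped script being run. Returns (ip, upload_path, new_php_path) tuples in time order."""
    seen_php = set()
    last_upload = {}          # ip -> path of that ip's most recent upload-looking POST
    findings = []
    for r in sorted(records, key=lambda r: r["ts"]):
        is_php = r["path"].lower().endswith(".php")
        if r["ip"] not in own_ips:
            if r["method"] == "POST" and UPLOAD_HINT.search(r["path"]):
                last_upload[r["ip"]] = r["path"]
            if (is_php and r["status"] == 200 and r["path"] not in seen_php
                    and not UPLOAD_HINT.search(r["path"]) and r["ip"] in last_upload):
                findings.append((r["ip"], last_upload[r["ip"]], r["path"]))
        if is_php:
            seen_php.add(r["path"])   # owner and crawler hits count as "seen" too
    return findings

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("non-owner, non-crawler IPs:", foreign_visitors(recs, OWN_IPS))
    for ip, upload, php in find_upload_then_execute(recs, OWN_IPS):
        print(f"{ip}: POST {upload} then first-ever hit on {php}")
```

Run it against the real file (`parse_log(open(path).read())`) for every day in ~/logs/krisreed.com/http/, not just the day the defacement was noticed: as the reply shows, the upload happened two days before the index.php change. The two GETs for / from 67.202.60.234 produce nothing here because a page view alone is not evidence of compromise.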
