My 2 cents on eNaTIS website hack - Steven Shiraz Scheffler
My 2 cents on eNaTIS website hack

Was the site hacked or not? Sure it was, through persistent cross-site scripting (XSS). Some guys inserted comments in a feedback section of the site; the comments were saved in the database and displayed every time somebody viewed the page.

People should read up on what 'hacking' means. If I was the eNaTIS spokesperson I would have said something like: we are using the Joomla CMS, which is open source software, available for free. We forgot to upgrade to the latest version, so we are vulnerable to attacks exploiting publicly known bugs in Joomla.

What are the worst attack vectors in a PHP application using SQL? First of all SQL injection; secondly remote file inclusion on pages that include files based on unsanitised input, which would let anyone inject and execute PHP code, e.g. upload files such as a spam engine, execute anything on the server, do network discovery, etc.
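To make the two vectors above concrete, here is an added example (not code from the post or from eNaTIS/Joomla) of a minimal feedback section backed by SQLite: the insert is parameterised so user input never becomes SQL, and the stored comment is rendered once unsafely (the persistent XSS the post describes) and once with HTML encoding at output time. The comment and name values are constructed sample input.

```python
import html
import sqlite3

# Constructed sample input: a feedback comment carrying a script tag (the
# persistent XSS case) and a name carrying an SQL injection attempt.
MALICIOUS_COMMENT = "Nice site <script>alert('xss')</script>"
INJECTION_NAME = "x'); DROP TABLE feedback; --"


def init_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE feedback (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)")
    return conn


def save_feedback(conn, name, comment):
    # Parameterised query: the driver passes the values separately from the
    # SQL text, so the injection string is stored literally, not executed.
    conn.execute("INSERT INTO feedback (name, comment) VALUES (?, ?)", (name, comment))
    conn.commit()


def render_unsafe(conn):
    # Vulnerable: stored text is echoed into the page unchanged, so a <script>
    # tag saved once runs in the browser of every later visitor.
    rows = conn.execute("SELECT name, comment FROM feedback ORDER BY id").fetchall()
    return "".join(f"<li><b>{n}</b>: {c}</li>" for n, c in rows)


def render_safe(conn):
    # Hardened: HTML-encode every stored value at output time so the browser
    # displays the text literally instead of parsing it as markup.
    rows = conn.execute("SELECT name, comment FROM feedback ORDER BY id").fetchall()
    return "".join(
        f"<li><b>{html.escape(n)}</b>: {html.escape(c)}</li>" for n, c in rows
    )


def contains_script_tag(page):
    # Crude check used only to compare the two renderings.
    return "<script" in page.lower()


if __name__ == "__main__":
    db = init_db()
    save_feedback(db, INJECTION_NAME, MALICIOUS_COMMENT)
    print("unsafe render contains live script tag:", contains_script_tag(render_unsafe(db)))
    print("safe render contains live script tag:  ", contains_script_tag(render_safe(db)))
```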

eNaTIS says that the system and database can't be accessed from the website. However, there is a Login/Registration form on the main page, which means there must be a database connection from the website to that database, unless they save the details in a plain text file. Even getting user information, email addresses and phone numbers would be of benefit to an attacker.

From a statement on the website's front page: "The truth is that the eNaTIS web site is running on a public hosting area on a public hosting service". Yes, it does. Bluehost Inc is the netblock owner; you can check out the details on the Netcraft website.

Lastly, there is a survey running on the site about preferred online payment in the near future. That will definitely be linked from the website to the main backend system.
