Welcome to EH-Net.
We probably can't help much without a lot more info, but here are a few things to go on:
Do you own/control the box on which it is hosted? You could always use the web app/CMS to ban the user and block access by IP (although this may inadvertently block legitimate users from the same ISP). Also, you can do the same in the firewall to prevent the user from even touching the app. Even some hosting services offer this ability if you don't run the servers in house.
Are you using a proprietary system that you coded or is this some third party app? If the latter, try their forums or support system.
Of course, the nub already got in, so you can never be sure how deep he got. Do you have BUs? You could restore the files to a particular date in time and then migrate the current db. Usually in systems like this, the files are completely separate from the db.
Then again, we don't know where he got in or what he did. So check your server logs for access and file transfers.
Hope this helps,
CISSP, MCSE, CSTA, Security+ SME