They don't need the password to do it through OSCommerce. I've seen sites hacked through phpBB and they didn't even USE the admin password.
Majority of the hacks I've seen onto PHP applications require use of register_globals. You have them on? I'd suggest turning them off. Old code, like OSCommerce is prone to new exploits found in things like addslashes(), register_globals and magic_quotes.