I don't think the exploit is his to fix, sounds like a bug with the source engine/a door that needs to be closed. I fully expect VAC to ban them for it (if indeed they did it how they say they did). I find it infinatly more probable that they used a bug in the ULX admin system.
However the majority of the things that they did can be put down to not making files that shouldn't be written to read only and holes in the ULX admin system(witch from what I gather is what you were using) I always remove rcon permissions from the admin system on any game server. I recomend that you do the same, admins do not need nor should they need rcon if you have ULX it can handle kicking/banning. If someone really does need rcon use the rcon console commnds (rcon_address, rcon_password etc), and change the password frequently.
Also, backup the ban database often, even make a script to do it if you know how. Then they can play arround with bans as much as they want and fixing it is as simple as copying a file.
Much more secure.