Having been hacked recently, I've discovered the doorway into my site was the OSCommerce application.
Please be aware that even the most current installation of OSCommerce is vulnerable to malicious intruders. And the hacker community knows about these weaknesses.
Please read the first post in the security forum at OSCommerce and follow the instructions contained there.
In short, you should add some plug-ins to OSCommerce, delete the file manager, password-protect the admin directory and change its name. Check all permissions of files and folders.
Good Luck.
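
An added example, not part of the original post or of osCommerce itself: a shell function that audits an installation against the checklist above (admin directory renamed, file manager deleted, admin directory password protected, permissions checked). The names `admin`, `file_manager.php` and an Apache `.htaccess` with `AuthType` are assumptions about a stock install, and `audit_oscommerce` is a hypothetical helper name.

```shell
#!/bin/sh
# Usage: audit_oscommerce /path/to/catalog admin_dir_name
# Assumed names (not from the post): stock admin directory "admin",
# file manager script "file_manager.php", Apache ".htaccess" with AuthType.
audit_oscommerce() {
    root=$1
    admin=$2
    FINDINGS=0

    # Admin directory should have been renamed away from the default.
    if [ "$admin" = "admin" ]; then
        echo "FAIL: admin directory still has the default name"
        FINDINGS=$((FINDINGS + 1))
    fi

    # The file manager should have been deleted.
    if [ -e "$root/$admin/file_manager.php" ]; then
        echo "FAIL: $admin/file_manager.php is still present"
        FINDINGS=$((FINDINGS + 1))
    fi

    # Admin directory should be password protected by the web server.
    if ! grep -qi '^[[:space:]]*AuthType' "$root/$admin/.htaccess" 2>/dev/null; then
        echo "FAIL: $admin/.htaccess has no AuthType directive"
        FINDINGS=$((FINDINGS + 1))
    fi

    # No file or directory should be writable by every local user.
    ww=$(find "$root" ! -type l -perm -0002 | wc -l)
    ww=$((ww + 0))
    if [ "$ww" -gt 0 ]; then
        find "$root" ! -type l -perm -0002 | sed 's/^/FAIL: world-writable: /'
        FINDINGS=$((FINDINGS + ww))
    fi

    echo "findings: $FINDINGS"
    return 0
}
```

The function leaves the total in `FINDINGS`, so it can gate a deployment script or a scheduled check.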