Identify a hack - How did the bad guy get in?

Download your Apache access log files to your local PC. It's not necessary to download the whole lot, just the records for the last X days, where X is the number of days since the last point at which you know your site was definitely not hacked. Use a “grep” program, like WinGrep, to search for potential hacking entry points.

What to search for? Look for “insert”, “update” and “replace”, as these signify a SQL injection attack. If a request looks like a SQL command (possibly with comments like /**/ all over the place), it's most likely a SQL injection attack. Look for requests to your administrator/index.php file which came from an IP other than yours, as these signify a brute force password cracking attempt or an unauthorized login to your site's back-end. Also look for requests to PHP files other than index*.php in your site's root and administrator directories.

If you run into something which looks like a SQL injection attack, take a look at the component's name (if it occurs in a URL with index.php in it). That's a potentially vulnerable component. Check if the component is listed in the Vulnerable Extension List and, if so, make sure you have a newer version than the affected one. All developers have had a vulnerability at some point and released an update to “plug the holes”.
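The three searches described above can be run in one pass over the log. The script below is an added example, not part of the original article: it assumes Apache's common/combined log format, and the sample lines, the IP addresses and the component name com_example are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Apache common/combined log format: client IP ... "METHOD URL PROTO" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3}')
SQL_RE = re.compile(r'\b(insert|update|replace)\b', re.I)
COMPONENT_RE = re.compile(r'[?&]option=(com_\w+)', re.I)
# PHP files directly in the site root or administrator/, other than index*.php
ODD_PHP_RE = re.compile(r'^/(administrator/)?(?!index)[^/]+\.php$', re.I)

def classify(line, my_ips):
    """Return (reason, detail) findings for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return []
    ip, url = m.groups()
    decoded = unquote_plus(url)          # undo %xx and + encoding first
    path, _, query = decoded.partition('?')
    findings = []
    if SQL_RE.search(query):             # \b also matches next to /**/ comments
        comp = COMPONENT_RE.search(decoded)
        findings.append(('sql-keyword', comp.group(1) if comp else 'no component in URL'))
    if path.lower() == '/administrator/index.php' and ip not in my_ips:
        findings.append(('admin-access', ip))
    if ODD_PHP_RE.match(path):
        findings.append(('unexpected-php', path))
    return findings

def scan(lines, my_ips):
    """Map line number -> findings, skipping clean lines."""
    hits = {n: classify(l, my_ips) for n, l in enumerate(lines, 1)}
    return {n: f for n, f in hits.items() if f}

# Constructed sample lines (documentation IP ranges, hypothetical com_example)
SAMPLE = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?option=com_example&id=1%3Bupdate/**/tbl/**/set/**/a%3D1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 9120',
    '198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "POST /administrator/index.php HTTP/1.1" 200 3301',
    '198.51.100.7 - - [10/Oct/2023:14:05:40 +0000] "GET /administrator/cache_helper.php HTTP/1.1" 200 88',
    '192.0.2.10 - - [10/Oct/2023:15:00:00 +0000] "POST /administrator/index.php HTTP/1.1" 200 3301',
]
MY_IPS = {'192.0.2.10'}  # your own address(es)

if __name__ == '__main__':
    for n, found in scan(SAMPLE, MY_IPS).items():
        print(n, found)
```

Treat each hit as a lead to review by hand, since a legitimate URL can contain a word like “update”. The access log records only the URL, so anything sent in a POST body will not show up in this search.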
