I've been looking into this since posting and I think I've isolated the hacker in the server logs.
It seems they began by performing GET and then POST operations on "HTMLEditor/editor/plugins/kfm/index.php" and then the "get.php" and "upload.php" from the same directory.
I can't say with complete certainty, but that seems like the exploit referenced in the other thread that I've now fixed.
So, hopefully I've got it secured. I've kept the relevant entries from the log file if they're of any use in helping me know for certain that it's been solved.