scott2500uk, 03-04-08, 03:26 AM (post #6)
They didn't fake the mime type, as they uploaded a rar file and when I downloaded it, it had the c99 shell inside it. Looking in the directory they had uploaded the file to, they had managed to extract the c99 file to the same directory as the rar was in.

My webhost provider has looked over the server and nothing seems out of place.

The upload directory was the only place with write permissions, so they could only upload files there. They could look at the source of my files but not config files, as I keep them outside readable directories.

The only bad thing they did was to chmod the upload folder to 0101 so I was unable to use that folder. A quick email to my webhosting provider and they deleted the folder for me.

They must have used an exploit in the CMS I'm using to run an exec() command to unrar the file they had uploaded. I'm sure we have unrar loaded up, as cPanel uses that function.

The thing is, there are no known exploits in the CMS I'm using for running remote commands.

I'm still lost at how they did it.....

Edit: Nico, I don't use that method to check file type. I check the extensions used on the file, e.g. .jpg, .gif, etc. If any don't match my allowed extensions then the file is blocked.

Plus if any files that are uploaded with these extensions:

$imagetypes = "gif|jpg|png|swf|swc|psd|tiff|bmp|iff|jp2|jpx|jb2|jpc|xbm|wbmp";

I use get_image_size() to check they are actual images not just php files with renamed extensions.

Last edited by scott2500uk; 03-04-08 at 03:32 AM. Reason: update
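An added example, not from the original post or the CMS it mentions: one way to combine the extension allow-list and the image check the post describes, so that every upload must carry an allowed extension and contain image data of the matching type. It goes beyond the post by applying the content check to all uploads; the function name check_upload(), the three-entry allow-list and the sample bytes are assumptions for illustration, and PHP 7.1 or later is assumed.

```php
<?php
// Added example (not the poster's code). check_upload(), the allow-list and
// the sample inputs below are assumptions made for illustration.

const ALLOWED_IMAGES = [   // extension => MIME type the content must have
    'gif' => 'image/gif',
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
];

// Decide whether an upload may be stored.
// Returns [true, generated file name] or [false, reason].
function check_upload(string $clientName, string $tmpPath): array
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGES[$ext])) {
        return [false, "extension '$ext' is not on the allow-list"];
    }
    // getimagesize() inspects the file header and returns false for non-images.
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return [false, 'content is not a recognisable image'];
    }
    if ($info['mime'] !== ALLOWED_IMAGES[$ext]) {
        return [false, "content is {$info['mime']} but extension is .$ext"];
    }
    // A valid header does not rule out appended data, so never keep the
    // client's file name, and store the file where nothing is executed.
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}

// Constructed sample inputs: a 1x1 GIF and a buffer starting with the RAR signature.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$rar = "Rar!\x1A\x07\x00" . str_repeat("\0", 32);
$cases = [
    ['photo.gif', $gif],   // accepted
    ['photo.png', $gif],   // rejected: content and extension disagree
    ['files.rar', $rar],   // rejected: extension not allowed
    ['files.jpg', $rar],   // rejected: renamed archive is not an image
];
foreach ($cases as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    [$ok, $detail] = check_upload($name, $tmp);
    printf("%-10s %s  %s\n", $name, $ok ? 'ACCEPT' : 'REJECT', $detail);
    unlink($tmp);
}
```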