do a vulnerability scan on the websterver and see what could have been exploitable and patch it up to avoid further pwnage.

Collect as much data as possible and report it to the authorities.

EDIT:

Ok after a little bit of my own research and the use of some really effective skiddie tools ...I can tell you that his website/webserver had a huge "WELCOME" sign hanging from all its 15 Open ports and some other stuff that I'd rather not share in public display. He seriously needs to lock that box up....is there a firewall installed?
The box is very vulnerable to numerous high risk exploits quite a few medium risks one and one low risk.

I have a report done but I dont think i want to give it to you...as DjM noted, this might be a sad social Engineering attempt.

cheers.