Finally made it in this morning and glad to see the forum hasn't been taken over again.
Here is my take on the security. I am by no means an expert, but have had to research this a bit as I manage a couple of servers with my job and also have my own personal server I take care of.
It sounds like he most likely got in with the weak password, however, I wouldn't rule out an exploit either. As far as passwords go the worst thing you can do is use a word on its own. It is very easy to do what is called a dictionary attack on a user's password. This involves a program that will go through every word in the dictionary and attempt to log in with all of those words. One way that you can get around this and still use a word would be to substitute numbers for letters, so if my password was starwars I could change it to 5tar5war5, but many know that users do that, so a better way would be to make it a little more random and use different cases throughout, so 5TaRwarS would be an even better substitute. Another good idea would be to add some other numbers or characters to the end, so 5TaRwarS-4826 or something along those lines. That way it is still a word or something that can be remembered, but requires a lot more work to figure out. Another way to go would be to use the first letters of a phrase mixed with numbers and letters, so say you want to use "May The Force Be With You", you could do MtFbwY and then mix in some numbers or characters, so M4t8F2b6wY! These obviously aren't as easy to type, but hopefully make it somewhat easier to remember. I hope someone at least finds this useful.
As far as the forum software goes it is always good to keep up to date. The software is free and open source which has advantages and disadvantages. The advantage is that if an exploit is found then anyone with some php knowledge can figure out a patch and submit the fix to the group that makes it. The fix would then come out very quickly. The disadvantage is that anyone can look at the source to find new exploits, so it is always a cat and mouse game. I learned this the hard way with some software I was using for a family site a few years ago. Now I always stay on top of the latest patches and haven't had any problems. I still have problems with spammers registering, so I made it that I had to approve them before they could do anything. Unfortunately, I now have to approve anyone that registers on my site, but in the long run it is worth it. If the forum goes this route then hopefully some of the other mods would be able to approve instead of just Edd. I have no idea what version of phpbb we are using. I found a few things yesterday to try and find out, but luckily those didn't work. The only thing that makes me think it could be an older version is the 2007 copyright date at the bottom of the page and I know phpbb3 came out in 2009.
These exploits get out there and pretty much anyone that can figure out how to run a script can take advantage of it, so that is why it is important to stay up to date on the patches and such.
I hope this helps a bit. I know there are some other IT people who use the board, so any additions are welcome.
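An added example, not part of the original post: a check a site admin could run when a user sets a password, which undoes case changes and the usual number-for-letter swaps before comparing against a wordlist. The wordlist, the substitution map and the function names are constructed for illustration; a real deployment would load a full dictionary or breached-password list.

```python
"""Password screening at registration time (added example, constructed data)."""

# Constructed sample wordlist; stands in for a full dictionary file.
WORDLIST = {"star", "wars", "password", "dragon", "force"}

# Assumed set of common character-for-letter swaps (not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Fold case and reverse the common swaps so disguised words line up."""
    return password.lower().translate(LEET)


def dictionary_hits(password: str, wordlist=WORDLIST) -> list:
    """Return the wordlist entries still visible inside the password."""
    norm = normalize(password)
    return sorted(word for word in wordlist if word in norm)


def screen(candidates) -> dict:
    """Map each candidate to the dictionary words it is built on."""
    return {pw: dictionary_hits(pw) for pw in candidates}


if __name__ == "__main__":
    # The passwords discussed in the post above.
    samples = ["starwars", "5tar5war5", "5TaRwarS",
               "5TaRwarS-4826", "M4t8F2b6wY!"]
    for pw, hits in screen(samples).items():
        verdict = "reject, built on " + ", ".join(hits) if hits else "no dictionary word found"
        print(f"{pw:15} {verdict}")
```

Only the phrase-initials password passes this check; the added suffix in 5TaRwarS-4826 lengthens the password but leaves the base words recognisable.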