Yes, it seems like the account this forum was hosted on indeed was compromised at least on a file system level. While it doesn't look like the attacker was in it for the private data (mostly just file-wise changes done to show spam to Google), one must always assume the worst. Thus, as per standard procedure, even though it seems as if the information was most probably not accessed illegitimately in the database, and even though all passwords on this site are hashed (and salted), if you have re-used the password you have used on this site,
it is recommended that you change it as soon as possible. Also, this piece of forum software lacks the capability to force people to reset their passwords, but you should definitely do so as well.
It is not yet known if a local problem led to this, or if this was a bigger problem with the hoster's systems. I am not going to point any fingers towards anyone at this point and just try and make the current situation better.
So far:
- Full tarball backup of the compromised forum has been made for further analysis. We already know how the spam effect was done, but more has to be learned about possible points of entry and so forth.
- The forum has been completely reset file-wise. If there was any cruft that might have made intrusion easier, it sure isn't there any more.
- All uploaded avatars have been removed and disabled. Only non-local stuff can now be used. One of the possible entry points is a PHP script uploaded as a picture.
- Overall file rights have been minimized.
- Moderators' and administrators' passwords were reset, as well as everything possible in the overall forum configuration was changed.
