Did you install the hotfixes?
What other PHP-scripts do you have installed at the same host (DB access may be gained through other script)?
Is it DS/VDS or simple virtual hosting?
Are you sure no-one could get password in non-technical way? :-)
Do you have Apache access-log available for the period when user has changed his group?
I just change the folder name where punbb installed
This will not possibly save you in case of the real exploit.
Nevertheless, after you find the hole, you'd better reset (fill randomly) all users passwords (starting from yours). If you will not succeed in finding the whole, you may hope that it was a single incident, but it is still better to reset at least admin passwords, when you come to such a conclusion.