I think it is the basic install:
<IfModule mod_security.c>
SecChrootDir /secure/secapache
# Turn the filtering engine On or Off
SecFilterEngine On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Unicode encoding check
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 0 255
# Only log suspicious requests
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog logs/audit_log
# Debug level set to a minimum
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"
# Reject a single quote (%27) or a double-encoded single quote (%2527)
# in the "highlight" argument
SecFilterSelective ARG_highlight %27
SecFilterSelective ARG_highlight %2527
# Reject requests referencing this remote file with a "cmd" parameter
SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
# Reject any request containing the string "wget"
SecFilter "wget"
</IfModule>
I added the "wget" directive.
wget is the program that most hackers use to load their stuff after the attack.
Since this string will not occur on my sites I blocked it. You don't have to, but it will make you sleep better.
Take care to have SecFilterScanPOST set to "On" so you filter POST requests as well!
If you want to make your own rules there is even a rule generator.
The trickiest part is the
"SecChrootDir /secure"
This works a bit like a BSD jail for apache.
If you are using a Linux machine read on:
That means all commands working through apache believe the server root is under /secure/secapache.
So, if you do not place a copy of Perl, fetch, wget, htget or whatever else these psychos use under that directory, they cannot execute their commands.
The SecChrootDir does not have to be the directory where your apache resides. It can be anywhere.
But:
To have php working as usual you will have to put *some* binaries there:
If you work with system() or exec() or the likes you need to copy
/bin/ls
/bin/sh
to
/secure/bin/
If you want to use the php mail() function you have to install mini_sendmail
And enter this into your php.ini in the mailer section (where you normally have /usr/sbin/sendmail or the likes):
/usr/sbin/mini_sendmail -t -fyourname@yourdomain.com
Then copy these libraries:
/lib/libnss_dns.so.2 --> /secure/lib/libnss_dns.so.2
/lib/libnss_files.so.2 --> /secure/lib/libnss_files.so.2
/lib/libresolv.so.2 --> /secure/lib/libresolv.so.2
/etc/resolv.conf --> /secure/etc/resolv.conf
If you want to use MySQL you have to make the socket readable by php:
vi /etc/my.cnf
[mysqld]
socket=/secure/tmp/mysql.sock
[client]
socket=/secure/tmp/mysql.sock
That should be it, as far as I remember... the SecChroot story is a bit difficult, I admit, but it gives you enough security not to be afraid of the psycho kiddies anymore.
All you have to do now is make a backup of everything under /secure because this is all they can destroy even if they make it through your filters.
Note:
Yes, it is possible to escape this jail. However, it is anything but trivial, and I don't know of a copy/paste exploit that can do it. It requires handwork, which means you must be a valuable target to a hacker for them to even try.
I hope this helps.
The German PunBB Site:
PunBB-forum.de
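The post above copies /bin/sh and /bin/ls into the SecChrootDir jail by hand, but a dynamically linked binary also needs the shared libraries it loads. The script below, an added example and not the poster's own, automates that for one binary at a time: it copies the binary into the jail under its original path and then copies every library that ldd reports for it. The jail path and the list of binaries are assumptions.

```shell
#!/bin/sh
# Populate a SecChrootDir jail with a binary and the shared libraries it
# needs, keeping the original layout (/bin/sh becomes $JAIL/bin/sh).
# Added example; "/secure" and "/bin/sh" below are assumed values.

# copy_into_jail JAIL /path/to/file
# Copy one file into the jail, creating parent directories as needed.
copy_into_jail() {
    jail="$1"; src="$2"
    [ -e "$src" ] || { echo "missing: $src" >&2; return 1; }
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# jail_binary JAIL /bin/sh
# Copy the binary plus every shared object ldd lists for it.  If ldd is
# not available (or the binary is static) only the binary itself is copied.
jail_binary() {
    jail="$1"; bin="$2"
    copy_into_jail "$jail" "$bin" || return 1
    if command -v ldd >/dev/null 2>&1; then
        # ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x...)" or
        # "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep only the absolute paths.
        ldd "$bin" 2>/dev/null |
        awk '/=>/ { print $3 } /^[[:space:]]*\// { print $1 }' |
        while read -r lib; do
            [ -n "$lib" ] && copy_into_jail "$jail" "$lib"
        done
    fi
}

# count_jail_files JAIL -> number of regular files now inside the jail,
# useful to confirm the libraries actually landed there.
count_jail_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Typical use for the setup described in the post (assumed jail path):
#   jail_binary /secure /bin/sh
#   jail_binary /secure /bin/ls
```

Run it as root only if the jail lives under a root-owned path; for a dry run point JAIL at a scratch directory and inspect the result with find.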