Thank you for the reply. Sorry for the vagueness of the post, I'm a techie but this stuff is a little beyond my skill set.
The forum is Invision Power Board V 1.2 RC1, we were set to upgrade this weekend to the newest paid version, of course right.
Once I was notified there was an issue we locked the site, and as of right now passwords are changed and the site files are renamed so our users do not attempt to access it. When they were going there they were getting pop-ups and their anti-virus was alerting them of trojans.
I looked through all the files and I found that the hacker had uploaded files to the archive_in directory on the server. These files were:
Then in the /html/emoticons/ directory there was a file called ACP_Delete.php
When I had a look through them it contained strange character sets, or it was in a different language. It listed all sorts of commands this person must have been able to invoke when they wanted to. If I called the file acp_delete.php in my browser it opened phpremoteview and I could see all the folders on the server and the permissions that it said I had were root level, WRX.
That is where I stopped and had a friend of mine who does security consulting take a look. He sent me an email saying he feels the server had been compromised because of some commands he was able to run… sorry, again it is a little above me, I just know it is not good.
Do you think DH would be so kind to send me a backup from a few days ago of my site and database?
I know, stupid for not doing them myself. I stink…