jay5r - 2:00 pm on Nov 20, 2013 (gmt 0)
What was the symptoms? What happened to your website?
The first thing that was obvious was that certain pages were redirecting to other sites. If I remember correctly it was a "security software" type site. The hacker had gotten in and essentially overwritten certain pages.
What I missed in the first attack was that s/he had also created admin user accounts. When more pages were hacked a week later I took a much closer look at things and discovered three admin users that shouldn't have been there. Since the files (on disk) had been locked down after the first attack the next step was for the hacker to use those use admin users to change some of the page code that's stored in the database. That's actually a much harder thing to restore since restoring the database would have wiped out all the user discussion on the forum. That's when I put in the 2nd layer of password protection on the admin and moderation pages. So now even if they do manage to create an admin user in the future they can't hit an admin page.
During all of that I discovered that, while my host only keeps one day of log files, vB logs all page hits to admin areas. So there was a nice neat tidy record of exactly what pages the hacker had accessed.
The one good thing about forums is that you have an active community of people who are looking out for you. People were tweeting me, emailing me, etc. as soon as the problem happened. I don't think I would have gotten the same response if one of my blogs had been hacked.