Clypp had it exactly right in post #18 though, it was a phpBB vulnerability allowing admin access. The tech support at ServePath has fixed it for us.
People who commit deliberate cybervandalism- whether writing malicious code, or propagating it- need to be heavily penalized.
Triple fines for lost time combatting their garbage, damages assessed for lost data, and jail time.
Some here advocate barring them for life from anything to do with computers, and perhaps that would be appropriate as well.