When I first saw the replaced content on the board index page, I assumed that there had been a breach of the physical server. I immediately logged in and didn't see any tell-tale signs of security actually having been breached except for one questionable process (it turned out to be normal). I ran several security scanners, rootkit hunters, et cetera; looked at all of the different places that a sysadmin looks when something like this happens and couldn't find anything. I immediately reported it to the datacenter so they wouldn't pull down the server if, in fact, someone had gotten access to the server and was using it to send out spam or as a node for a botnet or something like that.
I also immediately killed the processes running the web server in case there was a security exploit there that was being used. Unfortunately, that ended up making the problem much harder to solve. Since none of the other web sites the server hosts had been modified in any way, I immediately became suspicious of phpBB, which, in the past, had been notoriously prone to security vulnerabilities (though that has been rectified, to my knowledge). I checked all of the PHP code in the phpBB directory, diffed them against originals and backups, and could find no modifications. The only sign that there was a problem was in the directory that caches the compiled templates used to display the forums, where the "compromised" index page was being cached, though that cached data was, again, not to be found in the actual template directory.
Finally, I decided to boot up the web server processes, while restricting boards access to only my IP address, to do more investigation. As soon as I logged in to the administration panel, I saw what had happened — jpittman's account had been logged into at 1:08 PM CDT and used to modify the template for the board index; if the template is edited in this way, the change never makes it to the filesystem and it is instead held in memory, hence why I could not find evidence of it in any of the usual places.
Whomever it was used an IP address out of Bishkek, Kyrgyzstan, and actually was quite nice — they could have done a lot more damage. Everything is backed up off-site nightly, so it wouldn't have been permanent damage, it would have just meant the site would be down a lot longer than it actually was.
The content that replaced the index was annoying, but in no way harmful — it was not used for damaging scripts or anything of that nature. Also, since direct database access was not achieved, no private messages or anything non-public was able to be viewed.
TL;DR — jpittman's account was logged in to (
