Some guy keeps injecting random stuff into our root.
He recently injected a txt file that said "test.txt"

How are people doing this and how to stop things like this from happening?

Well I understand there is a point. To solve this I'm all alone in first on the question mark in talking about the need to see the contents of the test.txt file. vbulletin sql injection system, usually being taken from search.php and index.php. CPU or ceiling, of course yaptırıyor pruning. pursuant to it can enter into the system.

if you're getting files, it's probably not SQL, but writable (chmod 777) directories.

You should have taken a look at your access_logs from that day to see if it really is sql injection. Then, take a look at your server logs to see who is logging in to your server. This should be done the day it happens though since sometimes hosts don't keep this information around for long.