Just to close off this question, I just received the following PM from the OP.
(I asked and obtained their permission to post it here.)
My original advice to him back then:
ric323 wrote:What version did you have?
There was no security problem in 2.0.22 that would allow anything like that. This is more likely to be a problem with the security of your web host, in which case it won't matter what software you change to. phpBB is only as secure as the environment it is running in.
and his recent update:
kabo0m wrote:Yeah we have since left phpbb and went to SMF as we thought that was the issue ... until SMF got hacked.
The funny thing is the two really smart tech geeks of the forums couldn't figure it out .. searching through logs and code of the forums ..
And then I figured out where the hackers were getting in from! The main website! There was a very simple php uploader for images that was being exploited by the hackers uploading files with names like ahlshdf.php.jpg
Well the uploader would read the last extension but the FTP would read the first one. Thus the hackers were able to execute actions via their php program they wrote. It was quite detailed.
Since then we have disabled the php image uploader and have not gotten hacked since.