Tommo, what open ports were to the world on that box?
And not only that, you have forum software on the server. Can the uid running the webserver read bitcoin's config file? What version of Vanilla is that? Do you have a config file in www root that an attacker could read to get passwd info? Or anywhere else on the server? 'Cause I am leaning towards that vector. Check www logs during the timestamp of the sendfrom.
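One way to run the log check suggested above, as an added example that is not part of the original post: it pulls web access-log entries from a window around the sendfrom time and marks config-like files that were served with HTTP 200. The combined log format, the file-name pattern, the timestamp and the sample lines are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: host ident user [time] "request" status size ...
LINE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Assumed pattern for files that may hold credentials; tune it to your web root.
SENSITIVE_RE = re.compile(r'(config|settings)[^/]*\.(php|inc|ini|bak|old|txt)', re.I)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"host": m.group("host"), "when": when,
            "path": m.group("path"), "status": int(m.group("status"))}

def requests_near(lines, event_time, window_minutes=10):
    """Requests within +/- window_minutes of event_time, oldest first.
    'sensitive' marks a config-like path that was served with HTTP 200."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and abs(rec["when"] - event_time) <= window:
            rec["sensitive"] = (rec["status"] == 200
                                and bool(SENSITIVE_RE.search(rec["path"])))
            hits.append(rec)
    return sorted(hits, key=lambda r: r["when"])

# Constructed sample data: documentation IP ranges, made-up paths and times.
SENDFROM_TIME = datetime(2011, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2011:11:30:00 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jun/2011:11:55:12 +0000] "GET /forum/conf/config.php.bak HTTP/1.1" 200 1843 "-" "-"',
    '198.51.100.7 - - [01/Jun/2011:11:56:40 +0000] "GET /forum/settings.ini HTTP/1.1" 404 210 "-" "-"',
    '203.0.113.5 - - [01/Jun/2011:12:04:00 +0000] "GET /forum/discussions HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    'not an access log line',
]

if __name__ == "__main__":
    for r in requests_near(SAMPLE_LOG, SENDFROM_TIME):
        flag = "REVIEW" if r["sensitive"] else "      "
        print(flag, r["when"].isoformat(), r["host"], r["status"], r["path"])
```

A credential file may have been fetched well before the transfer, so widen `window_minutes` if the narrow window shows nothing.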