FreeBSD Server Administration


August 07, 2005

phpBB Hack

My phpBB forum was hacked recently, it seemed to be a targeted attack.

What's Changed
1. Three word censors were added.
2. A few users (with consecutive user IDs) were granted admin privileges.

Possible ways to make the above changes:
1. Through phpBB admin control panel.
2. Modify tables directly in mysql command line or with uploaded scripts.

My first guess is phpBB. I installed phpBB starting with version 2.0.11 and followed the upgrades thereafter. Because the forum is heavily customized and a clean upgrade isn't easy, I only applied the critical security fixes according to the official release notes, so maybe I missed something. Adding word censors requires access to admin_words.php, but I didn't find any hits in the Apache log file. Also, it's a bit troublesome to grant admin rights to a few users through the admin control panel.
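The log check described above, written out as an added example (mine, not code from the original post): it scans an Apache combined-format access log for the phpBB 2.0.x admin scripts that have to be requested to add word censors (admin/admin_words.php) or change user permissions (admin/admin_ug_auth.php), and separately for POST requests to PHP files outside the forum's normal script locations, which is what a script uploaded into an avatar or attachment directory would look like. The log lines, the /forum/ path and the IP addresses are constructed; the admin script names are phpBB 2.0.x's own.

```shell
#!/bin/sh
# Added example (not from the original post). Scans a phpBB 2.0.x forum's
# Apache access log for the two things that would explain the observed
# changes: hits on the admin scripts for word censors and user/group
# permissions, and POSTs to PHP files outside the usual script locations
# (a possible uploaded backdoor). Assumptions: combined log format, forum
# installed under /forum/. The sample log below is constructed.

SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [30/Jul/2005:08:05:12 +0800] "GET /forum/index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.7 - - [30/Jul/2005:08:12:40 +0800] "POST /forum/images/avatars/x.php?cmd=id HTTP/1.1" 200 211 "-" "Mozilla/4.0"
198.51.100.9 - - [30/Jul/2005:08:36:01 +0800] "GET /forum/admin/admin_words.php?mode=add HTTP/1.1" 200 3330 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Jul/2005:08:53:17 +0800] "POST /forum/admin/admin_ug_auth.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.4 - - [30/Jul/2005:08:57:55 +0800] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 9921 "-" "Mozilla/4.0"
EOF
)

# admin_hits (log on stdin): lines requesting admin_words.php (word censors)
# or admin_ug_auth.php (user/group permissions) under any admin/ path.
admin_hits() {
    grep -E '"(GET|POST) [^ ]*/admin/admin_(words|ug_auth)\.php'
}

# admin_hit_ips (log on stdin): the distinct client addresses behind those hits.
admin_hit_ips() {
    admin_hits | awk '{ print $1 }' | sort -u
}

# suspicious_php_posts (log on stdin): POSTs to a .php file that is not a
# script directly in the forum root or in admin/, e.g. something dropped
# into an upload directory such as images/avatars/.
suspicious_php_posts() {
    grep -E '"POST [^ ]*\.php' \
        | grep -Ev '"POST /forum/(admin/)?[A-Za-z0-9_]+\.php'
}

# count_lines: turn a filtered listing into a number.
count_lines() {
    wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample. A real run reads the
# server's log instead, e.g.: admin_hits < /var/log/httpd-access.log
echo "admin script hits: $(printf '%s\n' "$SAMPLE_LOG" | admin_hits | count_lines)"
echo "from: $(printf '%s\n' "$SAMPLE_LOG" | admin_hit_ips | tr '\n' ' ')"
echo "suspicious PHP POSTs: $(printf '%s\n' "$SAMPLE_LOG" | suspicious_php_posts | count_lines)"
printf '%s\n' "$SAMPLE_LOG" | suspicious_php_posts
```

An empty result from admin_hits on a real log means one of two things: the admin panel was not used (the changes were made directly in MySQL or by an uploaded script), or the log itself was altered. The second check narrows the uploaded-script theory to the directories a forum user can write to.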

There are many empty files in /tmp that look like PHP session files. This is the only thing I found on the server.
-rw------- 1 www wheel 0 Jul 30 08:53 sess_76f4ed1e3931f451aaefe326b6786a48
-rw------- 1 www wheel 0 Jul 30 08:05 sess_7b2e70af030695169783f3a0db33c108
-rw------- 1 www wheel 0 Jul 30 08:57 sess_7b8ba93234e7d1a42fb1da8a26d82aef
-rw------- 1 www wheel 0 Jul 30 08:12 sess_7dbb918cd26290b92cea73d943f5b3bc
-rw------- 1 www wheel 0 Jul 30 08:36 sess_82b82a40ee0e24872f37a1d0cf6efd98

I'm a bit curious why these files weren't deleted; if the hacker can write them, he can delete them too, right?

You see, I didn't find anything useful. The worst case is that the shell account was compromised. Another possibility is that he uploaded some scripts; if I had to guess, the latter is more likely.

Anyway, I'm not really concerned about the dead forum. I even think it's a good thing, because it gave me some motivation to learn more about FreeBSD. I realized my thinking about security was so wrong:

- My sites are not important. Even if they are hacked, I can rebuild them, no loss, no big deal.
- The server is secure enough.
- No one will target my small sites.
- Server hardening? I'm not paranoid.

I didn't change the forum; the door is still open. I'm going to harden the server a little. If something tricky is on the server, it's like a training exercise.

After the problem occurred, I immediately bound ssh login to a static IP. I think it's very important. Other things on my to-do list at the moment:

1. Harden /tmp beyond the default sticky bit. As with the email problem, both times something was written to this directory.
2. Install a log watch tool. I didn't find anything unusual in the system and Apache log files, but they might have been tampered with. It's bad not to have trustworthy log files.
3. Check for rootkits.
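The settings behind the ssh restriction and the to-do list above, with checks that they are in place, as an added example (mine, not from the original post). The fstab and sshd_config fragments are the settings; the two functions parse what `mount` and sshd_config actually contain so the result can be verified rather than assumed. The device name /dev/ad0s1d, the user name admin and the address 203.0.113.5 are placeholders, and the sample `mount` lines are constructed in FreeBSD's output format.

```shell
#!/bin/sh
# Added example (not from the original post): settings for the to-do list
# above and checks that they took effect. Placeholders: /dev/ad0s1d,
# user "admin", address 203.0.113.5. Sample mount output is constructed.

# 1. /tmp beyond the sticky bit: mount it noexec,nosuid so a script dropped
#    there cannot be executed in place and no setuid binary can live there.
#    /etc/fstab line (a separate /tmp partition is assumed):
FSTAB_TMP='/dev/ad0s1d  /tmp  ufs  rw,noexec,nosuid  2  2'
#    Applied without a reboot: mount -u -o noexec,nosuid /tmp

# tmp_hardened MOUNT_LINE: 0 only if the line for /tmp from `mount`
# carries both noexec and nosuid. Real use:
#   tmp_hardened "$(mount | grep ' on /tmp ')"
tmp_hardened() {
    case "$1" in
        *" on /tmp ("*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *noexec*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *nosuid*) return 0 ;;
        *) return 1 ;;
    esac
}

# ssh bound to one address: the user@host form of AllowUsers in
# /etc/ssh/sshd_config. Both fragments below are constructed samples.
SSHD_BOUND='AllowUsers admin@203.0.113.5
PermitRootLogin no'
SSHD_OPEN='AllowUsers admin
PermitRootLogin no'

# sshd_allowusers_bound CONFIG_TEXT: 0 when an AllowUsers line exists and
# every user on it is pinned to a host (user@host); a bare user name fails.
# Real use: sshd_allowusers_bound "$(cat /etc/ssh/sshd_config)"
sshd_allowusers_bound() {
    printf '%s\n' "$1" | awk '
        $1 == "AllowUsers" { found = 1
            for (i = 2; i <= NF; i++) if ($i !~ /@/) bad = 1 }
        END { exit (found && !bad) ? 0 : 1 }'
}

# 2./3. Log watching and rootkit checks come from the ports tree
#    (security/logcheck, security/chkrootkit, security/rkhunter; port names
#    as I know them, not from the post). Whether they are installed:
#      pkg_info | grep -E '^(logcheck|chkrootkit|rkhunter)-'

# Stand-alone run on the constructed mount lines.
MOUNT_DEFAULT='/dev/ad0s1d on /tmp (ufs, local, soft-updates)'
MOUNT_HARDENED='/dev/ad0s1d on /tmp (ufs, local, noexec, nosuid, soft-updates)'
for line in "$MOUNT_DEFAULT" "$MOUNT_HARDENED"; do
    if tmp_hardened "$line"; then echo "ok:   $line"; else echo "WEAK: $line"; fi
done
if sshd_allowusers_bound "$SSHD_BOUND"; then echo "ok:   ssh bound to an address"; fi
if ! sshd_allowusers_bound "$SSHD_OPEN"; then echo "WEAK: AllowUsers without a host"; fi
```

Note that noexec on /tmp stops a dropped binary from being run directly, not a script fed to an interpreter ("sh /tmp/x"), so it raises the bar rather than closing the door; the session files in the listing above would still be written there, since PHP only needs write access.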

I bookmarked several security guides; they all look very good:
Hardening FreeBSD
FreeBSD Security Guide
FreeBSD Security
Security Checklist


Category : Security

Posted by FreeBSD Newbie at August 7, 2005 10:15 PM