1. The attacker used a vulnerability in SMF version 1.1.12 (the forum software that was in use when it happened).
2. The attack was led from Russia
3. The attack consisted in adding an iframe to each and every page of the forum. The iframe led to a remote site.
4. The remote site hosted an exploit for IE and an exploit for Firefox (both benign if an up-to-date version of the browser was used).
5. Avast was able to block the IE exploit directly, and also blocked the EXE that was downloaded by means of the Firefox exploit
6. This suggests that it was not a targeted attack (specific to avast forum) - it would be hard to believe that the attacker wouldn't have checked that the malware was undetected by avast
7. It took us about 12 hours to clean the forum and restore it to the original state (Saturday August 26). We also upgraded the forum software to the latest version (which has the vulnerability fixed). Unfortunately, the initial cleaning attempt wasn't perfect so the attacker, in a much smaller extent, was able to carry out another attack a couple of days later. This time, it was quite an easy (and quick) "fix", though.
8. No data was lost from the forum database
9. It is hard to say if the attacker stole any data from the database. It seems unlikely, but unfortunately, it cannot be guaranteed. That would mean mainly the email addresses (the passwords are not stored in the db - just their hashes).
10. It was a good lesson for us. We apologize for any inconveniences this might have caused to you.
Cheers
Vlk