Thanks for the pointers guys. This is just what you need on a Wednesday!
Would have found the first exploit earlier, but the provider had just rolled the raw access log into the site stats system.
As we have all the data, I'm reading lots to make sure I dont break anything more important to us while upgrading the phpbb stuff.
Lippy