Showing up in my members online was a "blank" user. All registered users have names and my host confirmed this person logged in as Anonymous.

I've changed my $prefix & $user_prefix but not sure if this will stop them from getting in again?

They were running some sort of external script that pretty much crashed my server for a while. My host said "was like someone was trying to run some script on it and used up ALL the server's memory several times over...like a hundred times"

Is there anything else I can do to stop this?

a blank user does not necessarily mean a hacker ... its been discussed many a time ... its a sessions issue.

Ok, I can agree to that, however when my host see's that our server is pretty much done for due to a script being run through/out of my portal and there's an blank user showing up in the members list and my stats tell me there's been over 900 MB of something going on by an "other/anonymous" login.. kinda makes me wonder

check your server logs to see who that latest visitors are and run the IP's and see if they turn up anything interesting.

Found the culprit in Macedonia - DDOS attack used my site as server entry point to put a script (udp.pl) on the server. Filter is in place to stop that particular script again.

Is this a Dragonfly issue?

It was my dragonfly issue only due to the fact that I wasn't aware that I needed to change the $prefix & $user_prefix during install until I started searching through security info around here today. So now I'm trying to work out problems after changing those.

Doesn't make sense - DDOS shouldn't get your site hacked, just severely slowed down. They can't even brute force your admin password unless they guess it within 5 attempts.

It does depend on what non-core Dragonfly "add-ons" you have.

and what file did they find that udp.pl had been uploaded by?
have you seen this

I hear what you're saying Phoenix, and I agree.. there didn't seem to be any damage done to my site. The problem being that the guy entered through my site - used my site as his doorway to the server.

Biggest question is where did he get in. Which is what brought me back here looking for security info and me coming across the $prefix changes.

It is just plain absurd - Anonymous cannot login, regardless of what you or your host may think.

"Our records do not indicate an existing user named Anonymous"

And a blank user gives you this,
"Our records do not indicate an existing user named"

well.. I'm just saying what the server logs reported Phoenix, not out to start anything. I'm just trying to find out how to lock my site down or at least make it a whole lot harder for anyone to gain unauthorized entry.

Then perhaps you better read what Akamu posted and chase that up because that is the more likely cause.

sure thing

Phoenix wrote:

Then perhaps you better read what Akamu posted and chase that up because that is the more likely cause.

Thats most likely the cause

There have been two (2) scripts going around targeting php vulnerabilites.
Yours has the tell tale signs of one of them.

Not a Dragonfly issue in my opinion