A few months ago someone managed to insert a line of code into a page at Transvigor.  It made me really paranoid about security, andn so I've been very good at installing new updates for both Wordpress and phpBB.  She Grew! runs on the latter.  

Then this morning: I think we're OK.

Well, if it's a worm then it's similar to what I've been cautious about.  What BB is he running?  Sometimes one coder will take an existing worm, trojan script or virus and then simply alter it a bit, change the name and set it loose again.  

The way these things work is that they cross-script themselves onto the server, and then they use the server to do web searches for other servers running the same application suite that the worm used to get onto the first one.  In my case it's phpBB v2.  The phpBB people put out a fix in August or so, and then another in October and another a few weeks ago.  The first fix was sufficient, really, but they've made the code pretty much airtight since then.

They're the evolutionary process, Dave.  Without these kinds of challenges, OS security and industry standards and practices wouldn't improve, and would be vulnerable to a person with truly malicious and criminal motives.  

If you run a site, part of the responsiblity of that is making sure you follow and install updates.  And updating server code isn't always that easy - it assumes a much higher level of competence than updating run of the mill consumer software.