Close holes in website security.

YOU NEED HIGH PHP/SERVER SECURITY EXPERIENCE! I want to close some security holes I have on a website. The site is run a unix dedicated server. The site uses Password Sentry software [login to view URL]://[login to view URL] to log and suspend users. The site uses security image+user+pass and no request is send to .htpasswd file if image is not correct so not possible to bruteforce using software from what i was told by the owner of the software. The site uses CCBill password adding/deleting/updating services. I want to find out why I keep getting russian people inside my members area who knows my customers login. I have some PHP files that updates counters and a updates page in the free area. I have a forum Vbulletin version 3.6 (was moved to another server to see if that was the source of maybe some php injection but it continued so it is not the forum) Password sentry software has gone thru their setup and scripts and can not find anything in their scripts that would allow anoyone to find logins. ftp login has been changed 4 times but dont help. phpmyadmin folder has been renamed to yhoign5th3q98oieo53qhie So we can exclude these 2 options. Your job: You need to find the holes and close them! Dont bid if you have no security PHP/unix experience. There is 1 or more holes for sure and i need them closed for good.