2
This is a rare bird indeed. Some common questions before the community elaborates further; if I may.
Are you on a shared computer?
Is it possible that someone who has access to your computer might be playing around with things they shouldn't? Kids, brother or sister etc. Also, stored password in your FTP client can allow others access to your entire site. Shared computer requires extra strong vigilance on your part in terms of locking down and securing your applications, files and web access points.
Are you using a common password?
Is your password unique in that it is not one of your standard catch-all passwords that you use for everything else?
Have you deleted your install/upgrade files and folders?
It is very important to delete this scripts, as anyone who can access these can gain access to your XOOPS system.
Have you set your permissions correctly?
Make sure that your files are chmoded correctly during bash installs, through SSH or through your FTP client.
Are you the only webmaster user in the webmaster group?
Be sure that you are the only person with this special kind of group access. Create specific groups for your web management needs if you need more then one person to maintain your site.
These are but just a few of the very common things I can think of. Cookies are not an issue from my point of view, but delete them anyhow. Also, if you have enabled the autologin feature for your site, I strongly recommend disabling it. This would have required un-commenting code in specific core files, so it's not something that is automatic and you would know if you enabled this less secure, but freely available feature.
I'm not asking these questions because I think that you are new to your environment. In order to maintain this post I am trying to help in avoiding possible questions from others in the community that may seem alarmist due to knee jerk reactions.
Your situation is nearly unheard of with Xoops, and common security related issues are almost immediately remedied when spotted. It's possible that you may have stumbled upon something based on a rare set of server configuration circumstances.
More advanced users in the community may ask what sort of specs your site/webhost is running on, such as mySQL version, PHP info, server environment, etc etc, so have that ready when asked so that we may all benefit from this experience.
Once all possibillities that XOOPS being at fault has been eliminated, it may neccessary to contact your Webhost for server logs. Speaking of which, go through your own RAW FTP/Web logs and compare the times and IP addresses. If your site is at risk, your webhost could be at risk as well and it may be prudent to keep them in the loop if needed so that they may take the proper steps neccesary to secure their servers.
This post is for the benefit of everyone, so what ever information we all gleam from this is important and worthy of reading.