Apparently there is a way to exploit rcon in cod4/mw2 servers where the hacker is able to retrieve the server.cfg file remotely and then in turn get the rcon password. Then they can do whatever they want. Here is my solution to that problem.
1) Take your server down
2) change your rcon password in the server.cfg
3) rename your server.cfg file to something else (ex. 213456789.cfg)
4) edit your shortcut so it says exec 213456789.cfg instead of server.cfg
5) start up the server. the hacker will need to know the file name of the config, which will be nigh impossible to guess. After doing these steps the hackers stopped attacking my servers.
Reply below if you used this method and are still having problems!