No what have posted is not probably not vulnerable to sql injection. Although getwhere() could be doing a stripslashes(), I'm not sure.

Its likely that if there was SQL Injection that it is in another part of your application. The attacker could use this vulnerability to obtain your extremely weak md5() hash, crack it, and then login. Use any member of the sha2 family, sha-256 is a great choice.

If your site has been defaced then I seriously doubt that it is sql injection. Its difficult to automate the exploitation of sql injection to deface websites, but it is possible. I would make sure that all libraries and installed applications are fully updated. Especially if you have a CMS or forum. You could run an OpenVAS scan against your site to see if it finds any old software.

Database

Judging by your code I see you're not using the lastest CI version (2.0.2 as of 06/12).

As stated in the changelog the getwhere() function (which is now called get_where()) has been abandoned as for version 2.0.
As for everty application out there you're strongly suggested to upgrade your current version, as there has been a lot of bugfixes in the meantime and you should always rely on the safest version available.

mysql_real_escape_string usually is considered 'enough' to give a good level of safety in your queries, but as it happend to its predecessor (mysql_escape_string) it isn't 100% safe against all kind of attack, so relying interely on that is not the best practice around. Although safe, there are still attacks that can go past this filter.
Check, among the many, this question on SO for further information about this.

In codeignier: If you were developing your custom application, I'd suggest you to at least use the mysqli extensions or, better yet, the PDO class; prepared statements are undoubtely safest and should be favoured over everything else.

But we are in the framework context, and Codeigniter comes with 3 great ways of safely querying your database, applying the right tool to the right input without you having to worry about that. I'm talking about query bindings and manual escaping with $this->db->escape() family and the Active Record Class
You can find examples of use at the urls I just linked, or read the answers from other peers here, so I won't go into the details of each procedure in this post.

Password

Regarding your password, as already stated by other users, md5() is a now flawed hashing alghoritm. There are rainbow tables out there that can crack your md5 password in a relatively short amount of time, so you're better off with higher security level hashing algorhytms, like sha1() or sha256, sha512, and other

In codeigniter: Codeigniter comes with a security helper class, which provides you with a handy function, do_hash() (might be dohash() in your older installation), which can be given the hashing alg. as paramter (currently I think it supports only md5 and sha1) and defaults to sha1() anyway.

Other observations

I'm not entirely clear on why you blame your login for your SQL injections. Are those the only 2 forms in your whole application?
You dind't provide the info to tell if you use $_GET parameters or you follow the native URI segmentation, but I believe you're doing like this so I assume you're safe from this point of view.

You should make sure then that there's no other input form in your website which contains input going into the database, otherwise you can secure your login how much you want, but someone could penetrate through a backdoor and read from there your database table and get log into your website in a "legitimate" way.

Moreover, there can be other source of intrusion, like a compromized cookie for example. As a piece of advice, whenever you choose to use a framework (and you're doing yourself a bigger favour than developing from scratch and all by yourself) you should tend to use MOST of its features, expecially when it comes down to security. It's a huge and very delicate question, so you MUST give this topic your top priority, and a well developed framework, with a huge community and frequent updates is the closest to safety you can get.
Therefore, you're adviced to update your CI installation (guides can be found here in their manual. Choose your version and follow the instruction), always use the top tools you're given for each task, and don't think that barring your door will make you safe from an intrusion from your windows. Always check thoroughly and investigate all possibile causes.

Late Addendum: Don't forget XSS, CSRF, session fixations, and other hot security problems.

Have a look at this old SO question.
I would use:

$sql = "SELECT * FROM users WHERE username = '?' AND password= '?'";
$dbResult = $this->db->query($sql, array($this->input->post('username')),array($this->input->post('password')));

If this is an ongoing hack, then seriously consider putting some logging in place to record the username/password in a file somewhere. If it is an sql injection via this login snippet, then it would show up in this new log file somewhere. And while you're at it, if you can, log the generated SQL query as well.

In any case, remember that mysql_real_escape_string() only covers mysql's metacharacters: single-quote, double-quote, semi-colon, etc... It is still entirely possible to hack the login function via mangling of a boolean parameter. Impossible to say if your "getwhere" function is vulnerable, but consider the case where the submitted password is "xyz OR (1=1)". The generated query might end looking something like

 SELECT id FROM users WHERE users=someusername AND password=xyz OR (1=1);

Perfectly valid query, and has also passed through mysql_real_escape_string intact because it didn't contain any of the critical metacharacters.

It's my understanding that Active Records will properly escape the values for you. So, with $query = $this->db->getwhere() you do NOT need to use mysql_real_escape_string().

But, you should always use some sort of Controller validation. In particular, you can limit the username and password to certain characters via a regular expression. This is always suggested.

Furthermore, if you are getting hit with typical attacks often then look into using PHPIDS. It's an Intrusion Detection System that will help you prevent the attacks from actually causing any damage, as you can thrown an error or notice of some sort.

You may also wish to view this tutorial on Security issues. http://net.tutsplus.com/tutorials/php/codeigniter-from-scratch-security/

If all your functions and accessors do what their names seem to suggest, then this script is not vulnerable to SQL Injection.

As for whether you are using mysql_real_escape_string properly... yes and no. Yes, you have the right idea, but you're actually using it excessively. If you MD5 the password, then that input is now clean and can't be used for injection, so the mysql_real_escape_string call is superfluous. So this would be fine:

$username = mysql_real_escape_string($this->input->post('username'));    
$password  = MD5($this->input->post('password'));

As previously mentioned, MD5 is a rather weak hash algorithm by itself. Look into SHA and salting a hash.

To counter a previous answer posted, if a user inputs "xyz OR (1=1)" as a password, that poses absolutely no threat to his script for two reasons.

1) MD5 hashing would convert that to a harmless hash (e.g. 'd131dd02c5e6eec4693d9a0698aff95c'), making the query something along the lines of SELECT id FROM users WHERE users='username' AND password='d131dd02c5e6eec4693d9a0698aff95c';

2) mysql_real_escape_string prevents 'string' injections, that is injections that would require a single or double quote to break out of the expected SQL query, but does not prevent (for example) injection with numerical input, which you would need to use type-casting to block.

Everything is really contingent on your "$this->db->getwhere" call. If that just builds the query normally without doing anything funky (like stripping quotes, or treating strings as integers [which would throw an error anyway], etc) you are simply not vulnerable in this script. If you could give more details on the 'type' of hacking you've experienced, we could probably give you some guidance where to look. Were you defaced?

I haven't played with CodeIgnitor, but expect that their built in input/database functions wouldn't do anything weird like that - so unless you edited the getwhere function yourself, you're probably fine in this particular spot.

The code you provided is not vulnerable for SQL injection, but you should never put passwords into queries, not even hashed, because you cannot be sure if the query is saved to the server's log or not, and you usually don't have control about who can have access to that.
Query/load the user's record by username, and then compare the hash of the password in $_POST to that.

The code seems to resistant to injection attacks. You are taking md5 of password field which leaves out any injection attack on that field. The vulnerable field is username which you are escaping anyhow. Are you sure that this is an injection attack?

Is there any other field like access_token fields passed along to prevent CSRF

Following are probable causes of strange behavior:

• You are using mysqli driver in database config and escaping string according to mysql lib. Try providing $this->db->conn_id as second parameter to mysql_real_escape_string and check your php logs for warnings.
• mysql_real_escape_string needs connection link identifier as second parameter. If you don't provide it you will experience strange behavior. I have suffered this with codeigniter. In my case mysql_real_escape_string was returning empty strings. If the case is same with you, check that you don't have empty passwords and usernames in your users table (very less probable).