First, there are files injected into this dir:
${ubbthreads}/images/forumimages/default
-rw-r--r-- 1 x x 23 2011-12-18 12:09 exploit.conf
-rw-r--r-- 1 x x 993 2011-12-13 11:56 cons.php
-rw-rw-rw- 1 x x 40756 2011-11-19 16:06 admin_2011.php
-rw-r--r-- 1 x x 77035 2011-09-23 00:06 gold.php
-rw-rw-rw- 1 x x 34 2011-09-15 16:28 config.php
And then, I notice a lot of 'POST action' to admin_2011.php, modifying includes/header.php and includes/footer.php.
That's why there's another thread complaining about unwanted Google Ads being shown.
I think the UBBT team should take action ASAP!
Most important of all, find out how these PHPs are injected into the directory; are there any exploits within? (7.5.6p2)
By the way, the attacking IPs are from China: 118.253.12.77, 101.226.33.201
If admin needs these exploit files, just tell me.
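
An added example, not part of the original post: one way to pick the pattern described above (POSTs to PHP files sitting in an image directory) out of a web server access log. It assumes the combined log format and a hypothetical /ubbthreads URL prefix; the sample lines are constructed, and the check generalizes to any script served from a static-asset directory.

```python
import re
from collections import Counter

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Directories meant for static assets; nothing executable belongs in them.
STATIC_DIR_RE = re.compile(r'/(images|uploads|attachments)/', re.I)
SCRIPT_RE = re.compile(r'\.(php\d?|phtml|phar)$', re.I)

def suspicious_requests(lines):
    """Yield (ip, method, path, status) for script requests inside static dirs."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if STATIC_DIR_RE.search(path) and SCRIPT_RE.search(path):
            yield m.group("ip"), m.group("method"), path, int(m.group("status"))

def summarize(lines):
    """Count POSTs the server actually served, per (client IP, script path)."""
    hits = Counter()
    for ip, method, path, status in suspicious_requests(lines):
        if method == "POST" and 200 <= status < 400:
            hits[(ip, path)] += 1
    return hits

# Constructed sample lines (documentation-range IPs, hypothetical URL prefix);
# only the file names come from the directory listing in the post.
D = "/ubbthreads/images/forumimages/default"
SAMPLE_LOG = [
    f'203.0.113.10 - - [18/Dec/2011:12:01:00 +0000] "POST {D}/admin_2011.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.10 - - [18/Dec/2011:12:01:09 +0000] "POST {D}/admin_2011.php?a=edit HTTP/1.1" 200 730 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - [18/Dec/2011:12:02:00 +0000] "GET {D}/gold.php HTTP/1.1" 200 7703 "-" "Mozilla/5.0"',
    f'192.0.2.5 - - [18/Dec/2011:12:03:00 +0000] "GET {D}/newfolder.gif HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [18/Dec/2011:12:03:05 +0000] "POST /ubbthreads/ubbthreads.php?ubb=login HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - [18/Dec/2011:12:04:00 +0000] "POST {D}/cons.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (ip, path), count in summarize(SAMPLE_LOG).most_common():
        print(f"{count:4d} POSTs  {ip:15s} {path}")
```

Any hit is worth a look on its own, since an image directory has no reason to serve PHP at all; the POST count only helps rank which file is being actively used.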