I often find a file inserted into the root directory of my forum and it's titled something like this:

"5a29c72470e92aa04d38589f1d49262d"

And it contains this code:

180.76.5.111|180.76.5.180|66.249.73.39|123.125.71.100|60.169.78.52|180.76.5.151|180.76.5.187|180.76.6.212|157.55.32.105|180.76.5.51|180.76.5.48|180.76.5.149|49.212.172.234|91.224.246.104|91.121.1.146|112.123.169.28|180.76.5.168|180.76.5.66|180.76.5.55|180.76.5.99|180.76.5.190|

Looks harmless enough, however, each site that contains this file shows that it is infected when I run it through securi.net.

If I delete the file, it comes right back.

I've been finding this in various sites across different servers that are not connected to each other.

Ideas?

180.76.5.x is Baidu, if I recall correctly, it's a search engine spider that doesn't like to obey crawling rules... But it's not the problem here... Your site has been compromised...

You need to run the php/cgi protection, and you need to upload a completely fresh copy of all IP.Board and any app files...

Also, run the tools to search for security threats in the ACP... ACP > Security center... If it returns a file that doesn't look right, ask us and we'll tell you if it's safe to remove...

But you need to upload a FRESH copy of your board files before you do that... Something may have been injected in your core files that could trigger a security alert.

This is a symptom of your site being compromised. The malicious code that is inserted or present on your server is sending bad HTML to each visitor who requests the page (i.e. a redirect to a malicious site, or an attempt to download a virus), and logging the IP address so that the malicious code is not sent to that visitor again until the next day (which makes it harder to track/test the problem).

I would recommend having your host scan your site for any malicious files. You can also submit a ticket so that a technician can provide you with steps to clean your site out.