Yesterday I cleaned my Fivedev server completely, set up a new phpVMS install, deleted the ofc_upload_image.php and reinstalled my skin and stuff from an old backup.
Today I realised that on the same day some modifications were made on the server again. For example, I found a new tmp-uploade-images folder on my server. So if what you are saying is true and that is not part of the original installation, it looks like just deleting the ofc_upload_image.php does not do the trick. Also, some other files on my server with a modification date of this morning (when I did not do anything) look suspicious. The difference, this time, is that the site is still working.
Would you say that I should shut down everything again, erase all data and wait until a new phpVMS version is valid? I have the backups, so no data will be lost, and I don't want to do this sh... again and again...
Edit: This is what I find in /access-logs/goldenghanavirtual.org (just a short part of it, repeats several times from different IPs):
Does that mean they TRY to hack the site again, or does it mean they already HAVE access? Note that ofc_upload_image.php had already been removed from the server by that time.