I would like to see your raw access logs if you wouldn't mind. Or the gif.
Side question - Do you have anything else installed in this web account? Not that Sourcebans is very flawed anymore, Peace-Maker and his team have continued to patch injections, but I've found moving sourcebans off-site has helped my main forum keep more secured. During a hacking incident with our community the hacker was able to create a c999shell, which gave him complete file and database access.
By doing most of the website modifications myself, I was able to find his backdoors knowing what was supposed to be where in both the forum software, and then comparing with sourcebans. I would have no problem looking over your logs, or your website if this problem persists. Just let me know.