The attacker is most successful when they do not arouse suspicion, and so if they put a file named "settings.php" in a cache folder you naturally assume it is designed to be there. But does cache have settings? And why is it in a separate file and not a main control panel?
The second seems even more likely to be fake, and so I look up "ips_kernel" on my favourite flavour of search engine and find it is a folder within Invision Power Board, and that in a directory listed on their site of that folder (of at least IPB 3.3.0) there is no file named classKernel.php.
If someone sees "ips_kernel" and understands it is part of their system, and then sees classKernel (which is similar to the actual classDb file in there belonging to IPB) it would probably fly past the webmaster, and that is the hope of the attacker.
Remember, you often have to think like a criminal to beat one. If they put "backdoorlulz.php" in every folder, it will surely be found and removed faster.
I did, it still detects it.
This is because your antivirus has a signature-based detection for these malicious backdoor scripts, and only needs to store some common samples of the entire file to realise it is the backdoor file. If someone changes one line, it will still detect it, which is the idea behind the antivirus having heuristics to be useful to the end-user so that it is harder for people to obscure malware.
If you are worried about the two files being important, quarantine them if possible; however, they are very unlikely to be part of the system.
You have to then realise that the files were placed there somehow, not magically, either through shell/FTP/web panel access (change all of your passwords immediately!) or through a vulnerability in not only IPB, but one of the software packages you may have installed on your server beside IPB, and the unfortunate possibility remains that if you are using shared hosting that someone had compromised the main underlying system and had infected everybody indiscriminately.
Edited by Alexander, 02 November 2014 - 10:16 AM.
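The check described in the post (comparing what is on the server against the vendor's own file listing) can be automated. The following is an added example, not part of the original post or of IPB: it assumes you have unpacked a clean copy of the same release next to the live site, and the `DATA_DIRS` list and sample trees are constructed for illustration.

```python
import os
import tempfile

# Assumption: these top-level folders hold data only, so a script there is suspect.
DATA_DIRS = ("cache", "uploads")
SCRIPT_EXTS = (".php", ".phtml", ".php5")

def rel_files(root):
    """Yield every file under root as a '/'-separated relative path."""
    for base, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.relpath(os.path.join(base, name), root).replace(os.sep, "/")

def unexpected_scripts(live_root, clean_root):
    """Scripts on the live site that the clean vendor copy does not contain."""
    manifest = set(rel_files(clean_root))
    findings = []
    for rel in rel_files(live_root):
        if rel in manifest or not rel.lower().endswith(SCRIPT_EXTS):
            continue
        top = rel.split("/", 1)[0]
        reason = "script in data-only folder" if top in DATA_DIRS else "not in vendor release"
        findings.append((rel, reason))
    return sorted(findings)

def _make_tree(root, rel_paths):
    for rel in rel_paths:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample\n")

def demo():
    # Constructed trees; names follow the post (classDb's .php extension is assumed).
    clean = ["index.php", "ips_kernel/classDb.php", "cache/index.html"]
    live = clean + ["cache/settings.php", "ips_kernel/classKernel.php"]
    with tempfile.TemporaryDirectory() as clean_dir, tempfile.TemporaryDirectory() as live_dir:
        _make_tree(clean_dir, clean)
        _make_tree(live_dir, live)
        return unexpected_scripts(live_dir, clean_dir)

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

This only catches files that were added. A legitimate file that was modified in place keeps its name, so finding that requires comparing file hashes against the clean copy as well.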