I'm a web developer, but a bit of a newbie in this sense, and I'm the only person we have. Essentially, just today, at my job, I discovered a virus which has been prepending many random PHP files with something along the lines of `eval(_HEADERS["X-Foobar-Baz"])` through about 100 layers of obfuscation (base-64, rot-13, gzip, it has it all; btw, to virus authors: it takes about 5 seconds to decode all this), so that anyone can remotely execute whatever PHP they want. After some deep diving, it seems this has been on the server even longer than I've been working here! Over a year now, but with very little activity, until now. I only discovered it because it just now modified our main index.php file such that it appears fine to us, but delivers a completely different site to anyone else. Google claims our website is completely different to what we see (still not fully sure how they pulled that off). Very clever attempt, honestly!
Anyway, the index.php has simply been recovered from backup, but this server has so many random PHP files just lying around, and any of them could be compromised at this point. I have disabled all SSH and FTP access for now, until further review. When I discovered this, I immediately blocked any access to all websites on our server by telling htaccess to "deny to all". I manually verified a few PHP files (which I had written before, and which had been overwritten by the virus, but were now restored), and then allowed them in as exceptions in the htaccess, so that at least a small portion would function. I do not know if this is enough. I have checked all cron jobs; there are none related that could be spreading this. Nor are there any related running programs at the moment; I believe it only ran PHP scripts when the exploited PHP files were run, but due to the nature of the virus, there are no logs of exactly what it ran. There are some logs in the error_log, but they're not very helpful.
We have no real full backups that are older than the time I believe this started. I'm told I can't exactly go around deleting everything (even though I'd love to just wipe most of it; most of it isn't even used anymore). But I mean, they could've done anything. They have had complete control over this server for over a year now. I feel like I've simply already lost. Just looking for any advice. Thank you.
Edit: As a fun fact, after this happened, the virus modified the error.php to always return 200, and Google then indexed 900k URLs that don't exist. Yes, 900k different URLs. Almost all of our bandwidth went to Googlebots indexing 900k sites that don't exist.
Subreddit: r/AskNetsec
Posted: 9 months ago
Reddit URL: reddit.com/r/AskNetsec/c...
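The post describes two things a responder needs to find across "so many random PHP files": the header-fed `eval()` hidden under stacked base64 / rot13 / gzip layers, and the cloaking logic that shows Googlebot a different site. Below is an added example of a triage scanner for exactly that; it is my code, not the poster's or anything from the thread. It assumes the backdoor reads the header as `$_SERVER["HTTP_X_FOOBAR_BAZ"]` (the post only gives a rough form), the list of suspicious PHP calls and the 0.9/0.7 printable-text thresholds are my choices, and the infected sample it runs on when given no path is constructed inside the script.

```python
"""Triage scanner for layered PHP backdoors like the one in the post: an eval()
of an attacker-supplied HTTP header buried under base64 / rot13 / gzip wrappers.
Added example, not the poster's code.  Assumed: the backdoor reads the header as
$_SERVER["HTTP_X_FOOBAR_BAZ"] (the post gives only a rough form); the sample
infected file is constructed for the demo."""
import base64, codecs, gzip, os, re, sys, zlib

# PHP calls nearly every layered webshell uses, plus the header / user-agent
# lookups behind "eval a header" and "show Google a different site".
SUSPICIOUS = re.compile(
    rb"\b(eval|assert|create_function|base64_decode|gzinflate|gzuncompress|"
    rb"""gzdecode|str_rot13)\s*\(|\$_SERVER\s*\[\s*["']HTTP_(X_|USER_AGENT)|"""
    rb"getallheaders\s*\(|googlebot", re.IGNORECASE)
# A decoded layer containing one of these is PHP: stop peeling there.
PHP_TOKENS = re.compile(
    rb"<\?php|\beval\s*\(|\$_(SERVER|GET|POST|REQUEST|COOKIE)\b|getallheaders\s*\(")
# Quoted literals long enough to hold an encoded payload (quotes are not in the class).
STRING_LITERAL = re.compile(rb"""(['"])([A-Za-z0-9+/=\s]{40,})\1""")
INNER = b'eval($_SERVER["HTTP_X_FOOBAR_BAZ"]);'  # assumed backdoor body (constructed)

def printable_ratio(b):
    return sum(32 <= c < 127 or c in (9, 10, 13) for c in b) / len(b) if b else 0.0

def rot13(b):
    return codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1")

def try_base64(b):
    """Strict decode: None unless the whole blob is valid, correctly padded base64."""
    s = re.sub(rb"\s+", b"", b)
    if len(s) < 16 or len(s) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", s):
        return None
    return base64.b64decode(s, validate=True)

def plausible(b):
    """Keep a decoded layer only if it is compressed data or mostly text; this
    rejects the garbage you get by base64-decoding a rot13'd base64 string."""
    return (b[:2] == b"\x1f\x8b"                                                # gzip
            or (len(b) > 1 and b[0] == 0x78 and (b[0] * 256 + b[1]) % 31 == 0)  # zlib
            or printable_ratio(b) > 0.9)

def peel(blob, max_layers=200):
    """Undo base64 / rot13 / gzip / zlib / raw-deflate wrapping outermost first,
    as PHP would at run time, until the data reads as PHP or nothing applies.
    Returns (payload, [layer names in the order removed])."""
    layers = []
    for _ in range(max_layers):
        if PHP_TOKENS.search(blob):
            break
        nxt = name = None
        if blob[:2] == b"\x1f\x8b" or printable_ratio(blob) < 0.7:  # gzencode()/gzcompress()/gzdeflate()
            for wbits, candidate in ((31, "gzip"), (15, "zlib"), (-15, "deflate")):
                try:
                    nxt, name = zlib.decompress(blob, wbits), candidate
                    break
                except zlib.error:
                    pass
        if nxt is None:                                   # base64_decode()
            dec = try_base64(blob)
            if dec is not None and plausible(dec):
                nxt, name = dec, "base64"
        if nxt is None:                                   # str_rot13(), only if it unlocks a layer
            rot = rot13(blob)
            dec = try_base64(rot)
            if PHP_TOKENS.search(rot) or (dec is not None and plausible(dec)):
                nxt, name = rot, "rot13"
        if nxt is None:
            break
        blob, layers = nxt, layers + [name]
    return blob, layers

def scan_bytes(src, path="<bytes>"):
    """Findings for one PHP source: suspicious calls, plus (layers, payload[:120])
    for every long string literal that peels down to executable PHP."""
    markers = sorted({m.group(0).decode("latin-1").lower() for m in SUSPICIOUS.finditer(src)})
    decoded = []
    for m in STRING_LITERAL.finditer(src):
        payload, layers = peel(m.group(2))
        if layers and PHP_TOKENS.search(payload):
            decoded.append((layers, payload[:120]))
    return {"path": path, "markers": markers, "decoded": decoded}

def scan_tree(root):
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".inc")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    result = scan_bytes(f.read(), path)
                if result["markers"] or result["decoded"]:
                    yield result

def build_sample():
    """Constructed infected file: INNER wrapped gzencode -> base64 -> str_rot13 ->
    base64 and prepended to otherwise normal PHP, as the post describes."""
    blob = base64.b64encode(rot13(base64.b64encode(gzip.compress(INNER, mtime=0))))
    return (b'<?php eval(gzdecode(base64_decode(str_rot13(base64_decode("' + blob
            + b'"))))); ?>\n<?php\necho "site content";\n')

if __name__ == "__main__":  # python3 triage.py /var/www ; no argument = scan the constructed sample
    for hit in (scan_tree(sys.argv[1]) if len(sys.argv) > 1 else [scan_bytes(build_sample(), "sample.php")]):
        print(hit["path"], hit["markers"])
        for layers, payload in hit["decoded"]:
            print("  peeled", " > ".join(layers), "->", payload.decode("latin-1"))
```

Run it over the whole document root, not just the files already known to be touched; every hit is a candidate to diff against a backup or vendor copy, and a file with no hit is not thereby proven clean, since a backdoor can also hide in a PHP include under a non-PHP extension or in code the scanner does not recognise. Note that a header-fed `eval()` leaves no trace of the executed code in a default access log; if the server stays up while you investigate, Apache's `%{X-Foobar-Baz}i` LogFormat directive (or the equivalent in nginx) is what records the actual payloads being sent.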