I had the same thing happen to me, but I am on GoDaddy shared hosting, which I guess is the same as the situation where you own or control your own server. Of course I got a canned reply from GD, to which I complained. They never admit anything.
Here is what I found. Yes, a base64_decode( is involved, but not in all PHP scripts. I found only certain names that are standard, like index.php, footer.php, and template.php. I host about 11 other domains on my account. From my “root” directory down, all the above files were hit. As I told GD, I use no third-party applications and no user parameters in PHP that need to be cleaned. I have no client interfaces anywhere for uploads or logins or anything of that nature. It is all static.
It was easy for me to fix, but they will be back, I’m sure.
Told GD this: “If your server (it is not mine) gets compromised such that a hacker can access all virtual accounts hosted on the shared host, then it falls into your area of responsibility. I cannot control the other shared accounts. It is up to you to harden it such that it cannot occur.”
All the files had the same timestamps or very close. From this I discount FTP entry. That would take too long.
They read these PHP files, and as soon as they hit the PHP ending mark “?>” they wrote their code. Have a copy. They check for certain bots like Google, Yahoo, Bing, etc. and don’t execute their code. The code is made to look like analytics-type code, and their native language is not English.
The only way I can see that they can do this is to “own” the root of the whole server. How? I don’t know. Try to tell that to GoDaddy.
From my history backup files I see that it occurred March 25 at 12:51 (MST I believe) and again March 31 at 02:41 MST. On the second intrusion the decode info changed. Checked my logs for those time periods and see nothing.
Now they send your user to this base64_decode( URL, where they try to inject malware. This staging area must supply different places to go for the malware, because sometimes it does not work because that site may be fixed or disappeared. The few that I saw or checked had all been created recently. Must be throwaways. Same type contacts
I also noticed on the scripts that were modified that the permissions were also changed to group rw.
I do nothing in PHP except a standard include “xxxxx.php” for the same code.
I had it easy compared to some of the posts I see here.
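The post above describes three traits of the tampered files: an extra PHP block appended after the original closing “?>” that calls base64_decode(, permissions widened to group-writable, and modification times clustered within a few seconds of each other across many files. The following Python scanner is an added example written for this thread, not code from the poster or from GoDaddy; it checks a directory tree for exactly those traits and groups hits by modification time so a scripted mass write stands out. The sample files it creates (index.php, footer.php, template.php, about.php) and their contents, permissions and timestamps are constructed for the demonstration.

```python
"""Scan PHP files for the injection pattern described in the post:
a second PHP block appended after the first closing "?>" that calls
base64_decode()/gzinflate()/str_rot13(), group-writable permissions, and
modification times clustered together. Example code for this thread;
file names, contents and timestamps below are constructed."""
import os
import re
import stat
import tempfile

# Each "<?php ... ?>" block (or an unterminated trailing block).
BLOCK_RE = re.compile(r"<\?(?:php)?(.*?)(?:\?>|\Z)", re.S)
# Decoding calls typically used to hide an appended payload.
OBFUSCATION_RE = re.compile(r"\b(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)

# Constructed samples: a clean static include and the same file with an
# "analytics"-looking block appended after the original closing tag. The
# payload string is a placeholder, not a real encoded script.
CLEAN_PHP = "<?php\ninclude 'header.php';\necho 'hello';\n?>\n"
INFECTED_PHP = CLEAN_PHP + (
    "<?php /* analytics */ "
    "if (!preg_match('/google|yahoo|bing/i', $_SERVER['HTTP_USER_AGENT'])) "
    "{ eval(base64_decode('PLACEHOLDER')); } ?>\n"
)


def scan_file(path):
    """Return the indicators for one PHP file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    blocks = BLOCK_RE.findall(text)
    st = os.stat(path)
    return {
        "path": path,
        "name": os.path.basename(path),
        "mtime": st.st_mtime,
        # Any block at all that decodes-and-runs something.
        "obfuscation_call": any(OBFUSCATION_RE.search(b) for b in blocks),
        # The decoding call lives in a block *after* the first "?>", i.e. it
        # was appended, which is the placement the post describes.
        "code_after_close": any(OBFUSCATION_RE.search(b) for b in blocks[1:]),
        "group_writable": bool(st.st_mode & stat.S_IWGRP),
    }


def scan_tree(root):
    """Return findings for every .php file under root that contains a
    decoding call, sorted by file name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                finding = scan_file(os.path.join(dirpath, name))
                if finding["obfuscation_call"]:
                    hits.append(finding)
    return sorted(hits, key=lambda f: f["name"])


def mtime_clusters(findings, window=120.0):
    """Group findings whose modification times are within `window` seconds
    of the previous one; one big cluster suggests a single scripted write
    rather than hand-edited uploads. Returns lists of file names."""
    ordered = sorted(findings, key=lambda f: f["mtime"])
    clusters = []
    for f in ordered:
        if clusters and f["mtime"] - clusters[-1][-1]["mtime"] <= window:
            clusters[-1].append(f)
        else:
            clusters.append([f])
    return [[f["name"] for f in c] for c in clusters]


def build_demo():
    """Create a temporary tree with constructed files and return its path."""
    root = tempfile.mkdtemp(prefix="phpscan_")
    base = 1_300_000_000  # constructed epoch timestamp for the "intrusion"
    samples = [
        ("index.php", INFECTED_PHP, 0o664, base),
        ("footer.php", INFECTED_PHP, 0o664, base + 7),
        ("template.php", INFECTED_PHP, 0o664, base + 15),
        ("about.php", CLEAN_PHP, 0o644, base - 86400),  # untouched file
    ]
    for name, body, mode, mtime in samples:
        p = os.path.join(root, name)
        with open(p, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(p, mode)
        os.utime(p, (mtime, mtime))
    return root


if __name__ == "__main__":
    demo_root = build_demo()
    for hit in scan_tree(demo_root):
        print(hit["name"], "appended:", hit["code_after_close"],
              "group-writable:", hit["group_writable"])
    print("mtime clusters:", mtime_clusters(scan_tree(demo_root)))
```

Point scan_tree() at a real document root instead of build_demo() to use it; on a static site of plain includes, any hit with code_after_close set is worth a diff against a known-good backup, and a cluster of hits with near-identical mtimes is the same evidence the poster used to rule out a slow interactive FTP session. Pair it with a check of the access and FTP logs for the cluster's time window.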