I recorded an intrusion on the site and discovered that some files have been added, as "style.php, 403.php" or added lines of code in a "config.php" file.
I'm using Moodle and I found some code also in a template files or on CSS.
The various codes added in various files are as follows:
$THEME->resources = base64_decode('Jm5ic3A7PGEgaHJlZ...
$THEME->resources = base64_decode('Jm5ic3A7PGEgaHJlZj0iaHR0cDovL3d
I used the command: ack-grep-w "base64_decode" | more
to find the lines of code, generally on PHP files.
Of course I changed all passwords and I deleted all infected files.
Why did it happen? I do not think that my passwords have been stolen.
What should I do to prevent it happening again?