I know there have been a lot of similar questions, but none of them covered this specific question:
I found on almost all PHP files on a clients server script injections, it was actually the script mentioned here: https://stackoverflow.com/questions/20658823/hacked-site-encrypted-code.
Now i know that it is difficult to pinpoint the point of entry, but there are a few facts that i am sure can make sense to someone better suited than me.
SITUATION
Almost alll PHP files were infected
There was a folder with some infected files in it but it did not have ANY permission for the FTP user which i am using to upload files to the server
Even files that are not publicly viewable or indexed by google were infected
in the non-indexed folder there were some files infected and some not. The ones that weren not infected were most likely never or very rarely called by anyone
QUESTION
Taking into account the aforementioned facts, is it likely that the whole server was compromised (apache, ...) or is it likely just an insecure PHP script. Would it even possible to see such a scenario when only a PHP script was abused?
Is it enough right now to just update the PHP scripts, remove the virus code and hope assume that the server itself is not compromised? (changing SFTP account credentials of course)
EDIT: COMMENTS ABOUT IT BEING A DUPLICATE
As i said before, i DID read the other posts, i do NOT need to know a course of action, i am just curious about the PHP files being modified inside of a folder that is NOT writable by the FTP user and if this is possible with a PHP script / MYSQL exploit or only if the attacker had an FTP pass or deeper server accesss.
