Hello,
We also had the same issue on our sites.
The impacted files were :
- controllers/front/AuthController.php
- controllers/admin/AdminLoginController.php
-
classes/Customer.php
- In getByEmail function
-
classes/Employee.php
- In getByEmail function
Also check the overrides
Malicious files were also injected in /modules directory (search for xsamxadoo / bajatax / .. )
And there was a new directory in root folder named xsamxadoo
Hope it'll helps
Edit : we also removed sampledatainstall and explorerpro modules