  #129  
10-25-2008, 04:05 PM
 
PuroPlacer
 

Advanced Member
  
Join Date: Jan 2007
Location: Marbella, Spain
Posts: 61
 

Re: Warning: Iframe based attacks using stolen FTP access info

God knows, I got the nightwatch guy, he says the following:

Support: I cannot rely on any personal opinion as it would be a huge debate, but the following methods are the most dangerous to use: exec, passthru, unescape, base64, eval
Support: I can see many methods used on your sites
Support: Also, PHP has developed safe_mode to prevent such issues, but it has been disabled due to the needs of the application


He seems to believe that this is a vulnerability in X-Cart... which would also seem most plausible to me, although I am not an expert on this stuff.
There were no logins visible from the other server that had been compromised a couple of days ago, either.
__________________
PuroPlacer
X-Cart version
X-Cart Pro 4.1.5