Ok, so wanted to share an update and close this. Here is what I did to overcome my server injection.
1) Wrote down a script which goes every php file and look for the injected code, if found removes it. (The injected code has similar beginning and ending pattern)
2) Changed passwords for server logins.
3) Updated very very old wordpress sites in the server.
Seems that this injected code was used for bruteforcing other wordpress & cpanels btw.