I had a very similar issue to this on one of my old servers (not running osTicket) a few years ago. It was basically a result of server software Apache, PHP, etc... not being kept up-to-date in order to run the old CMS that was being hosted there and random .php files would be uploaded and included in headers of existing files, obfuscated in exactly the same way your example is, so that finding them was an absolute nightmare. I actually expanded the code in a sandboxed machine to see what it did, and I had to admit the whole thing was quite impressive!
Assuming your issue is the same, you'll have to do two things:
- upgrade all server software, including your web server and any extras such as PHP, MySQL. Basically upgrade everything, otherwise if you don't fix the root vulnerability it will happen again. Make sure the OS is a supported version too.
- trash all of the existing osTicket files (they could be infected now for all you know) and replace them with a fresh copy from osticket.com as ntozier suggests - make sure to keep your include/ost-config.php file, but manually verify it hasn't been altered.
You might also want to ensure all non-essential access to the server is restricted. You'll obviously need to allow access via 443 for the web server, but things like SSH can be restricted to your IP.
