Done and dusted now. However we will need to redeploy everything from scratch on a new server, this backup I can't find any evidence of the Malware but I don't know how long it may have been dormant for or if it was loaded to RAM, or any backdoors enabled.
I have no idea how the server was exploited, the only vunerabilty I could find was that one of my dev sites had an old version of PHP. I think that was the most likely culprit.