Looks like your server was compromised. Your index.php file (now index.php.suspected) has a bunch of obfuscated code at the beginning followed by some WordPress related code. There are also a bunch of other files that look suspect to me.
From the XF perspective, you'd need to reupload the files. However, you'd need to identify how they got in. Given what I'm seeing, this looks more like a general, automated compromise. It may be WordPress related (if you have that anywhere). It may even be related to another site on your server. In an ideal world, you'd want to restore to a backup prior to the compromise.