Hi,
that's false positive. Eval() isn't bad per-se, so isn't assert().
However, just by the blank amount of evals that watchful.li finds it isn't easy to find how your site got breached.
Additionally, I would do it the classic way to cross-check the results:
1. Write down all 3rd party extensions (templates, plugins, components, modules) that you have installed, including version numbers. I know that services like watchful.li can help on that but relying only on those tools isn't enough.
2. Do some web search about if any of those versions contain known security issues and update if possible.
3. Try to find uploaded files, especially those ending with .php that are not part of a joomla or an extension install (very hard, but do-able).
I am referring especially to files that reached your webspace through uploads, so I would check upload folders first
4. Read your access logs and try to spot the date, time and url of very the first attack attempt (that will actually help to spot what exact hole the attacker was using).
5. last but not least clear all infected files from malicious code.
Please let us know how it went, we can also have a look through your logs if you like.
Best Regards,
Markus
