I had a similar experience, and I found the kit used by the hacker; it was uploaded via a vBulletin script security hole or (calender.php, faq.php, search.php).
This is the shell used in the hacking: https://bit.ly/VOYDiI
Its name is: (S a u d i S h 3 l l v1.0)
You should scan your server for this evil shell, and also scan all the accounts for a file (usually called script.php) that is planted in many accounts on your server, and delete them all.
If you don't find the shell, the hacker will be able to use it anytime he wants.
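
A sweep for the cleanup step described in the post above, as an added example that is not part of the original post. It flags files named script.php (the name the post reports) and PHP files whose contents contain the shell's name; that the shell's source carries its name, the extension list and the size limit are assumptions, and the directory tree scanned in `demo()` is constructed.

```python
import os
import re
import tempfile

# Assumption: the shell's source contains its name, letter-spaced or not.
BANNER = re.compile(rb"s\s*a\s*u\s*d\s*i\s*s\s*h\s*3\s*l\s*l", re.IGNORECASE)
SUSPECT_NAMES = {"script.php"}          # filename reported in the post
PHP_EXTS = (".php", ".phtml", ".inc")   # assumption: extensions worth reading
MAX_BYTES = 2 * 1024 * 1024             # read at most 2 MiB per file

def scan_accounts(root):
    """Return sorted (path, reason) findings for every file under root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue                 # skip symlinks, sockets, devices
            if name.lower() in SUSPECT_NAMES:
                findings.append((path, "filename"))
            if not name.lower().endswith(PHP_EXTS):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                continue                 # unreadable file: nothing to match
            if BANNER.search(data):
                findings.append((path, "banner"))
    return sorted(findings)

def demo():
    """Scan a constructed account tree; paths are returned relative to it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {                      # constructed sample files
            "alice/public_html/index.php": b"<?php echo 'hello'; ?>",
            "alice/public_html/images/script.php": b"<?php /* sample */ ?>",
            "bob/public_html/cache/thumb.php": b"<title>S a u d i S h 3 l l v1.0</title>",
        }
        for rel, body in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return [(os.path.relpath(p, root).replace(os.sep, "/"), why)
                for p, why in scan_accounts(root)]

if __name__ == "__main__":
    for rel, why in demo():
        print(f"{why:8} {rel}")
```

A filename hit is only a lead, since legitimate applications can ship a script.php; a copy of the shell with its name stripped or encoded will not match the content check, so review findings and compare against known-good files before deleting.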