
Malware + File Permission Issue on client website

First things first: what environment is it? Shared, VPS or Dedicated? Have you suspended the account? If it is a VPS or Dedicated Server, install ClamAV or a cPanel-compatible antivirus/malware detector. Does the server have WAF or firewall protection?
 
We need some information

Are you the Administrator with Root Access? Or a Reseller?

Are you using CloudLinux OS? If so, we know it's isolated; if not, then maybe some of your other websites are also affected.


Now, if you are root admin, then try to install Imunify360 (https://www.imunify360.com/, free for 30 days).

Scan your whole server, and it will also pinpoint the location of the malware.

Now, if you are only a reseller, then contact your hosting provider.
 
I'm not sure about root access... I'll ask about it.
And I found this in resource usage in cPanel.
What is it?
 

[Attachment: Screenshot_11.jpg]
The files are the result of the viruses. You need to look for the cause.
See the logs?
 
Check your logs; it will be very helpful to you.

Ask your provider to install a 30-day trial of Imunify360.
 
My best advice to you, or anyone in a similar predicament: immediately, with great haste, in your main root (assuming WP or a PHP script is running), rename index.php to index.old, create a new file, add `<?` and a space and a newline, and save it as index.php. Then create a folder below your www root / public_html, select everything in your public_html/www except the new index.php, and right-click or move it to that folder you created.

Then go to cPanel admin, check and ensure Remote MySQL is disabled, or if there are any entries in there you don't recognize, or something with an asterisk in it, just delete them all for now.

Go to MySQL admin; if there are any new mysterious users, delete them or change their password. Then change the password for your main WP or script's DB user.

From there it's best to dump your DB(s) out as SQL, and make sure to check the "hex encoding of raw binary characters" option in the custom export options (or "non-ASCII", whatever it's called, near the bottom).

You can also, while you're there, go to phpMyAdmin, open your WP DB, users, sort users by type, and see if there are new "admins" or, if there's just one, whether the email has changed.

Then go to your, ahh sh** I forget which, it's been so many years, but I think it's wp-posts and wp-postsmetadata or something, open them up and sort by ID descending, go to the end of the list and check if there are any funny addresses or crap in there, then check the same sorted by last modified.

You could, but probably shouldn't, waste time on cleaning the DB manually, and just extract by hand post by post, page by page, widget by widget, and your plugin settings etc.

But unless it's mission critical, and you don't have a backup like a numpty :p, you should rather just shitcan the entire site, and even reprovision the server itself, or the VM, whatever it is you're running. Going forward, if it's your own VPS, make sure you never work on the site with the root user, aside from the initial installation of your server admin tool (I recommend cPanel here as it will take care of a lot). You just create each domain as a client/reseller from WHM with root, or better yet a dedicated cPanelAdmin user (set up sudo rights for this one). Then going forward just access cPanel with your various domain / reseller / local user accounts.

An even better additional or alternative step would be to install Docker instance(s) with an enclosed PHP environment (a default LAMP stack will cover most requirements; make sure to add Node.js if it's not there already, it will come in handy at some point).

Then follow tutorials on how to set up a reverse proxy via nginx (easiest) and route your Docker-internal common ports like 80, 443, 25, and so on, to some random ports on the server itself.

Once all is good and up and running, just clone / take a snapshot of that Docker instance, keep a copy offline, and back up the same live Docker as often as you will be comfortable rolling back to in case of future events.

With regular non-WP scripts, you can use ionCube's dynamic keys for simple scripts, but it does not gel well with the likes of Laravel. You can also install PHP OPcache and cache all files, then either back up or move to another folder below root all PHP files, for which there would be a *.bin that would now take its place, and actually speed your site up; it's a lot harder to F with them, believe me.

Another good method, but I think there are even plugins for this, and it will depend on you disabling auto-updates and skipping your upload folder, is to store a hash/CRC value of every one of your files in your root www / public_html and any parent folders linked to the same script, keep that list somewhere safe, or ideally remote, and then set up a cron to scan each and every file at least once a day and calculate its current hash vs the original. It's the only way to know for sure. But updates will complicate things, so try to keep at least your WP core for a while.

Make sure that your www and below are under www-data or a different user than that domain's cPanel user.

And last gem of wisdom: don't install just any shit you find via Google, or just on the likes of codelist.cc ;D

If you need assistance or guidance with ionCube, I'd be happy to offer my wisdom; I am the singular and 5 years reigning undisputed and only living thing to break and decrypt ionCube's dynamic key. You wanna protect your sh**, as an individual or even especially as an author, then this is the way, and I can offer a few sneaky tips on how to deter any potential future persons mad enough to tackle DK.

To fully protect, from both inspection and from interception of data, any static-based HTML site or pages, you can do so via the likes of FlutterFlow's web client, opting for a canvas-based webview; and for data, connect directly to Firebase Firestore and any choice of auth they offer. I've been losing hair for the past 4 weeks in futile attempts to break into it, and it's just not happening. Best of all, you retain full interactivity with any elements contained within.

Oh, regarding permissions, one thing you can check (assuming you have WHM access or the root user): in WHM -> Tweak Settings -> disable the File Protect option if it's enabled; that locks permissions in place. For the future you could initially set correct permissions, and afterwards enable that as an additional safeguard against future incursions.
 