Our site was hacked and so interesting things happened. As I was cleaning out the files (a whole lot injected PHP and edited HTML) I found that there were 4 files that kept returning after being deleted.
They are wprx, cloki, xm, and config.json. Two look to be compiled code and the others had IP addresses.
I did some research and found some items in /home//Maildir/new with recent dates
When I opened one, I found an email that contained the below (I masked the user for security purposes)
Notice that it looks for cloki, one of the files that won’t go away, and executes some code in /dev. It appears that a hack is being done by email to trigger Cron jobs.