Our site was hacked and some interesting things happened. As I was cleaning out the files (a whole lot of injected PHP and edited HTML), I found that there were 4 files that kept returning after being deleted.
They are wprx, cloki, xm, and config.json. Two look to be compiled code and the others had IP addresses.
I did some research and found some items in /home//Maildir/new with recent dates.
When I opened one, I found an email that contained the below (I masked the user for security purposes):
From: firstname.lastname@example.org (Cron Daemon)
Subject: Cron *****@ontario pidof cloki || exec /dev/shm/cloki >/dev/null 2>&1 &
Notice that it looks for cloki, one of the files that won’t go away, and executes some code in /dev. It appears that a hack is being done by email to trigger Cron jobs.
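
Cron mails a job's output to the account owner and puts the job's command in the Subject line, so messages like the one above can be used to locate the crontab entry that keeps relaunching the file. The script below is an added example, not part of the original post; the function names and sample messages are constructed, and the crontab paths are the usual Linux locations, assumed here.

```shell
#!/bin/sh
# Added example: triage cron-driven persistence such as the /dev/shm/cloki job.

# Print the command part of every "Subject: Cron <user@host> command" line
# found in the mail files under a directory (e.g. a Maildir "new" folder).
cron_cmds_from_mail() {
    grep -rhs '^Subject: Cron ' "$1" |
        sed -E 's/^Subject: Cron <?[^ >]+@[^ >]+>? //'
}

# Read commands or crontab lines on stdin and print those that run something
# from a world-writable location (/dev/shm, /tmp, /var/tmp).
# ">/dev/null" alone does not match; "/home/u/tmp/x" does not match either.
flag_suspicious() {
    grep -E '(^|[^[:alnum:]_.-])/(dev/shm|tmp|var/tmp)/[^[:space:]]+' || true
}

# Collect installed crontab entries (current user plus system locations),
# drop comment lines, and show only the suspicious ones.
audit_crontabs() {
    { crontab -l 2>/dev/null
      cat /etc/crontab /etc/cron.d/* /var/spool/cron/* \
          /var/spool/cron/crontabs/* 2>/dev/null
    } | grep -v '^[[:space:]]*#' | flag_suspicious
}

# Constructed sample: two cron mails, one benign and one like the post's.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'From: root@example.org (Cron Daemon)' \
        'Subject: Cron <user@host> pidof cloki || exec /dev/shm/cloki >/dev/null 2>&1 &' \
        > "$d/1.msg"
    printf '%s\n' 'From: root@example.org (Cron Daemon)' \
        'Subject: Cron <user@host> /usr/bin/php /home/user/tmp/cleanup.php' \
        > "$d/2.msg"
    cron_cmds_from_mail "$d" | flag_suspicious
    rm -rf "$d"
}

# On a real host:
#   cron_cmds_from_mail "$HOME/Maildir/new" | sort -u | flag_suspicious
#   audit_crontabs
```

Any line that `audit_crontabs` prints is an entry to remove from the crontab before deleting the files it launches; otherwise the job restarts them on its next run.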