Our site was taken down by service provider. HACKED

Hi @geirrosset,

Yes, you’ve almost certainly been hacked using the unsafe files_dir deployment. It is just a matter of time if your OJS/OMP/OPS is deployed with the files_dir inside the web root without protection. (That’s why we have warnings in the installation form, documentation, and elsewhere.)

If your host doesn’t allow you to store anything outside the web root, you can still protect yourself by using a mechanism like .htaccess to prevent direct access to files in the files_dir.

In the meantime, your clean-up is going to be roughly the same as for any web application (like Drupal or WordPress). Essentially you’ll have to review everything to make sure it’s not been modified, but there are tools to help with this. There are some suggestions in the forum, e.g. on this thread.

Regards,
Alec Smecher
Public Knowledge Project Team
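
The check described in the reply above, as an added example that is not part of the original post or of PKP's own code: it reads `files_dir` from `config.inc.php` and reports whether that directory sits inside the web root and, if so, whether an `.htaccess` there denies direct access. The function names and the sample layout are constructed for illustration; resolving a relative `files_dir` against the install directory and looking only at an `.htaccess` inside `files_dir` itself are assumptions.

```python
import os
import re

# Apache 2.4 ("Require all denied") and 2.2 ("Deny from all") deny directives.
DENY_RE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.I | re.M)

def read_files_dir(config_path):
    """Return the files_dir value from config.inc.php, or None if it is not set."""
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            # Anchored at line start, so ';' comments and public_files_dir are skipped.
            m = re.match(r"\s*files_dir\s*=\s*(.+?)\s*$", line)
            if m:
                return m.group(1).strip("\"'")
    return None

def assess(install_dir, web_root):
    """Classify the deployment as 'outside_web_root', 'protected' or 'exposed'."""
    value = read_files_dir(os.path.join(install_dir, "config.inc.php"))
    if value is None:
        raise ValueError("files_dir not set in config.inc.php")
    # Assumption: a relative files_dir is resolved against the install directory.
    files_dir = os.path.realpath(os.path.join(install_dir, value))
    root = os.path.realpath(web_root)
    if os.path.commonpath([files_dir, root]) != root:
        return "outside_web_root"
    htaccess = os.path.join(files_dir, ".htaccess")
    if os.path.isfile(htaccess):
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            if DENY_RE.search(fh.read()):
                return "protected"
    return "exposed"

if __name__ == "__main__":
    import tempfile
    # Constructed sample layout: install under the web root, files_dir = files.
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "public_html")
        install = os.path.join(root, "ojs")
        os.makedirs(os.path.join(install, "files"))
        with open(os.path.join(install, "config.inc.php"), "w") as fh:
            fh.write("[files]\nfiles_dir = files\n")
        print(assess(install, root))  # exposed
        with open(os.path.join(install, "files", ".htaccess"), "w") as fh:
            fh.write("Require all denied\n")
        print(assess(install, root))  # protected
```

An `.htaccess` file only takes effect where the Apache configuration permits overrides for that directory, so a "protected" result should be confirmed by requesting a known file under `files_dir` and checking that the server refuses it.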