OJS 3.4.0-4 is several releases behind, and it’s likely that there are known and already-fixed issues in it (e.g. stored XSS problems) that may have been used to gain access to the installation and make changes. Make sure you keep up to date with the latest release in any of the supported branches (currently 3.3.0-x, 3.4.0-x, and 3.5.0-x). See this recent memo.
I still think local modifications are the likeliest cause. In particular, check to make sure that there are no unexpected plugins in plugins/generic. If that doesn’t turn anything up, use a tool like diff to compare your installation’s contents to a fresh download of the same version.
Regards,
Alec Smecher
Public Knowledge Project Team