You have installed your system so that the files directory is a subdirectory of OJS. This means that it is accessible from web and can be easily hacked. The correct place to save your submission files is outside the webroot.
So if your OJS is for examle in /var/www/public_html/
, you should place your files directory to /var/www/files
.
You should move your files directory
Update config.inc.php to match the new location of your files directory
Remove the scripts the hacker has uploaded. I would also replace all OJS installation files with a fresh copy of the same version to make sure there are no backdoors
Change your mysql password
See also:
https://github.com/pkp/ojs/blob/master/docs/README#L58