If there is root access via ssh for the time of the intervention - may be restricted to one specific IP - I can check what's up ASAP. I've done similar things more often than I'd have wished - un-maintained/un-updated PHP in WP or similar web apps is the usual culprit, if you're in luck. If you're out of luck, the server may have been rootkit-ed, and then the only safe way out is a fresh install on a clean server. Anyway, first thing is to get at least a clear diagnose. So or so, I can help, if all the way out or not can be said only after seeing the damage.