Lemme guess, a Wordpress site?
If you had CSF, modsec and Wordfence configured, along with strong passwords then this shouldn't happen. If the computer that you normally access the site admin with, is compromised, then all bets are off.
I suggest you start with a fresh installation of the (virtual) server and restore the site(s) from backup.
Coincides with an email report that arrived this evening, for a site that I run:
March 29, 2020 11:38am
45.12.32.174 (Russian Federation)
Blocked for ThemeGrill Demo Importer < 1.6.2 - Auth Bypass & Database Wipe in query string: do_reset_wordpress=1
March 28, 2020 6:48am
37.59.51.181 (France)
Blocked for Slider Revolution: Local File Inclusion
March 28, 2020 2:59am
188.166.16.17 (Netherlands)
Blocked for WAF-RULE-194
March 28, 2020 2:59am
188.166.16.17 (Netherlands)
Blocked for TRX Addons >= 1.6.50 - Remote Code Execution
Makes a change to not see a USA hack attempt.
IF you have access to the official CSF GUI, then there's a useful "Check Server Security" option, that gives good advice. See post:
http://forum.centos-webpanel.com/index.php?topic=8576