Rebuild the system from scratch. This is most correct for the server.

> But this webmaster was not in sudoers. It turns out that I have some kind of rootkit?
Nothing works, most likely some kind of exploit. It is better to roll over the system from scratch and any non-static (php scripts etc.) from the backup. Otherwise, there is a chance that something will not be found.

1. Try the unhide utility first to find the hidden process (if there is one)
2. reinstall all packages. Here is the script:
#!/bin/bash
for pkg in `dpkg --get-selections|awk '{print $1}'| egrep -v '(dpkg|apt)'`; do apt-get install --reinstall -y $pkg; done
3. Use tripwire to check file integrity (for the future)

Do not be greedy, hire an expensive admin, let him do everything for you and tell you later what and how he did, and what and how you need to do. This is a one-time fee, as a result, if you stretch it for the duration of the server, it will not be expensive.

I once met with a rootkit, the rkhunter did not find it, it was about 4 years ago, I don’t remember the details, he skillfully hid from the TOP ps and much more, but he was blessed with an outgoing connection.
further along the chain of this connection, a “kernel module” was found ... reinstallation resolved the issue.
also recently, one of my friends had a site on a null engine that had not changed for 5 years, and through it they downloaded a file (shell) to me, collected the “client irk” and also hooked up to a remote server. the process was running as user apache
After clearing a lot, I found a file that was used by apache. a simple f3 on the executable file showed the connection parameters with the irk server, I went there and talked with the admin of that channel, he had more than 250 such bots.
he steered all the servers directly from the channel, he said that he was selling servers to spammers, he said how he got to me, he said that he was from Malaysia. sells servers from 5 to 100 bucks.
asked me to give him a shell only for “IRKproxy” nothing more :))
it makes sense to look for “php shell” or similar “things”
I had a perl picture by the way, a jpg file inside with a pearl script for assembling the irk daemon :))
experience I then got a lot :)

In this case, I do data migration to an intermediate server, reinstall the current one and migrate back. Well, or just to another clean server.
Linux is a complex system. Every system administrator wants to know where the rootkit sits. But there are too many places like this. I missed something and all the many days of work for nothing. In the future, the reinstall is easier.

It is strange in general that the hoster informed you about this after complaints, and not you yourself found out.
By the way, due to the stinginess of server holders towards normal admins, this happens, although to maintain an average server remotely, it is quite normal to have at least a remote admin.
That is, it turns out that you did not properly monitor the server, nor did you monitor it, did not look at the logs - so what do you want?
Ideally, set up a server from scratch, hire a person to adequately set up protection. Further, either pull up knowledge yourself, or leave a person on a salary, at least for the initial time.
I don’t understand how you can not track visits via ssh - this is the time. (at least logwatch would have been screwed)
I don’t understand how you can leave ssh on a standard port and not block the number of connection attempts to it from one IP - that’s two.
And I don’t understand at all how you can dive into the ocean without knowing how to swim - these are three.

If you have a kernel with module support, then there is also the possibility of kernel rootkits.
Reinstalling the server is the easiest and fastest way to fix the problem.

You should also configure SSH if you think: disable protocol version 1, disable root login, disable password authorization and leave only by keys. Take care of setting up access rights: remove all users from the wheel group (ideally, leave each user in their own group altogether), remove sudo.
You can look behind the rootkit if it didn’t get into the kernel using the lsof utility - in Linux it’s difficult to hide work with any files, look for all sorts of entries, like (deleted), maybe you’re lucky. But if the hacker got root, then he most likely put a module into the kernel that is able to hide, which is quite simple and students do it in a month, as it were, the power of Linux is playing against him here. Only reinstallation will save you from this. And take care of root in the future, like the apple of an eye.

rearrange the SSH daemon, its binary can be replaced, and log in with a password, but it will not be logged, and the attacker will easily log in, change the password at least 10 times