Information Security
Elena, 2016-01-13 08:25:40

How to repel a hacker attack on a server (hosting)?

I really need help. I should say up front that I am not familiar with this subject area. The other day all the sites on our hosting (a VPS server) were hacked and mass mailings were sent from them; as a result all the sites went down. Technical support pointed out suspicious files; we deleted them and rolled all the sites back to last year's version. We changed the passwords and, in .htaccess, denied access to all IPs except the workers' ones. At night one of the sites returned a 403 error, after which this appeared on the sites: [screenshot]. What measures can we take on our own or together with technical support, or is there no way around hiring a specialist?


6 answers
nirvimel, 2016-01-13
@nirvimel

It looks like the OS itself on the VPS has been hacked. You are concentrating on the sites; perhaps you are looking in the wrong place.
Update your OS (by the way, which one do you have?). If it is possible to stop the server for a while and you have all the backups, it may be better (and faster) to install a fresh OS from a clean image from the official site and then restore the sites from the backups.
In general, you need a competent administrator: not a site specialist but an OS administrator who understands system security. You may not need to hire one permanently; it can be a one-off job of installing the OS, setting up security, and uploading and bringing up the sites. But don't skimp on it too much, you don't want to see that green flag again in a couple of weeks.

xmoonlight, 2016-01-13
@xmoonlight

Change hosting provider. Maybe the problem is not on your side.

Alexander Taratin, 2016-01-13
@Taraflex

Update everything that can be updated (OS, Apache, nginx, PHP, CMS, CMS plugins) + How to protect sites from hacking?
Move the CMS admin panels to non-standard URLs and restrict them as described at www.softtime.ru/info/apache.php?id_article=27
Prohibit execution of PHP code in directories where there should be no PHP code at all, especially if user files can be uploaded into them.
Prevent the user the web server runs as from writing to or reading directories it should not touch.
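Added example, not code from the thread or from any of the answerers: a small POSIX-sh script that applies the three hardening points above (no code execution in data directories, admin directory limited to worker addresses, code tree read-only for the web server user) and hunts for PHP dropped into an upload directory. It assumes Apache 2.4 with AllowOverride enabled so .htaccess is honoured, PHP via mod_php5/mod_php7 or php-fpm, a web server user of www-data, and hypothetical paths passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: Apache 2.4, .htaccess
# honoured (AllowOverride), web server user www-data, hypothetical paths.
set -e

WEB_USER="${WEB_USER:-www-data}"

# 1. Refuse to execute anything from a directory that should hold only data
#    (images, cache, tmp). "engine off" covers mod_php; the FilesMatch deny
#    also stops php-fpm setups, because the request never reaches PHP.
deny_php_in_dir() {
    mkdir -p "$1"
    cat > "$1/.htaccess" <<'EOF'
# Data only: nothing in this directory may execute.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<FilesMatch "\.(php[3-7]?|phtml|phar|pl|py|cgi|sh)$">
    Require all denied
</FilesMatch>
EOF
}

# 2. Limit a CMS admin directory to the worker addresses (IPs or CIDRs).
restrict_to_ips() {
    dir="$1"; shift
    mkdir -p "$dir"
    {
        echo '<RequireAny>'
        for ip in "$@"; do echo "    Require ip $ip"; done
        echo '</RequireAny>'
    } > "$dir/.htaccess"
}

# 3. Find server-side code where none should be: by extension, and by
#    content for files disguised as images (a "pic.gif" starting a PHP block).
find_php_in_dir() {
    {
        find "$1" -type f \( -name '*.php' -o -name '*.php[3-7]' \
                             -o -name '*.phtml' -o -name '*.phar' \) || true
        find "$1" -type f ! -name '*.php' ! -name '*.php[3-7]' \
                          ! -name '*.phtml' ! -name '*.phar' \
             -exec grep -l '<?php' {} + 2>/dev/null || true
    } | sort -u
}

# 4. Code tree owned by root, readable by the web server group, writable by
#    nobody but root; only the upload directories (extra arguments) stay
#    writable for the web server user. The chown step needs root.
lock_down_tree() {
    docroot="$1"; shift
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:"$WEB_USER" "$docroot"
    fi
    find "$docroot" -type d -exec chmod 750 {} +
    find "$docroot" -type f -exec chmod 640 {} +
    for d in "$@"; do
        find "$d" -type d -exec chmod 770 {} +
        find "$d" -type f -exec chmod 660 {} +
    done
}
```

Run lock_down_tree as root so the ownership change applies; without it the web server user still owns the files and can overwrite them. nginx ignores .htaccess, so a site served by nginx needs an equivalent location block that returns 403 for those extensions in the same directories.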

Puma Thailand, 2016-01-13
@opium

Just look at the logs to see how you were hacked, and close the hole.
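Added example, not code from the thread or from the answerer: what "look at the logs" means in practice for an Apache combined-format access log on a Joomla-style site. The awk filters flag requests for server-side code inside data directories and POSTs to PHP scripts that are not the CMS front controllers, then pivot from those hits to the client addresses and to everything those addresses did, so the first request (the actual entry hole) can be read off. The log lines are constructed for the example and use documentation (TEST-NET) addresses; the directory names and entry points are assumptions for a Joomla layout.

```shell
#!/bin/sh
# Added example (not from the thread). Apache combined log format fields:
# $1 client, $6 "METHOD, $7 path, $9 status. Sample lines are constructed.
set -e

write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [12/Jan/2016:02:14:07 +0300] "GET /index.php?option=com_content&view=article&id=4 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2016:02:14:09 +0300] "GET /images/logo.png HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jan/2016:02:31:44 +0300] "POST /index.php?option=com_media&task=file.upload HTTP/1.1" 303 0 "-" "python-requests/2.8"
198.51.100.23 - - [12/Jan/2016:02:31:45 +0300] "POST /images/stories/x.php HTTP/1.1" 200 17 "-" "python-requests/2.8"
198.51.100.23 - - [12/Jan/2016:02:32:01 +0300] "POST /images/stories/x.php HTTP/1.1" 200 2204 "-" "python-requests/2.8"
192.0.2.77 - - [12/Jan/2016:02:40:12 +0300] "GET /cache/.sess.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2016:03:01:00 +0300] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
EOF
}

# Lines worth reading first: code executed from data directories (webshell
# hits, whatever the status), and POSTs to PHP outside the CMS entry points.
suspicious_requests() {
    awk '
    {
        method = $6; sub(/^"/, "", method)
        path   = $7; sub(/\?.*/, "", path)          # drop the query string
        if (path ~ /\/(images|media|cache|tmp|uploads)\/.*\.(php[3-7]?|phtml|phar)$/) {
            print; next
        }
        if (method == "POST" && path ~ /\.php$/ &&
            path !~ /^\/(index\.php|administrator\/index\.php)$/) {
            print; next
        }
    }' "$1"
}

# Client addresses behind the suspicious lines.
suspicious_ips() {
    suspicious_requests "$1" | awk '{ print $1 }' | sort -u
}

# Everything one client did, in order. The first lines are usually the
# upload or exploit request that preceded the webshell hits: that is the hole.
requests_from_ip() {
    awk -v ip="$2" '$1 == ip' "$1"
}

# Timestamp of the first request from a client, to bound the incident.
first_seen() {
    awk -v ip="$2" '$1 == ip { print $4; exit }' "$1"
}
```

On a Debian-style host the real input is typically /var/log/apache2/access.log plus its rotated copies; run suspicious_ips over all of them, then requests_from_ip for each address, and read the requests made just before the first hit on the dropped file. In the constructed sample that is the POST to com_media by 198.51.100.23, which is the upload that placed x.php.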

Vlad Zhivotnev, 2016-01-13
@inkvizitor68sl

Is proftpd installed? What version?
UPD: as expected, it is CVE-2015-3306 (habrahabr.ru/post/257027/)
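Added example, not code from the thread or from the answerer: the check a practitioner wants after this answer, whether the ProFTPD on the host still has mod_copy (the module named in CVE-2015-3306) available, either loaded dynamically through a Debian-style modules.conf or compiled in statically, and a one-line way to disable the dynamic load. The config path and the captured outputs of `proftpd -v` and `proftpd -l` are passed in as arguments and are hypothetical; compare the reported version against the advisory linked in the answer.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a Debian-style layout where
# optional modules are enabled by LoadModule lines in modules.conf.
set -e

# Version string from the text of `proftpd -v` (e.g. "ProFTPD Version 1.3.5").
proftpd_version() {
    printf '%s\n' "$1" \
        | sed -n 's/.*ProFTPD Version \([0-9][0-9.]*[a-z]*\).*/\1/p' \
        | head -n 1
}

# Statically compiled modules, from the text of `proftpd -l`.
mod_copy_compiled_in() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*mod_copy\.c'
}

# Dynamically loaded module: an uncommented LoadModule line in modules.conf.
mod_copy_loaded() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+mod_copy\.c' "$1"
}

# Comment the LoadModule line out, keeping a .bak copy; restart proftpd after.
disable_mod_copy() {
    sed -E -i.bak 's/^([[:space:]]*LoadModule[[:space:]]+mod_copy\.c)/#\1/' "$1"
}

# Verdict for a host: prints the state, exit 1 while mod_copy is still active.
mod_copy_status() {
    conf="$1"; compiled="$2"
    if mod_copy_loaded "$conf" || mod_copy_compiled_in "$compiled"; then
        echo "mod_copy ACTIVE"
        return 1
    fi
    echo "mod_copy disabled"
}
```

If mod_copy turns out to be compiled in statically, commenting the LoadModule line does nothing; the server has to be rebuilt or upgraded. Disabling the module closes this one entry point, but anything written to the filesystem through it before the fix is still there and needs the file-hunting and log review from the other answers.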

Elena, 2016-01-21
@olenne

Thanks everyone for the replies and recommendations! The viruses were removed; from the logs it was determined that the hack was carried out through holes in Joomla. The mod_copy module has been disabled.
