Drupal
DenimTornado, 2014-12-25 00:14:13

Website hacking: how to find a hole?

Hello, there are several sites on Drupal, one on version 6, the others on version 7. At some point, the hoster reported malicious code. The code was found, and pieces of the shell were also cleaned out. The question is how to figure out how the shell ended up on the site.
Judging by the logs, there were no FTP or SSH logins. So it looks like a POST injection. How can I check this?
Thanks in advance!


6 answer(s)
Alex, 2014-12-25
@mr_ko

Update to the latest version. Before 7.32 there was a vulnerability. I got hacked too. After the update everything was fine.

haiku, 2014-12-25
@haiku

Well, if you can't make sense of the logs, then there's no way; apparently the person turned out to be smart enough not to spoil the logs.
You can pay someone to audit the entire code and let them look for where the holes are.
You can also set up some tricky activity monitor or logger and wait until the shell is uploaded again :)

Puma Thailand, 2014-12-26
@opium

Look at the date when the shells were created, then go to the Apache log and see what requests were made at that time.
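
The time-correlation approach from the answer above, as an added example that is not part of the original thread. It assumes an Apache access log in the combined format; the log lines, IP addresses, paths and timestamp are constructed sample data.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format: host ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def file_times(path, tz=timezone.utc):
    """Return (mtime, ctime). mtime can be backdated with touch; on Linux ctime
    (inode change) cannot be set through utime, so compare both."""
    st = os.stat(path)
    return (datetime.fromtimestamp(st.st_mtime, tz),
            datetime.fromtimestamp(st.st_ctime, tz))

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # skip lines that are not in combined format
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def requests_near(log_lines, file_time, window=timedelta(minutes=5)):
    """Requests within +/- window of file_time, POST/PUT first, then by time."""
    hits = [r for r in map(parse_line, log_lines)
            if r and abs(r["time"] - file_time) <= window]
    hits.sort(key=lambda r: (r["method"] not in ("POST", "PUT"), r["time"]))
    return hits

# Constructed sample data (documentation IP ranges, made-up paths and times).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Dec/2014:03:10:02 +0300] "GET /node/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Dec/2014:03:14:55 +0300] "POST /some/form HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.7 - - [20/Dec/2014:03:15:20 +0300] "GET /sites/default/files/img.php HTTP/1.1" 200 48 "-" "-"',
    '192.0.2.10 - - [20/Dec/2014:09:40:00 +0300] "POST /some/form HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]
# Constructed timestamp standing in for file_times("<suspect file>")[1].
SAMPLE_FILE_TIME = datetime(2014, 12, 20, 3, 15, 0, tzinfo=timezone(timedelta(hours=3)))

if __name__ == "__main__":
    for r in requests_near(SAMPLE_LOG, SAMPLE_FILE_TIME):
        print(r["ts"], r["ip"], r["method"], r["path"], r["status"])
```

A request for the new file shortly after a POST from the same address is the pattern to look for; the later POST at 09:40 falls outside the window and is not reported.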

UksusoFF, 2014-12-26
@UksusoFF

How to detect a virus on a website? Here are links to shell scanners

Arthur Gurinovich, 2015-01-23
@ArthurGurinovich

There are many ways to hack. It's not always the site itself that's the problem.
Drupal comes out with Security Updates all the time. Until I find out about the problem and release an update of the module, a couple of months may pass.
If I were you, I would check "Status Report" and "Available updates" more often

Mikhail Yesenin, 2019-01-23
@mirzok

How to detect a hole:
- check all input forms on the site, especially for loading sites
- check plugins and themes for malicious code
- check the URLs of self-written scripts through which any parameters are passed
- check whether someone logged into your FTP at that time with your credentials :)

Of course, you need to have an idea of what vulnerable code looks like: at a minimum, the absence of input parameter filtering and the absence of file type checking. You don't have to do it manually, of course; you can use automated tools like https://metascan.ru or https://acunetix.com
