Has anyone run into the Bitcoin database ransomware?
In short, yesterday morning I got hit from below: the databases on the server were gone, and in place of the old databases this note had been left:
INSERT INTO `WARNING` VALUES (1,'To recover your lost data : Send 0.05 BTC to our BitCoin Address and Contact us by eMail with your server IP Address or Domain Name and a Proof of Payment. Any eMail without your server IP Address or Domain Name and a Proof of Payment together will be ignored. Your File and DataBase is downloaded and backed up on our servers. Backups that we have right now: biysk,blawknox,belgorod,albajar,alaskadiesel,ashok,avia,barber-green,auwaerter,blog,bernard,buffalospringfield,armavir,belarus,caterpillar,balakovo,baycityshovel,bova,balashiha,adams,austinhealy,benford,bolens,bautz,bentley,berdsk,bluebirdbody,autodiesel,bantam,benfra,abg,bryansk,ausa,aveling-barford,agriful,agrale,belaz,casagrande,acura,bray,angarsk,ag-chem,bandit,carrier,bristol,astrahan,abakan,bell,bharatearth,american-motors,buick,bw-lathrop,ceccato,bataysk,austin-western,benati,blagoveshhensk,barnaul,braud,arzamas,ahlmann,brunogenerator,ankai,bmw,autokraz,astra,bedford,bitelli,allis-chalmers,akerman,ayyedekparca,achinsk,almetevsk,albaret,berezniki,cbt,audi,bratsk,blount,atlasweyhausen,carraro,arhangelsk,cadillac,bussing,camc,catalog,bks,athey,asiamotorwork,aksa,bmc-trucks,agco,baudouin,avant,allison,ayerbe,beibentruck,best-winner,artem,ammann . If we dont receive your payment,we will delete your databases.','1HXnLWN8Bi8nKAhTg1YqtGWZ2KttHhiDZF','[email protected]');
Have you been hacked and are not qualified to investigate the hack?
Make an image of the powered-off system from outside and keep a copy for yourself (why? perhaps you will find someone who can investigate)
Take the list of installed software and remove from it everything that is not required for the service to run
- phpmyadmin, ftp, just examples of such software
Wipe the OS (assume that root is compromised, and with it all the OS tools)
Reinstall following a good manual with a fair amount of paranoia (usually one article will not be enough; take your own notes during the installation). Isolate everything from everything else as much as possible (client and server side).
Your CMS and scripts should be updated regularly
Keep an eye on the logs; a hack often unfolds over a few days, and a simple grep on the logs will show whose IP you need to ban and where to put a captcha
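The log triage the answer above describes, as an added example that is not part of the original answer: a few access-log lines in combined format, constructed for the demo (IPs from the documentation ranges), and two small functions that count per-IP hits on admin paths (who to ban) and per-path hits (where a captcha or rate limit belongs). The path list is an assumption; extend it with whatever your CMS exposes.

```sh
#!/bin/sh
# Added example, not from the original answer: find the IPs hammering
# admin endpoints in a web access log. Sample log lines are constructed.

LOGFILE=$(mktemp)
cat > "$LOGFILE" <<'EOF'
203.0.113.7 - - [10/Mar/2017:03:12:01 +0300] "GET /phpmyadmin/ HTTP/1.1" 200 1843 "-" "python-requests/2.9"
203.0.113.7 - - [10/Mar/2017:03:12:02 +0300] "POST /phpmyadmin/index.php HTTP/1.1" 200 512 "-" "python-requests/2.9"
203.0.113.7 - - [10/Mar/2017:03:12:05 +0300] "GET /phpMyAdmin/ HTTP/1.1" 404 210 "-" "python-requests/2.9"
203.0.113.7 - - [10/Mar/2017:03:12:06 +0300] "GET /pma/ HTTP/1.1" 404 210 "-" "python-requests/2.9"
192.0.2.10 - - [10/Mar/2017:03:15:44 +0300] "GET /catalog/bmw HTTP/1.1" 200 9013 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2017:03:20:10 +0300] "GET /phpmyadmin/ HTTP/1.1" 200 1843 "-" "curl/7.47"
198.51.100.23 - - [10/Mar/2017:03:20:11 +0300] "GET /wp-login.php HTTP/1.1" 404 210 "-" "curl/7.47"
192.0.2.10 - - [10/Mar/2017:03:21:02 +0300] "GET /catalog/audi HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
EOF

# Hypothetical list of admin/login paths worth watching; matched case-insensitively
# so /phpMyAdmin/ and /phpmyadmin/ count as the same probe.
ADMIN_PATHS='"(GET|POST) /(phpmyadmin|pma|myadmin|wp-login\.php|administrator)'

# suspicious_ips LOG MIN: print "count ip" for every client with at least MIN
# hits on admin paths, most active first. These are the ban candidates.
suspicious_ips() {
    grep -Ei "$ADMIN_PATHS" "$1" \
        | awk '{ print $1 }' | sort | uniq -c | sort -rn \
        | awk -v min="$2" '$1 >= min { print $1, $2 }'
}

# attacked_paths LOG: the admin paths being probed, most hit first.
# Field 7 of the combined format is the request path.
attacked_paths() {
    grep -Ei "$ADMIN_PATHS" "$1" \
        | awk '{ print $7 }' | sort | uniq -c | sort -rn
}

echo "ban candidates (>= 3 admin hits):"
suspicious_ips "$LOGFILE" 3
echo "paths to protect:"
attacked_paths "$LOGFILE"
```

On a real host point the functions at the web server's access log and feed the resulting IPs to the firewall (ipset/iptables or nftables) after a manual look; an IP with one hit in the list may be a legitimate admin.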
The fact that you have backups makes your situation many times better
Close all access to the database from the outside. MySQL should only listen on local addresses.
Access to the server should be only via ssh with a key, not a password.
Remove PHPMyAdmin, set up SQLWorkbench with access via ssh tunnel.
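A way to verify the two settings this answer calls for (MySQL listening on loopback only, sshd accepting keys only), as an added example that is not part of the original answer. It parses my.cnf-style and sshd_config-style files; the sample files and their contents are constructed for the demo, and the parsing ignores option-file sections and sshd Match blocks.

```sh
#!/bin/sh
# Added example, not from the original answer: audit MySQL and sshd config
# files for the settings the answer recommends. Sample files are constructed.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# mysqld applies options in order, so the LAST bind-address wins.
# Returns 0 when mysqld cannot be reached over the network.
mysql_local_only() {
    f=$1
    # skip-networking turns TCP off entirely (socket only), stricter than bind-address
    if grep -Eiq '^[[:space:]]*skip[-_]networking([[:space:]]*=[[:space:]]*(1|on|true))?[[:space:]]*$' "$f"; then
        return 0
    fi
    addr=$(grep -Ei '^[[:space:]]*bind[-_]address[[:space:]]*=' "$f" \
           | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    # unset means "all interfaces" (0.0.0.0, or * on MySQL 8): a failure
    case "$addr" in
        127.0.0.1|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# sshd takes the FIRST occurrence of a keyword (Match blocks ignored here).
sshd_first() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Returns 0 when sshd only accepts key logins and root cannot use a password.
sshd_keys_only() {
    f=$1
    [ "$(lower "$(sshd_first "$f" PasswordAuthentication)")" = "no" ] || return 1
    # keyboard-interactive goes through PAM and accepts passwords as well;
    # newer OpenSSH treats ChallengeResponseAuthentication as an alias of
    # KbdInteractiveAuthentication, so either spelling set to "no" is accepted
    cr=$(lower "$(sshd_first "$f" ChallengeResponseAuthentication)")
    kbd=$(lower "$(sshd_first "$f" KbdInteractiveAuthentication)")
    [ "$cr" = "no" ] || [ "$kbd" = "no" ] || return 1
    # empty = the default prohibit-password (OpenSSH 7.0 and later)
    case "$(lower "$(sshd_first "$f" PermitRootLogin)")" in
        ""|no|prohibit-password|without-password) ;;
        *) return 1 ;;
    esac
    # PubkeyAuthentication defaults to yes; only an explicit "no" is wrong
    [ "$(lower "$(sshd_first "$f" PubkeyAuthentication)")" != "no" ] || return 1
    return 0
}

# Constructed sample configs: the weak setting beside the corrected one.
WEAK_MYCNF=$(mktemp); HARD_MYCNF=$(mktemp)
cat > "$WEAK_MYCNF" <<'EOF'
[mysqld]
bind-address = 0.0.0.0
EOF
cat > "$HARD_MYCNF" <<'EOF'
[mysqld]
bind-address = 127.0.0.1
EOF

WEAK_SSHD=$(mktemp); HARD_SSHD=$(mktemp)
cat > "$WEAK_SSHD" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF
cat > "$HARD_SSHD" <<'EOF'
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
EOF

report() { if "$1" "$2"; then echo "PASS $1 $2"; else echo "FAIL $1 $2"; fi; }
report mysql_local_only "$WEAK_MYCNF"
report mysql_local_only "$HARD_MYCNF"
report sshd_keys_only "$WEAK_SSHD"
report sshd_keys_only "$HARD_SSHD"
```

Run the two checks against /etc/mysql/my.cnf (or whichever file `mysqld --help --verbose` reports it reads) and /etc/ssh/sshd_config. With MySQL bound to 127.0.0.1, a desktop client such as MySQL Workbench reaches it through `ssh -N -L 3307:127.0.0.1:3306 user@server`, pointing the client at 127.0.0.1:3307; nothing on port 3306 is exposed.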
There is basically zero information in the post, but I see a phpmyadmin tag; maybe that's where it is? There are versions of it with holes. Though I don't understand how to use it at all.
So the hole is not in the passwords; most likely they break in through the CMS or gain root privileges some other way.
Disconnect the server from the internet. Completely; leave only the console.
Take an image of the system for later study.
If the host has a RAID, break the array and reassemble it with a different disk order, recreating it with a format of the array.
Reinstall the system, take only text configs from the backups, and only after they have been reviewed. Download the distribution from the original server and re-verify the checksums.
(All of this is to ensure a clean machine and a clean distribution for the installation)
As few services exposed as possible, all services on non-standard ports, and everything that can be authenticated by keys or certificates must be used only with keys / certificates
Keep looking at the logs constantly; there will most likely be more attempts.
Yes, some points smack of paranoia :) But healthy paranoia is better...
Lord, these crypto-ransomware guys on the internet don't give a damn.
Perhaps you need to set up a security system??
To stop unauthorized parties from going where they shouldn't.
Or not??
As far as I understand from your story, the attackers created a user who was given root rights. You were hacked via SQL injection, and they injected something like this:
CREATE USER 'intruder'@'localhost' IDENTIFIED BY 'intruder_password';
GRANT PROXY ON 'admin'@'localhost' TO 'intruder'@'localhost';
Completely cut off access from the external network, removed the GRANT PROXY from root, changed the passwords on all accounts; everything was fine for exactly one day...
$_POST[$_post] = mysql_real_escape_string($_POST[$_post]);
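A check for the rogue account and proxy grant described in the answer above, as an added example that is not part of the original thread. It works offline on dumps of `mysql.user` and `mysql.proxies_priv` as `mysql -N -B -e 'SELECT User,Host FROM mysql.user'` and `SELECT Host,User,Proxied_host,Proxied_user FROM mysql.proxies_priv` would print them (tab-separated); the dumps, the allowlist and the account names are constructed for the demo. Everything not on the allowlist, every account reachable from a non-local host, and every proxy grant to a real account is flagged, and the matching DROP USER / REVOKE PROXY statements are emitted for review.

```sh
#!/bin/sh
# Added example, not from the original thread: audit MySQL accounts and
# proxy grants from tab-separated dumps. Sample dumps are constructed.

# Constructed dump of mysql.user (User<TAB>Host). The default row in
# mysql.proxies_priv is root@localhost proxied to ''@''; anything else is a grant.
USERS=$(mktemp); PROXIES=$(mktemp)
printf '%s\t%s\n' root localhost mysql.sys localhost mysql.session localhost \
    catalog localhost admin localhost intruder localhost backup '%' > "$USERS"
printf '%s\t%s\t%s\t%s\n' localhost root '' '' \
    localhost intruder localhost admin > "$PROXIES"

# Hypothetical allowlist of accounts that are supposed to exist, as user@host.
ALLOW='root@localhost mysql.sys@localhost mysql.session@localhost catalog@localhost admin@localhost backup@%'

# rogue_accounts USERS_DUMP ALLOWLIST: prints UNEXPECTED for accounts missing
# from the allowlist and REMOTE for allowed accounts whose host is not local.
rogue_accounts() {
    awk -F'\t' -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            key = $1 "@" $2
            if (!(key in ok)) print "UNEXPECTED " key
            else if ($2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1") print "REMOTE " key
        }' "$1"
}

# proxy_grants PROXIES_DUMP: every row that lets one account act as another.
# Columns: Host User Proxied_host Proxied_user.
proxy_grants() {
    awk -F'\t' '$4 != "" { print "PROXY " $2 "@" $1 " -> " $4 "@" $3 }' "$1"
}

# remediation_sql USERS_DUMP PROXIES_DUMP ALLOWLIST: statements to review and
# run by hand. Assumes user and host names contain no "@".
remediation_sql() {
    rogue_accounts "$1" "$3" | awk -v q="'" '$1 == "UNEXPECTED" {
        split($2, u, "@"); print "DROP USER " q u[1] q "@" q u[2] q ";" }'
    proxy_grants "$2" | awk -v q="'" '{
        split($2, g, "@"); split($4, p, "@")
        print "REVOKE PROXY ON " q p[1] q "@" q p[2] q " FROM " q g[1] q "@" q g[2] q ";" }'
}

echo "findings:"
rogue_accounts "$USERS" "$ALLOW"
proxy_grants "$PROXIES"
echo "proposed remediation:"
remediation_sql "$USERS" "$PROXIES" "$ALLOW"
```

A REVOKE alone is not enough once the server has been breached this way: the answers above are right that the host has to be rebuilt, since the account was created through an injection path that is still there.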