Firstly, now is a great time to upgrade to 3.7.
Secondly, if your client is using a windows box then see below:
Now please tell me you have an SQL backup of the "database?" In your specific case I would take all my directory folders that have your customization and restore them over a new install. Your clients computer is infected with backdoor. Malwarebytes may help but longshot. Look for ANY exceptions in your firewall.
Don't bother trying to repair that database unless you have no options left.In the case of a hacker you always have to reformat data. Did you leave port 3389 Remote Desktop open? It's going to happen again by the same hacker using different ips...sorry to say. If your using a windows box
#1)use google recaptcha code
https://developers.google.com/recaptcha/#2) right click on task manager>Performance Tab>Open Resource Monitor at bottom>Overview>Focus 100% on network tab. keep an eye out for RDP on 3389 or FTP 25
You'll find your hacker.
temp used this program to stop unwanted attempts 3 tries and locked out
#3)
https://rdpguard.com/?v=2-6-3&fam=x64OR this one
https://syspeace.com/I take it your Client does not know how to lock down a server (not bashing)go to "Local Security Policy" the account policies> account lockout policy and account lockout threshold = 2
Now if they guess wrong two times they must call you to get in.
I won't get into windows firewall due to its complexity and possibility of locking out everyone.. SO I can get you a PowerShell script that will DENY all IPS from China ....You can always whitelist with a trusted China Ips later if you want, but that's little more complicated but you can do it.[/i]Just ask me if you need it.
Lastly, what is the Event Viewer>Windows Logs>Security>Filter current log>Keywords pull down to you see Audit Failure.....is your event ID 4776?
If so read that log they probably used an dictionary password guessing attack. RENAME: "admin" and "administrator " TO ANYTHING but those names. That's easy prey.
Tell your customer he's $%%ed ... just kidding you can fix this but start with new database rebuild from there. Hope I didn't scare you but security is full time job!