@kpv I am not sure about that. I only had 1 WP site and 1 user in the VPS. I have already reinstalled the system and cleaned the hack (I hope)
The malware was in a lot of plugins and themes. I had to grab fresh copies of all of them from the source. After that, I ran a search in the database and removed the malicious code.
Lastly, I ran Wordfence scan and it did not find anything so I really hope I cleaned it 100%
Thanks for the update. It is important to understand how the hack happened (e.g. through a wp plugin, or password, or system hack etc) and fix it, otherwise another hack will happen sooner or later.
https://wordpress.org/plugins/sucuri-scanner/ Does a good job of comparing core files, enable Sucuri > Settings > WordPress Integrity Diff Utility and finding non wordpress files in the core folders.