Were there logins in the auth.log from an outsider using root or a bash_history showing someone was using the root account? It's a bad idea to have ssh access open to root accounts. You should use another account and su. Also you should have hidden bastion server access and not allow any ssh from IPs other than two bastions (the other as a backup).
I ask because rarely does a hack happen with a root password. Typically it's poor code allowing cross-site scripting, SQL injection, etc. If there is no proof of shell access, search access logs for PUTs and POSTs to narrow it down. Or, check your database integrity to see if it was compromised.
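
The auth.log check suggested above, as an added example that is not part of the original post: it reads sshd lines in the standard OpenSSH syslog format and reports every accepted login that was made directly as root or came from a non-bastion address. The bastion addresses, host name and log lines are constructed placeholders.

```python
import ipaddress
import re

# Assumed bastion addresses (placeholders from the documentation range).
BASTIONS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}

# OpenSSH: "Accepted|Failed <method> for [invalid user ]<user> from <ip> port <n>"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample lines, not taken from any real system.
SAMPLE_AUTH_LOG = """\
Mar 10 03:11:02 web01 sshd[2190]: Failed password for root from 198.51.100.7 port 33412 ssh2
Mar 10 03:12:45 web01 sshd[2211]: Accepted password for root from 203.0.113.45 port 51122 ssh2
Mar 10 08:30:10 web01 sshd[3302]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Mar 10 09:01:55 web01 sshd[3410]: Accepted publickey for root from 192.0.2.11 port 40110 ssh2
Mar 10 11:47:19 web01 sshd[3977]: Accepted password for deploy from 203.0.113.99 port 52871 ssh2
Mar 10 11:50:03 web01 sshd[3981]: Failed password for invalid user admin from 198.51.100.7 port 33990 ssh2
"""

def review_auth_log(text, bastions=BASTIONS):
    """Return (user, source_ip, reasons) for each accepted login worth a look."""
    findings = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if not m or m["result"] != "Accepted":
            continue  # failed attempts are noise for this question
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # source logged as a hostname; needs manual review
        reasons = []
        if m["user"] == "root":
            reasons.append("direct root login")
        if src not in bastions:
            reasons.append("source is not a bastion")
        if reasons:
            findings.append((m["user"], str(src), reasons))
    return findings

if __name__ == "__main__":
    for user, ip, reasons in review_auth_log(SAMPLE_AUTH_LOG):
        print(f"{user:8} {ip:15} {', '.join(reasons)}")
```
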