Post
Topic
Board Gambling
Re: DaDice.com - Next Gen Social Gambling Dice Experience | Progressive Jackpot
by dadice on 23/08/2015, 11:09:37 UTC
Were there logins in the auth.log from an outsider using root or a bash_history showing someone was using the root account?  It's a bad idea to have ssh access open to root accounts.  You should use another account and SU.  Also you should have hidden bastion server access and not allow any ssh from IPs other than two bastions (the other as a backup).

I ask because rarely does a hack happen with a root password.  Typically it's poor code allowing cross-site scripting, SQL injection etc. etc.  If there is no proof of shell access search access logs for PUTs and POSTs to narrow it down.  Or, check your database integrity to see if it was compromised.

Some feedback from the tech team:

We are not running SSH on standard ports anyway and direct root logins are also prohibited. Once again our password is very strong and cannot be brute forced, only the hosting provider had access to our server for management purposes.

The results of the findings of our investigation regarding the compromised server:

It seems the reason is an ex-employee's frenzy. We learned that they had the same issue with other servers as well.

Right now we have downloaded a copy of the main database and deleted it from the server, and stopped execution of DaDice gameplay scripts completely. They have offered to either scan our server and make sure there are no Trojans or rootkits or any other threat active on the server or to build up a new matching server with a fresh install of our gameplay script / database etc. We have opted for a new server and are expecting to be up and running sometime tomorrow.
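The log checks suggested in the quoted question above (root or non-bastion SSH logins in auth.log, PUT and POST requests in the web access log), as an added example that is not part of the original post or DaDice's own tooling. The bastion addresses, log lines and request paths are constructed sample data, and the sshd and combined access log formats are assumed.

```python
import re
from collections import Counter

# Constructed sample data (not from the incident): bastion IPs, sshd lines, web access lines.
BASTIONS = {"203.0.113.10", "203.0.113.11"}
AUTH_LOG = """\
Aug 22 03:14:07 web1 sshd[2211]: Accepted publickey for deploy from 203.0.113.10 port 50122 ssh2
Aug 22 03:20:41 web1 sshd[2290]: Failed password for root from 198.51.100.7 port 40100 ssh2
Aug 22 03:21:02 web1 sshd[2291]: Accepted password for root from 198.51.100.7 port 40111 ssh2
Aug 22 04:02:19 web1 sshd[2400]: Accepted password for deploy from 192.0.2.55 port 51000 ssh2
"""
ACCESS_LOG = """\
198.51.100.7 - - [22/Aug/2015:03:25:10 +0000] "POST /api/settings HTTP/1.1" 200 512
198.51.100.7 - - [22/Aug/2015:03:25:12 +0000] "PUT /static/a.txt HTTP/1.1" 201 0
192.0.2.80 - - [22/Aug/2015:03:26:00 +0000] "GET /index.html HTTP/1.1" 200 1043
192.0.2.80 - - [22/Aug/2015:03:26:05 +0000] "POST /login HTTP/1.1" 302 0
"""

SSHD = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port")
HTTP = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def ssh_findings(log, bastions):
    """Return (reason, user, ip) for accepted logins as root or from a non-bastion IP."""
    out = []
    for line in log.splitlines():
        m = SSHD.search(line)
        if not m or m.group(1) != "Accepted":
            continue
        _, _, user, ip = m.groups()
        if user == "root":
            out.append(("direct-root-login", user, ip))
        if ip not in bastions:
            out.append(("non-bastion-source", user, ip))
    return out

def write_requests(log):
    """Count PUT/POST requests per (client, method, path)."""
    hits = Counter()
    for line in log.splitlines():
        m = HTTP.match(line)
        if m and m.group(2) in ("PUT", "POST"):
            hits[(m.group(1), m.group(2), m.group(3))] += 1
    return hits

if __name__ == "__main__":
    for f in ssh_findings(AUTH_LOG, BASTIONS):
        print(*f)
    for (ip, method, path), n in write_requests(ACCESS_LOG).items():
        print(n, ip, method, path)
```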