Nothing was taken from the compromised server except the database. Backups were used for the code and configuration. Some moderators and I checked (partly manually and partly automatically) the differences between the backed up database and the live database and found no backdoors or anything obvious wrong. It is possible that the content of some posts and things were modified, though I don't think so.
Have you been able to figure out how the attacker managed to get hold of the KVM access credentials with which he convinced the hosting support about his authenticity ? Because, as I see, that was the starting point of the attack.