You (or your Imaginary Friends) should be able to check the logs to see where said hacker got in: Raw Access Logs in cPanel.
It might be a good idea to start a bit fresh, rather than trying to find files that aren't legit.
Make a backup using the BackupBuddy plugin. Review WP user accounts (you might need to look at the db directly, using phpmyadmin in your cPanel), and delete any dodgy ones. Delete all files in your public_html folder (aka web root) except the wp-config.php file and the wp-content folder and. Upload a fresh copy of WordPress, delete wp-config-sample.php. Upload fresh copies of the contents of the Themes and Plugins folders, overwriting any stuff that exists on the server.
Suggestion
It might be a good idea to start a bit fresh, rather than trying to find files that aren't legit.
Make a backup using the BackupBuddy plugin.
Review WP user accounts (you might need to look at the db directly, using phpmyadmin in your cPanel), and delete any dodgy ones.
Delete all files in your public_html folder (aka web root) except the wp-config.php file and the wp-content folder and.
Upload a fresh copy of WordPress, delete wp-config-sample.php.
Upload fresh copies of the contents of the Themes and Plugins folders, overwriting any stuff that exists on the server.
And stuff.