I'm not blaming smf
I was thinking hacker did it from one of the admin logins and from Themes and Layout Settings. Thats why i gave here raw logs maybe there is something in there.
This one looks suspicous to me
Have only 2 admins and none of us went to theme settings. Thats why i changed my pass and moved my other 2 admins to different group. Now I'll wait and see what happens.
Edit: Any tips for "- I would bet that the hacker left some package behind" What should i look for? Can you filter it for me, for example 500byte or blabla.php etc. Thanks.