Yes, I will also suggest you to secure your server before restoring your account. Also scan your full server and please see if there are any root symlinks are available. This kind of attack generally occurs when root level hacking occurred. I would suggest you to have a look on below security checklist that you should perform :
==================================
Install CSF
Inistall Mod-Security with Advanced Rules
Inistall Clamav Anti Virus
Inistall Maldet and scan your full server
Inistall LSM
Inistall PRM
Lockdown & Hardening the Root Password
Secure SSHD Port
sysctl.conf Hardening
host.conf Hardening
Network Security with hosts.allow & hosts.deny
nsswitch.conf Hardening
Enable DDOS Protection
Root Login Email Notifications
Noexec, Nosuid Temporary Directories (noexec Directories such as /tmp, /var/tmp, /dev/shm)
Security Updates as released by OS and/or Control Panel
Disable Unwanted Services
Enable PHP Open_Basedir Protection
Enable mod_userdir Protection
Securing Console Access
PHP5 Hardening with disabling php functions.
Configuring Anti-Spam Features to Reduce Spam
==================================
