If they didn't use any hooks and checked the logs that no files have been uploaded, then gvh is safe (not hacked), I think.
What comes to mind is to submit a password reset like a real user (automated) and at the same time visit the cron URL - the reason is to simply hide that client database of one of...
So it's definitely related to Cron -> Hooks.
$cron->logActivity("Completed");
$cron->emailReport();
run_hook("DailyCronJob", array());
$cron->log("Cron Job Hooks Run...");
if ($cron->isScheduled("backups")) {
http://pastebin.com/tjkjws2q
Later I will have better code :D
Edit: this is from WHMCS 5.2.10 decoded, but the code is still similar to the latest ones like 5.3.*: https://raw.githubusercontent.com/kiddo90/whmcs_5.2.10_decoded_nulled_mtimer/master/admin/cron.php
Edit 2: after analyzing the...
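Added example (not part of the original post and not WHMCS code): a defender-side audit for the "did they use any hooks" check, listing every hook registration in a hooks directory and marking the ones that run from `run_hook("DailyCronJob", ...)` in the cron snippet above. It assumes hook files register themselves with `add_hook("Name", ...)`; the function name `audit_hooks`, the directory argument and the sample files are hypothetical and constructed.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# add_hook("HookPoint", ...) registrations; PHP function names are case-insensitive.
ADD_HOOK = re.compile(r"""add_hook\s*\(\s*['"]([A-Za-z0-9_]+)['"]""", re.IGNORECASE)


def audit_hooks(root, hook_point="DailyCronJob", recent_days=30, now=None):
    """Return one record per add_hook() registration found under root."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        try:
            text = path.read_text(errors="replace")
            mtime = path.stat().st_mtime
        except OSError:
            continue  # unreadable file: nothing to report for it
        for name in ADD_HOOK.findall(text):
            findings.append({
                "file": str(path.relative_to(root)),
                "hook": name,
                # Compared case-insensitively so a near-match is still flagged.
                "runs_from_cron": name.lower() == hook_point.lower(),
                "recently_modified": (now - mtime) < recent_days * 86400,
            })
    return findings


if __name__ == "__main__":
    # Constructed sample directory standing in for the install's hooks folder.
    with tempfile.TemporaryDirectory() as d:
        old_file = Path(d) / "invoice_note.php"
        old_file.write_text("<?php add_hook('InvoicePaid', 1, 'note');")
        stale = time.time() - 400 * 86400
        os.utime(old_file, (stale, stale))
        (Path(d) / "x.php").write_text(
            '<?php\nadd_hook("DailyCronJob", 1, function($vars) {});')
        for finding in audit_hooks(d):
            print(finding)
```

Any record with both `runs_from_cron` and `recently_modified` set is a file to compare against a known-good copy and the upload logs.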