Move to a new server means exactly what it says. New OS, new copies of all installed web apps from trusted sources (from vendors, not from backups), data restored from a known good backup (yes, with possible data loss as data added recently is compromised). If I need to explain this in detail for OP, then I would suggest running a server is not a good idea, and it should be left to professionals. That may sound harsh, and it probably is a touch, but at the end of the day these are things that need considerable skill to manage and maintain and the risks of putting services online are often not known or understood by amateurs.
The only reason I raised my background was that I thought it might be important to clarify why I made the recommendations I did, and that they have been made from a best practices perspective in a large Uni environment, from someone who is passionate about InfoSec, and involved in that community. I wasn't trying to start a pissing contest.
I actually neglected to mention my experience in the penetration testing space (both in CTF and testing our own internal applications) where, with permission from the owner of an application or server, it is literally attacked using many of the same tools the bad guys use to try and compromise the server or application. This allows us to find the same vulnerabilities they would find, and fix them before they're found by the bad guys. White hat hacking, if you wish to give it a hat.
I believe removing the malware and trying to move forward from there is incredibly dangerous and, in my experience as a sysadmin (before I was a developer), this approach results in an unstable environment that can never, ever be trusted again. These are often then compromised again, as we have seen in this case; the attackers often maintain persistence by leaving a backdoor in a hidden place (in an existing file, hidden directory, etc.).
I'm also yet to see anyone else mention the users and their data. That, of all this, is the most disappointing thing to me (and I'm sure to them if they knew!). Even if the server was cleaned up (which I don't recommend), there have been unknown malicious users on the system; they have likely exfiltrated the data from the applications (especially if there is credit card data around) and are either on-selling it or using it for other purposes.
So at the end of the day, this is really just a difference of opinion - but it just so happens InfoSec is just one area I'm incredibly passionate about and have considerable skills in, and I firmly believe that in situations such as this the worst case should be assumed.
You're a valued member of the Moodle community, Ken; please don't take any of my comments as an attack. They're not intended that way.