Hi Mustafa,
I also forgot to mention something earlier, and in support of my assumption, I present following logic:
Before the change of joomla administrator took place, there was a similar change before a month in a different client's account. The joomla as well as xoops user's table were made totally empty! Joomla administrator dir was password protected and not publicly accessable.
The second client the admin dir was also pass protected.
How did both clients got affected?
In xoops, xoops_profile data was there and only xoops_user was emptied by the hacker.
Both the client's accounts were victimized such that qmail server was used to send emails in the domain name of the clients as relay server.
In the first case (xoops), the hacker used a remote ip to relay spam of the domain with xoops cms.
After I blocked his ips, he installed a trojan through changing joomla administrator and he managed to hack the joomla admin by changing the admin status of registered user, installed a trojan and relayed spam bomd locally.
Otherwise there is nothing to explain how the hacker "hacked two accounts from different clients", one had joomla and the other joomla/xoops.
Both were used to create spam bombs on my server.
The pattern involved in deleting usertable, relaying spam, etc, and the intelligence from log files gathered, I am sure that YOU ARE WRONG in your assumption , that Kloxo-MR is secure, and thus I repeat once again that you urgently need to look in this matter.
No other thing could explain other than Kloxo-MR possibility to hack. Now that the exploit above is known to me, I am sure that thats how it happened earlier.
I request you to check 10 times as it is most likely something that you are missing.