MWZ

What are you ? A hater, a player, a hacker, a developer or what ? I can't find a way to classify you seriously... :/

It is a highly chance, that they backdoored it to protect it from being cracked or shared. A malicious user, can have found this weakness and now he is abusing it in your server. They maybe, can not admit that, but it is a possible true history. If you want a tip to see how the GM Privileges are being generated, do this : 1) In your website, make sure to log 'all' the SQL queries to a txt file, this way, if it is an injection happening in your website you will know. 2) The same for the game server, find a way to log it to a file and verify it. If you don't find it in any of the two ways, then it is surely a private backdoor, not that if in case of 2) you find something it won't be a backdoor, it can also be... depending on which query was used for it.

Some packages, mainly the ones which have the source closed, or partially closed, contains these types of backdoors, that sometimes the author makes to protect his work, the main problem of this, is that there are ways to find them out, and then people that couldn't had this information, get their hands on it, causing all these troubles. Like happened to him today. Want to avoid all that ? L2JServer.com :).

Obviously, you did a good option regarding website and ddos protection. Although it is sure thing, that your pack must be backdoored somehow...