FOUND IT from the trace!
THANK YOU OBT!
Whoever installed it originally had made boxes for all 16 ports.
When I was out there in Oct. I corrected the hacking.
I personally changed the passwords on the Administrator, Message Manager's, Phantom boxes and eliminated the ones assigned to the VM ports.
I told them to change or put new PWs on all their own boxes.
What I didn't know was that there was a mailbox with no extension on it so no one put a password on it.
Apparently there was another hacking attempt mid January and that 1 single box was found vulnerable so they attempted exploit it again. Fortunately I had blocked it from Co access so it got nowhere other than continuously seizing the ports. I had to disconnect them both just it make the box idle long enough to even see the setup.
It is ALL so clear AFTER you find it!