Admin Tools' DFIShield and .htaccess Maker prevent attacks which use relative directories (../ in the filename). This limits the attacker to uploading arbitrary files in AcyMailing's media subfolder. This limits the scope of the attack.
Admin Tools' .htaccess Maker prevents direct access to .php files beyond Joomla's index.php files (root, api directory, administrator directory) and the administrator/components/com_joomlaupdate/extract.php file used for Joomla! upgrades (this has its own very tight security; I contributed it myself). Therefore, the files uploaded to the media/com_acym/images/thumbnails folder cannot be executed. This neuters the effects of the attack.
Finally, if you are using Admin Tools' PHP File Change Scanner, it will detect the .png.php files being uploaded and report them to you, so you know you've got to clean 'em up.
So, yes. The attacker could only upload those files, but they were blocked from using them. An apt analogy would be that you got shot in the chest, but the bullet was stopped by your bullet-proof vest.
Nicholas K. Dionysopoulos
Lead Developer and Director
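For readers who do not use Admin Tools, the following Apache .htaccess fragment is an added illustration of the two protections described in the reply above (an allowlist of executable PHP entry points and a block on `../` traversal). It is not the output of .htaccess Maker and not part of the original post; the entry-point paths are the ones named in the reply, and it assumes mod_rewrite is enabled and the site lives at the document root.

```apache
RewriteEngine On
RewriteBase /

# Only the Joomla entry points named in the reply may be requested directly:
# the site root, the API and the administrator index.php, plus the update extractor.
RewriteCond %{REQUEST_URI} !^/index\.php$
RewriteCond %{REQUEST_URI} !^/api/index\.php$
RewriteCond %{REQUEST_URI} !^/administrator/index\.php$
RewriteCond %{REQUEST_URI} !^/administrator/components/com_joomlaupdate/extract\.php$
# Any other request whose path contains ".php" (e.g. media/.../foo.png.php) gets 403.
RewriteRule \.php - [F,NC]

# Refuse requests carrying a "../" traversal sequence in the path or query string.
RewriteCond %{THE_REQUEST} \.\./ [OR]
RewriteCond %{QUERY_STRING} \.\./
RewriteRule .* - [F]
```

Verify the rules after deploying them: a request for an uploaded `media/com_acym/images/thumbnails/test.png.php` must return 403 while `/index.php` and `/administrator/index.php` still load; the PHP source stays on disk either way, so the file scanner step described above is still needed to remove it.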