Ok, we made a second installation in a different folder with a blank revive adserver 3.2.4 and followed the instructions here https://www.revive-adserver.com/support/upgrading/.
In the old OpenX we removed the injected code from the ox_zones tables and a user with the userid 999 with admin rights named "Maintenance" and then we copied the database, because it seemed to be clean then. I followed the instructions from here: http://www.adserveropenx.com/how-to-remove-malware-or-injection-from-openx/
Anything wrong in this procedure? I thought, that will do the job.
Passwords were all changed, I'll htaccess the api - folder too now.
I removed the file adxmlrpc.php from the root folder to "disable" XML-RPC - is there a better way to disable this than removing the file?
Thanks for your hints and tips!