This question has been answered by markh. See the first response.
<base href="[[!++site_url]]">
Hello! To my knowledge there are no known vulnerabilities in 2.5.5 at this time. When you mention you solved it by "cleaning cache", that makes me wonder if you might be leaving an actual vulnerability/shell/ in place, which could explain why it keeps happening.
Also when you say they "rewrite my menu links with links to other domain", are the menu links still pointing to the right path, just on a wrong domain? If so, you might just need to make sure that thetag in your site's header is uncached. If you leave that cached, and your server will respond with your site no matter the domain used to access its IP, it's rather easy for what's called "cache poisoning" to occur. That's not a hack, just poor configuration, and luckily quite easy to solve. Uncaching the site url in the base tag, and additionally using htaccess/nginx rewrites to force the right domain to be used will prevent that from happening again.<base href="[[!++site_url]]">