They run it on your server, just like any other script runs (including WordPress).
In the log you provided, it looks like the hacker knew your password. Perhaps you are using the same password on other sites, and he somehow gained access to one of them?
Always set different and complex passwords; combine a large character range; include special characters and so on…