
I previously asked this question on StackOverflow. I was recommended to ask here for help. There are some more details on that question.

Someone has somehow gained unauthorized access to my website. They have been changing the PHP source code of the site to inject Google ads. My database and other sites on the hosting plan seem unaffected, though I have everything backed up just in case they are able to get deeper access.

The site is hosted on shared hosting. It's coded in PHP (version 7.4) and running under Apache.

The hosting provider was not helpful. They recommended changing my passwords (which I had already done: FTP, cPanel, and hosting account passwords). They claim they don't have any logs on the system to check. The ads are still being re-inserted into the code every time I remove them.

The injected code is different every time, and does not appear to be computer-generated, so I am certain the changes are being made by an actual human with access to the system, not malware.

At the recommendation of one of the StackOverflow answers, I am scanning the site for vulnerabilities with Arachni. That scan has been running for about an hour and a half and is still going, but so far nothing helpful has surfaced there.

I need to figure out how the attacker is gaining access to change my source code. I'm out of ideas for places to look. How can I detect how the attacker is accessing the server so I can shut them out?

DMJ
  • In most cases you need to hire a security consultant for that (to review your code, as well as the associated configuration). This isn't something any online forum can offer. – Lex Li Jul 21 '20 at 23:34
  • Hi, cPanel questions are off-topic, but I chose that canonical, as it shows that your hoster has steps to take if it's not a problem with a lost password or your code. As such, it's a good test to know if your hoster knows what he does, and if you want to continue with them. – yagmoth555 Jul 22 '20 at 00:15
  • If it's more a topic for cPanel, please know the sister site webmasters.stackexchange.com will gladly help – yagmoth555 Jul 22 '20 at 00:17

1 Answer


Likely your PHP code is vulnerable to PHP Code Injection. See link for a trivial example. As Lex Li suggests - independent review of your code is the next step.

elchambro
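As a starting point for the code review the answer recommends, the following added example (not part of the original answer or the asker's site) lists PHP lines where a code-executing or file-including construct receives request input, either directly or through a variable assigned from it. The sink list, the function names and the sample PHP are assumptions made for illustration; this is a line-based triage heuristic, so it can miss indirect flows and flag sanitized ones.

```python
import re
import sys
from pathlib import Path

# PHP constructs that execute or load code or OS commands (illustrative list).
SINKS = (r"eval|assert|create_function|include(?:_once)?|require(?:_once)?|"
         r"system|exec|shell_exec|passthru|popen|proc_open")
SINK_RE = re.compile(rf"(?<![$\w>])({SINKS})\b", re.IGNORECASE)
# Request-controlled superglobals, and variables assigned directly from them.
TAINT_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|FILES|SERVER)\b")
ASSIGN_RE = re.compile(r"(\$\w+)\s*=(?!=)[^;]*" + TAINT_RE.pattern)

# Constructed sample input, not code from the question.
SAMPLE_PHP = """<?php
// eval($_GET['x']) inside a comment is skipped
$page = $_GET['page'];
$title = htmlspecialchars($_GET['title']);
include "pages/" . $page . ".php";
eval($_POST['code']);
include "footer.php";
"""

def scan_php(source):
    """Return (line_no, sink, code) for sinks whose arguments carry request input."""
    tainted, findings = set(), []
    for line_no, line in enumerate(source.splitlines(), 1):
        code = line.strip()
        if code.startswith(("//", "#", "/*", "*")):
            continue  # whole-line comments only; inline comments are not parsed
        tainted.update(ASSIGN_RE.findall(code))
        sink = SINK_RE.search(code)
        if not sink:
            continue
        args = code[sink.end():]
        via_var = any(re.search(re.escape(v) + r"\b", args) for v in tainted)
        if TAINT_RE.search(args) or via_var:
            findings.append((line_no, sink.group(1).lower(), code))
    return findings

def scan_tree(root):
    """Map each .php file under root to its findings (files without hits omitted)."""
    scanned = ((str(p), scan_php(p.read_text(errors="replace"))) for p in Path(root).rglob("*.php"))
    return {name: found for name, found in scanned if found}

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"sample": scan_php(SAMPLE_PHP)}
    for name, found in results.items():
        for line_no, sink, code in found:
            print(f"{name}:{line_no}: {sink}: {code}")
```

Run it against a local copy of the site (for example the backup) by passing the directory as the first argument; each reported line is a place to check whether the input is validated before it reaches the sink.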