0

I have a weird problem on a server after an attack. In the web folder I have an index.php with malicious content. When I try to delete it, rename it, or change its content, it is somehow re-created.

I checked crontab and ps, but I haven't found anything suspicious.

Also, it is very interesting that if I change the owner of the file to root, it is still re-created without any problem.

Server system name and version: Debian GNU/Linux 8 (jessie)

voromax

3 Answers

2

Probably some uninvited process is running in the background and recreates the file if it finds that index.php is missing. Alternatively, the attacker set up incron, which then reacts to the file deletion event.

Anyway, stop using that server in production if you have not already done so, and disconnect it from the public internet. For educational purposes you can continue investigating it in an isolated environment to see what hit your server and from where.

Other than that, reinstall your server and restore from backups.

Janne Pikkarainen
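One way to find out which process is recreating the file, as an added example that is not part of the answer above: put a write/attribute watch on the file with auditd (`auditctl -w /var/www/html/index.php -p wa -k webshell`), export the matching records with `ausearch -k webshell --raw`, and correlate each SYSCALL record with its CWD and PATH records to get the pid, parent pid, executable and working directory of whatever opened the file. If the hit is a short-lived command whose ppid is cron or incrond, the payload lives in that daemon's tables rather than in a resident process. The file path, the key name and the audit records in the block are assumptions constructed for this example; every pid, inode and timestamp is made up.

```python
"""Find the process that wrote a watched file from raw Linux audit records.

Added example for this thread, not code from the original answer.  Assumptions:
auditd is installed, the file lives at /var/www/html/index.php, the watch was
set with `auditctl -w /var/www/html/index.php -p wa -k webshell`, and the
records were exported with `ausearch -k webshell --raw`.  The records below
are constructed to look like that output; every pid, inode and timestamp is
made up.
"""
import posixpath
import re
from collections import defaultdict

WATCHED = "/var/www/html/index.php"   # assumed location of the malicious file

# Constructed sample: event 1234 is a successful open(O_WRONLY|O_CREAT|O_TRUNC)
# by a perl one-liner started from a hidden directory; event 1235 is a failed
# open (EACCES) by a shell whose cwd is the web root, using a relative path,
# which is why CWD has to be joined to the PATH name before comparing.
SAMPLE_AUDIT_LOG = r'''
type=SYSCALL msg=audit(1478001234.567:1234): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1c0a4e10 a1=241 a2=1b6 a3=0 items=2 ppid=1 pid=4321 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" key="webshell"
type=CWD msg=audit(1478001234.567:1234):  cwd="/tmp/.x"
type=PATH msg=audit(1478001234.567:1234): item=0 name="/var/www/html/" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1478001234.567:1234): item=1 name="/var/www/html/index.php" inode=131100 dev=fd:01 mode=0100644 ouid=33 ogid=33 rdev=00:00 nametype=CREATE
type=PROCTITLE msg=audit(1478001234.567:1234): proctitle=7065726C002D65
type=SYSCALL msg=audit(1478001300.001:1235): arch=c000003e syscall=2 success=no exit=-13 a0=55d0c3a0 a1=241 a2=1b6 a3=0 items=2 ppid=4321 pid=4330 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="sh" exe="/bin/dash" key="webshell"
type=CWD msg=audit(1478001300.001:1235):  cwd="/var/www/html"
type=PATH msg=audit(1478001300.001:1235): item=0 name="." inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1478001300.001:1235): item=1 name="index.php" inode=131100 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
'''

# Record header: type, timestamp and serial; all records of one event share the serial.
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(body):
    fields = {}
    for key, value in FIELD_RE.findall(body):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def decode_proctitle(value):
    """auditd hex-encodes proctitle when it contains NUL argument separators."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value
    return raw.replace(b"\0", b" ").decode("utf-8", "replace")


def parse_audit_log(text):
    """Group raw records by event serial: {serial: {syscall, cwd, paths, proctitle, timestamp}}."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events[serial]
        ev["timestamp"] = float(ts)
        fields = parse_fields(body)
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
        elif rtype == "PATH":
            ev["paths"].append(fields)
        elif rtype == "PROCTITLE":
            ev["proctitle"] = decode_proctitle(fields.get("proctitle", ""))
    return dict(events)


def find_writers(events, watched_path):
    """Return one record per event that named watched_path, oldest first.
    Failed attempts are kept too: they still identify the process."""
    hits = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc = ev.get("syscall")
        if sc is None:
            continue
        cwd = ev.get("cwd") or "/"
        for p in ev["paths"]:
            name = p.get("name", "")
            full = name if name.startswith("/") else posixpath.join(cwd, name)
            if posixpath.normpath(full) != watched_path:
                continue
            hits.append({
                "serial": serial, "time": ev["timestamp"],
                "success": sc.get("success"), "nametype": p.get("nametype"),
                "pid": sc.get("pid"), "ppid": sc.get("ppid"), "uid": sc.get("uid"),
                "comm": sc.get("comm"), "exe": sc.get("exe"),
                "cwd": cwd, "proctitle": ev.get("proctitle", ""),
            })
    return hits


if __name__ == "__main__":
    for h in find_writers(parse_audit_log(SAMPLE_AUDIT_LOG), WATCHED):
        print("%.3f serial=%s success=%s pid=%s ppid=%s uid=%s exe=%s cwd=%s cmd=%r (%s)" % (
            h["time"], h["serial"], h["success"], h["pid"], h["ppid"], h["uid"],
            h["exe"], h["cwd"], h["proctitle"], h["nametype"]))
```

Feed real output in with `ausearch -k webshell --raw | python3 audit_writers.py` by reading `sys.stdin` instead of the sample; the ppid of the first successful CREATE is the process to look at next (a shell, incrond, cron, or a web server worker executing the malicious PHP itself).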
1

I assume that this is a forensic exercise to find out what attacked you, and not an attempt to get this compromised server back into a serviceable state.

There is only one way to achieve the latter:

Burn the machine to the ground and rebuild it from scratch.

Having things "reappear" is often done through cron, frequently using heavily disguised scripts full of control characters that shell processes simply interpret as regular text.

Phill W.
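An added check for the cron-based hiding described above (example code, not the answerer's): it reads the cron and incron tables a Debian 8 host uses, flags every line containing control characters, and renders what a terminal would have shown for that line next to the bytes cron actually executes, so a `cat` of the crontab that looked clean can be compared with what is on disk. The table locations and the sample crontab are assumptions constructed for this example.

```python
"""Flag cron and incron entries hidden behind terminal control characters.

Added example for this thread, not code from the original answer.  The table
locations are assumptions about a Debian 8 host (incron keeps its tables under
/var/spool/incron); the sample crontab text is constructed.
"""
import glob
import re

# Assumed cron/incron table locations on Debian 8.
TABLE_GLOBS = [
    "/etc/crontab",
    "/etc/cron.d/*",
    "/etc/cron.hourly/*", "/etc/cron.daily/*",
    "/etc/cron.weekly/*", "/etc/cron.monthly/*",
    "/var/spool/cron/crontabs/*",
    "/etc/incron.d/*",
    "/var/spool/incron/*",
]

# C0 controls other than TAB and LF, DEL, and the C1 range.  LF is excluded
# because lines are split on it below; TAB is legitimate in crontabs.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def render_like_terminal(line):
    """Approximate what `cat` shows for one line: CR returns to column 0,
    backspace moves left, ESC[K / ESC[2K erase, other controls are dropped.
    Later characters overwrite earlier ones at the same column, which is the
    trick used to hide a command behind a harmless-looking comment."""
    buf, cur, i, n = [], 0, 0, len(line)
    while i < n:
        ch = line[i]
        if ch == "\r":
            cur = 0
        elif ch == "\b":
            cur = max(0, cur - 1)
        elif ch == "\x1b" and i + 1 < n and line[i + 1] == "[":
            j = i + 2                      # CSI: ESC [ params final-byte (0x40-0x7e)
            while j < n and not ("@" <= line[j] <= "~"):
                j += 1
            params = line[i + 2:j]
            final = line[j] if j < n else ""
            if final == "K" and params in ("", "0"):
                del buf[cur:]              # erase from cursor to end of line
            elif final == "K" and params == "2":
                buf = [" "] * len(buf)     # erase whole line, cursor stays put
            i = j + 1
            continue
        elif CONTROL_RE.match(ch):
            pass                           # other control bytes print nothing
        else:
            if cur < len(buf):
                buf[cur] = ch
            else:
                buf.extend(" " * (cur - len(buf)))
                buf.append(ch)
            cur += 1
        i += 1
    return "".join(buf)


def find_hidden_entries(text):
    """Return one finding per line that contains control characters."""
    findings = []
    # split("\n"), not splitlines(): splitlines() would split on CR and hide the trick
    for lineno, line in enumerate(text.split("\n"), 1):
        controls = CONTROL_RE.findall(line)
        if not controls:
            continue
        findings.append({
            "line": lineno,
            "shown": render_like_terminal(line),
            "actual": line,
            "controls": sorted({"0x%02x" % ord(c) for c in controls}),
        })
    return findings


def scan_tables(patterns=TABLE_GLOBS):
    """Scan every readable file matched by the patterns; returns {path: findings}.
    latin-1 keeps every byte as one character so C1 controls are still caught."""
    results = {}
    for pattern in patterns:
        for path in sorted(glob.glob(pattern)):
            try:
                with open(path, "r", encoding="latin-1") as f:
                    text = f.read()
            except OSError:
                continue
            findings = find_hidden_entries(text)
            if findings:
                results[path] = findings
    return results


# Constructed sample: line 3 hides an every-minute job behind a comment using
# CR plus padding spaces; line 4 uses CR and ESC[K (erase to end of line).
SAMPLE_CRONTAB = (
    "# m h dom mon dow user command\n"
    "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
    "* * * * * www-data /tmp/.x/k.pl >/dev/null 2>&1\r# weekly cleanup" + " " * 40 + "\n"
    "@reboot root /tmp/.x/k.pl\r\x1b[K# nothing here\n"
)

if __name__ == "__main__":
    for f in find_hidden_entries(SAMPLE_CRONTAB):
        print("line %d shows : %s" % (f["line"], f["shown"].rstrip()))
        print("line %d runs  : %r  controls=%s" % (f["line"], f["actual"], f["controls"]))
    for path, fs in scan_tables().items():
        print("%s: %d suspicious line(s)" % (path, len(fs)))
```

Run it as root so the per-user spool directories are readable; `cat -A` or `less` on a flagged file shows the same bytes by hand, which is the check to do before trusting any crontab listing on a compromised host.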
0

Finally I have found a rapid solution.

  1. Stop the server
  2. Wait some time (to skip a possible sequence of file-check requests)
  3. Change the file content and permissions
  4. Start server again

I hope it helps somebody.

voromax