Hacked file regenerates whenever it is deleted - ubuntu/apache2 [duplicate]

Have just had a hacked website flagged by Sucuri

There were a number of backdoor PHP files flagged, which I HAVE been able to delete

However, the index.php file has a spam link injected in to the bottom of it.

I've tried deleting it - which DOES work, but file instantly regenerates.

I've tried changing permissions (it is set to -rw-r--r-- www-data:www-data) to root and editing the file - it instantly changes back to the above permissions on save, and my edit is gone

Sucuri is now flagging the site as clean i.e. no more backdoor present BUT there's obviously something there that is still doing this.

Server has a lot of other sites on it too, and none of these are compromised (obviously, anyway) - and so it seems to be something in this specific site's folder that is responsible.

Is there a way of monitoring WHAT is manipulating the index.php file in order to trace where the problem is being generated from? Any other ideas? (Other than start again from scratch, which I CAN do, but not easily).

Any input welcome - thanks!

With a 644 access flag, the write is comming from the user account, say apache. Maybe you can play a trick on the lurking APT.

Make the crazy move to give this file 406 (r-----wr-) permission and use an account from the others group to edit the file. If the change stays, setup file access auditing, revert to permissions to 644 and see.

If the file changes despite the 406 permissions, your APT likely has root access and you should start rebuilding. It's not your server anymore.

Good luck, and congrats for the cleaning you did so far...