PHP
Vlad, 2018-12-02 00:12:41

Is it possible to protect yourself from this virus on the site?

The server is being attacked by a virus. I don't know where the vulnerability is. I scanned with the Aibolit antivirus and deleted the virus files, but the next day they reappear.
Here is what I found in the logs:

91.134.248.211 - - [01/Dec/2018:00:02:46 +0200] "GET /differences.php?homework-help-anglo-saxons1111111111111%22%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45),CHAR(45,120,49,55,45,81,45),CHAR(45,120,49,56,45,81,45),CHAR(45,120,49,57,45,81,45),CHAR(45,120,50,48,45,81,45),CHAR(45,120,50,49,45,81,45),CHAR(45,120,50,50,45,81,45),CHAR(45,120,50,51,45,81,45),CHAR(45,120,50,52,45,81,45),CHAR(45,120,50,53,45,81,45),CHAR(45,120,50,54,45,81,45),CHAR(45,120,50,55,45,81,45),CHAR(45,120,50,56,45,81,45),CHAR(45,120,50,57,45,81,45),CHAR(45,120,51,48,45,81,45),CHAR(45,120,51,49,45,81,45),CHAR(45,120,51,50,45,81,45),CHAR(45,120,51,51,45,81,45),CHAR(45,120,51,52,45,81,45),CHAR(45,120,51,53,45,81,45),CHAR(45,120,51,54,45,81,45),CHAR(45,120,51,55,45,81,45),CHAR(45,120,51,56,45,81,45),CHAR(45,120,51,57,45,81,45),CHAR(45,120,52,48,45,81,45),CHAR(45,120,52,49,45,81,45),CHAR(45,120,52,50,45,81,45),CHAR(45,120,52,51,45,81,45),CHAR(45,120,52,52,45,81,45),CHAR(45,120,52,53,45,81,45),CHAR(45,120,52,54,45,81,45),CHAR(45,120,52,55,45,81,45),CHAR(45,120,52,56,45,81,45),CHAR(45,120,52,57,45,81,45),CHAR(45,120,53,48,45,81,45)%20--%20/*%20order%20by%20%22as HTTP/1.1" 301 3557 "-" "-" (---)
91.134.248.211 - - [01/Dec/2018:00:02:46 +0200] "GET /differences.php?homework-help-anglo-saxons= HTTP/1.0" 301 699 "-" "Opera/9.27" (---)

Is someone requesting access to the differences.php file? At the root of the site, or where? There is no such file at the root, and it seems that there are no other folders.
Plus, look, the request also contains some kind of SQL query.
Is it just the virus at work?
Can you give me some advice on how to counter this attack?
Is it possible to somehow protect against such external requests to change files or the database?
I also noticed this request. index.php does exist on my server, and the link leads to one of the products on the site, only the URL is modified by some kind of injection:
118.67.248.190 - - [30/Nov/2018:08:14:42 +0200] "GET /index.php?product_id=3573&route=product/product1111111111111'%20UNION%20SELECT%20CHAR(45,120,49,45,81,45)--%20%20 HTTP/1.1" 301 784 "-" "-" (---)


1 answer(s)
Vladislav Marudenko, 2018-12-02
@INPVLSA

On Stack Overflow they say that this is just a check for whether injection is possible, and I agree.
Just don't worry about it: write correct database queries and everything will be fine.
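
A log-triage sketch for the request lines in the question, added here as an example (it is not part of the original question or answer): it URL-decodes each request, flags `UNION SELECT`, and turns every `CHAR(...)` list back into text. The sample lines come from the question, with the long one shortened to three columns; the function and variable names are illustrative.

```python
import re
from urllib.parse import unquote

# Lines from the question; the second is shortened to 3 of its 50 CHAR() columns.
SAMPLE = """\
118.67.248.190 - - [30/Nov/2018:08:14:42 +0200] "GET /index.php?product_id=3573&route=product/product1111111111111'%20UNION%20SELECT%20CHAR(45,120,49,45,81,45)--%20%20 HTTP/1.1" 301 784 "-" "-" (---)
91.134.248.211 - - [01/Dec/2018:00:02:46 +0200] "GET /differences.php?homework-help-anglo-saxons1111111111111%22%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45)%20--%20/*%20order%20by%20%22as HTTP/1.1" 301 3557 "-" "-" (---)
91.134.248.211 - - [01/Dec/2018:00:02:46 +0200] "GET /differences.php?homework-help-anglo-saxons= HTTP/1.0" 301 699 "-" "Opera/9.27" (---)
"""

# Access-log prefix: client IP, timestamp, method, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.*) HTTP/[\d.]+" (\d{3}) ')
UNION_RE = re.compile(r'\bUNION\s+(?:ALL\s+)?SELECT\b', re.I)
CHAR_RE = re.compile(r'CHAR\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)', re.I)

def decode_char(codes):
    """Turn the argument list of one CHAR(n,n,...) call back into text."""
    values = [int(n) for n in codes.split(',')]
    return ''.join(chr(v) if v < 0x110000 else '?' for v in values)

def analyze(line):
    """Return details of a UNION SELECT probe, or None if the line has none."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, when, _method, target, status = m.groups()
    decoded = unquote(target)  # %20 -> space, %22 -> double quote
    if not UNION_RE.search(decoded):
        return None
    markers = [decode_char(g) for g in CHAR_RE.findall(decoded)]
    return {'ip': ip, 'time': when, 'path': decoded.partition('?')[0],
            'status': int(status),  # what the server answered, as logged
            'columns_tried': len(markers), 'markers': markers}

if __name__ == "__main__":
    for entry in SAMPLE.splitlines():
        hit = analyze(entry)
        if hit:
            print(hit)
```

On these lines every `CHAR(...)` decodes to a numbered marker such as `-x1-Q-`, one per selected column, and each request was answered with status 301.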
