usually ftp or ssh, did you change these passwords? if not, then change it.
If there is a hole in the code somewhere, then the task is also simply solved by setting the necessary rights to files and directories, no one can write in php, and the upload of a new file is easy to track.

It seems to me that it's all through ftp / sh, etc. climbs in normal mode from ordinary client machines. This is the easiest way, obviously.

In my humble experience: bots do this through already known holes in Joomla / phpbb / etz, fill in phpshell and further on. As a rule, infection occurs at about the same time as the pouring of the shell, and the shell is not removed. Therefore, you need to look at the time of editing / creating dubious files, look in the web server logs during this period of access to unusual urls and look for the desired shell there. After finding the shell, look at the time of its creation and look at the logs for a call to the web server at exactly that time in order to find which URL was requested in order to activate the hole and download the shell through it.
Well, as one of the options.

Read the logs, they rulez. And not just Web servers. Once in /var/log/messages (if my memory serves me) I came across messages from wget, which was launched to upload a file. In time, I then went through access.log and found the URI of the script, into which the bug was substituted in advance.